This research-in-progress paper examines the relation between information security breaches and cross-border mergers and acquisitions (M&A). Drawing from the institutional perspective, we use the concept of institutional distance to explain the impact of institutional differences on information security management at the transnational level. Using the secondary data collected from DataLossDB and SDC Platinum database, we empirically test the relation between institutional distances of two countries where the M&A firms register and the likelihood of information security breaches. The exploratory results indicate that institutional distance is positively associated with the likelihood of information security breaches. We conclude with theoretical implications and direction for further research.