Overview

In recent history, anyone who consumes news on a regular basis has heard of cyberattacks resulting in major high profile data breaches, including Uber Technologies' disclosure this November of a data breach impacting over 57 million customers and drivers globally. These breaches are not limited to any particular industry or sector, and they can affect small- to mid-sized companies as well as global corporations - though those with sensitive data are often more lucrative targets for malicious hackers. What often does not get discussed in the news, however, is what companies could have done and should be doing to protect their data.

Cybersecurity also adds another element for buyers to consider when evaluating the acquisition of a company. Adding to the already arduous due diligence process, it is imperative that buyers now fully assess the cybersecurity practices of their acquisition targets too. Ignoring this crucial step could lead not only to over-valuing a target but also to "buying a problem" that is not simply solved by collecting money damages and that results in reputational damage negatively impacting your current business or portfolio companies.

What is Cybersecurity?

At its most basic level, cybersecurity is a general term relating to the framework of security that an organization has in place to protect its network-connected resources and the content on them. While this intuitive definition seems simple enough, cybersecurity involves a great deal more than simple device and content protection. Firewalls and antivirus software are not enough, and are easily bypassed by any trained attacker. The protections that worked well in past years are no longer sufficient. Any company that has not considered the possibility that their corporate data is on sale on the dark web right now has not fully comprehended their risk profile.

The Impact of Cybersecurity on M&A Transactions

In every M&A deal, a buyer seeks to have as clear a picture as possible of what they are buying, and ignoring cybersecurity is like buying a used car without having a mechanic inspect the major components. The car may run, but that doesn't mean the brakes won't fail. Not assessing a target's cybersecurity practices, procedures, and history could result in legal, financial, and reputational consequences, including increases to insurance premiums, trade name devaluations, and loss of intellectual property and customer relationships, among others.

The discovery of cybersecurity issues in the context of an M&A transaction can have a significant impact on deal certainty and deal terms, including the purchase price. A recent example of this occurred in Verizon's purchase of Yahoo. Verizon originally offered to purchase Yahoo for more than $4.8 billion. However, upon discovery of several "latent" data breaches at Yahoo affecting over one billion user accounts, Verizon reduced its offer by hundreds of millions of dollars and the deal closed at a purchase price of $4.48 billion.

The acquisition agreement can also be shaped by cybersecurity due diligence in terms of the representations and warranties to be made by the target, actions to be taken by the target prior to closing to rectify discovered issues or prevent potential issues, and the provision of special indemnification protection and indemnity escrows by the seller related to any such issues.

Evolving Due Diligence Considerations for Buyers

Taking an active role in enhancing the acquisition due diligence process by prioritizing privacy and data security considerations at the beginning of an M&A transaction is imperative. This should include an evaluation of the type of data that the target manages, with an increased emphasis on personally identifiable information and other sensitive data, and how the data is currently and has historically been managed by the target, including compliance with the ever-evolving framework of laws, rules and regulations governing privacy and data security. Of course, the industry in which the target operates, the target's business interaction with third-party providers and their handling of target's data, and any heightened level of data security risk involved with the type of business that the target operates will also influence due diligence directives.

In forming your due diligence team, it is important to include a privacy and data security attorney who not only understands cybersecurity risks from a legal perspective but also from a technology perspective. This attorney should be able to speak the "language" of the target's Information Technology (IT) group and relevant data security team which will vary in sophistication and size depending on the target's business, and may include a Chief Privacy Officer (CPO), Chief Information Security Officer (CISO/CIO), as well as risk or compliance managers, human resources managers, benefits managers, and operations managers.

Similar to other specialty areas such as employee benefits, taxes and environmental, the buyer's due diligence request list should be tailored to the target's business to specifically request information and documents regarding the target's privacy and data security framework, including (1) policies and practice manuals (including the target's data maps and data classification schemas), (2) details regarding any data security breaches or unauthorized use of the target's IT systems, (3) information regarding claims or proceedings relating to privacy or data security, (4) the results of any audits of the target's privacy and data security practices, (5) provision of any employee cybersecurity training materials and testing results, and (6) information regarding compliance measures with privacy and data security laws, rules and regulations and contractual requirements. In addition to document requests, the buyer should interview the target's employees who can speak to the privacy and security framework. Beyond policies and procedures, it's important to know what is actually done in practice.

If the buyer learns that some of these documents, processes, or practices do not exist or that the target does not employ a CPO or CISO/CIO or otherwise have personnel dedicated to privacy and data security matters, it should consider conducting a data security and privacy risk assessment. Depending on the size of the company, not having these key roles or documents should be a red flag to buyer's counsel and support the consideration of those assessments. The complexity of the assessment is a function of the nature of the transaction, industry, the target's IT infrastructure setup, the complexity of the target's data processing and storage, and the number and types of third parties engaged by the target, among others. For instance, a large financial services company that maintains sensitive client data would warrant a more rigorous assessment even if all of the key documents and personnel were in place.

Whether or not the due diligence process requires sharing personal information will also need to be determined, as well as if the data can be aggregated or anonymized to protect it. If this is not possible, you should enter into a non-disclosure agreement specifically protecting the target's confidential, personal, or commercially sensitive information. Further, the buyer and target should also review the target's security and privacy policies to determine whether the target is allowed to share personal information. Finally, buyer's counsel must be aware of and adhere to all applicable federal and state laws relating to disclosing personal information within a particular jurisdiction. Companies that have operations in the European Union should consider General Data Protection Regulation (GDPR) compliance during any transaction. This awareness should also extend to any governmental regulations that may or may not be industry specific.

Cybersecurity due diligence will also inform the integration process once an M&A transaction has closed. The buyer must ensure that it has or obtains consent logs to collect personal data that was previously held by their target. Further, any personal information acquired as part of the transaction must comply with future privacy obligations and any data transfers must be completed in line with the buyer's information security standards. The buyer should also constantly monitor their newly acquired personal data post-integration to ensure that privacy standards are met.

It is also critical that, while contemplating an acquisition, a buyer evaluate how they plan on using their target's data and information technology post-acquisition. The buyer's assessment should determine whether the buyer's proposed use of data and IT assets will adhere to all applicable laws and industry regulations, which is especially important when a target's data will be integrated into preexisting systems that expand where or how the data is used.

How Companies Can Protect Devices and Content

- Security by Design: A "Security by Design" approach requires companies to formalize their infrastructure design and automate security controls so that they are able to build security into every part of their information technology management and development process. Instead of reacting to security threats, systems are developed so that they are proactively secure. This requires stringent development, testing, and update standards. Implementing Security by Design requires C-Suite support and awareness. Security at any organization is most effectively implemented from the top down. When a company's IT group is faced with trying to convince middle management to implement more stringent security, it will often fail because IT may not have the broader support of organizational leadership that it needs to succeed.

- Security-Minded Workforce: Companies should provide awareness training and periodic unannounced tests to employees on cybersecurity. Examples of the latter include subjecting employees to organization-controlled email phishing campaigns. These are "fake" phishing emails that are set up by the organization or a third party to test employee reaction to emails that they should recognize as phishing emails. Those employees who click on the link are monitored and recorded. The organization can then reach out to the individuals and provide further instruction on phishing detection.

- Reduced Attack Surface: In order to avoid a loss of business income from vulnerability exploitation, companies must know and reduce their "attack surface," which is the collective sum of their IT resources. This includes websites, email servers, file servers, VPN servers, database servers, contractor portals, forums, cloud services, telephony services, keycard readers, mobile devices, and even USB drives left in an employee's car. Without an understanding of this topology, an organization cannot adequately protect itself.

- Internal Prevention Tools: While three-quarters of cyberattacks are committed by outside attackers, companies should also have a healthy suspicion of their own employees. Disgruntled employees can cause severe harm because the trust model of their employment allows them access to non-public resources and data that they can choose to release to the public. Data loss prevention tools, robust endpoint logging, and mobile device management software can all be used to mitigate such risks.

Conclusion

In today's data-driven world, cyberattacks have dramatically impacted an M&A transaction's once "traditional" due diligence landscape, opening the door to an array of new considerations. For this reason, when assessing target companies of all sizes, it is now best practice to prioritize privacy and data security factors at the beginning of an M&A transaction, including thoroughly evaluating a target's cybersecurity processes, and conducting risk assessments to identify and mitigate potential threats. Furthermore, having a due diligence team consisting of attorneys and other third-party advisors who specialize in this area, understanding both the legal and technological perspectives, may prove indispensable for the success of your next deal.

Additional Resources:

Making Cybersecurity a Priority in Mergers and Acquisitions

Privacy Risk Assessment Questionnaire

Attack Surface Analysis Cheat Sheet

Mobile Device Management Software

13 Security Design Principles


About the Authors:

Richard D. Lutkus, Andrew Lucano, Tushar P. Vaidya

Region: United States