Deals and Data: Cybersecurity M&A Due Diligence
January 10, 2017
Cybersecurity due diligence is quickly becoming part of standard best practices in Merger & Acquisition (“M&A”) deals. Traditionally, the primary goal of due diligence is to investigate the target of a merger or acquisition in order to gain an accurate understanding of the target’s financial condition, policies, contracts, assets and liabilities. With the rise of “big data,” and the attendant collection of massive quantities of personal and customer information, cybersecurity due diligence has become an essential component of the due diligence review process.
Recent surveys indicate that executives, investors, and general counsel are placing increased emphasis on the cybersecurity practices of target companies when performing acquisition due diligence. Mergermarket conducted a survey of senior executives at corporations and private equity firms that frequently conduct M&A transactions. It found that most respondents use the information obtained through the cybersecurity due diligence process to plan for and estimate the cost of fixing uncovered problems, to decide whether to consummate a deal, and to negotiate down the purchase price or other deal terms. The top concerns of the group surveyed were the cost of correcting existing problems, the potential for complications with post-merger integration, the occurrence of frequent or recent data breaches, and threats to customer and business data. The most frequently reported types of cybersecurity issues were compliance problems, followed by a lack of comprehensive data security architecture, insider threats, inadequate security on mobile devices, server storage vulnerabilities, and the lack of a functioning data security team.
Seventy-seven percent of the respondents in the Mergermarket survey reported walking away from a deal as a result of data security issues that were discovered in cybersecurity due diligence. Even if the discovery of a cybersecurity problem in the course of due diligence does not kill the deal, it may affect the value of the target or cause problems with post-merger acquisition integration.
Outside cybersecurity attorneys and third-party forensic and technical advisors and consultants are becoming integral players in the M&A cyber-risk due diligence process. The goal of assessing the target company’s cybersecurity should be introduced early in the engagement process. A key indicator is the maturity of the target’s cybersecurity program and whether it is well integrated into the target’s institutional culture, beginning at the CEO and Board level and extending cross-functionally throughout all departments – as opposed to being just a silo inside the IT function. A key question to ask is: how much does the target company budget for cybersecurity management?
The vulnerability of a target company to cybersecurity incidents must be assessed so that the prospective purchaser is aware of its potential exposure to liability for cybersecurity issues after the deal is completed. Due diligence should include a review and analysis of the seller’s privacy and data security policies, programs and procedures across all media, both online and mobile, including a description of the types of personally identifiable information (“PII”) the target company collects, how the PII is used, and the extent to which it is shared. Any available external and internal intrusion and other audits that have been conducted should be made available to the prospective purchaser. The target should be required to provide information about any data security breaches or other incidents that have occurred, and all reports related to them. The target should also provide all data breach notifications the target company has sent, reports that have been made to law enforcement or regulatory agencies, and any responses that have been received, including regulatory and administrative complaints, actions, litigation, fines and penalties. Copies of the target company’s physical security policies pertaining to its buildings, data centers, computer rooms, and locations of its critical computer infrastructure should be examined both on paper and in actual practice.
The acquiring company should inspect all of the target’s insurance policies, in particular its cyber insurance policy, especially if the target has experienced a data breach incident, to determine whether the incident was covered and whether the steps that may be a prerequisite to coverage were taken. An analysis should be done to decide whether additional coverages specific to data security matters should be purchased, and what those additional coverages will cost. All information about any events that have given rise to a cyber insurance claim should be provided to the acquiring company.
A thorough review and analysis of the target company’s social media presence should be undertaken, including a list of all of the target’s social media platforms and a description of how the target company uses each form of social media. Employment manuals, handbooks and policies should be reviewed for provisions related to employee use of email and social media, and the target’s practices concerning the collection, use and retention of employee PII, as well as the security screening and controls the target uses in hiring personnel.
Because data breaches often involve third-party vendors, the target company’s vendor management process should be reviewed, with particular attention paid to its vendors’ obligations to the target company. Counsel should review the security and privacy provisions of the target’s vendor contracts.
Finally, the prospective purchaser needs to understand the target’s industry in order to determine the applicable sector-specific federal and state statutes and regulations and the target’s compliance with them. Federal laws could include, for example, the Gramm-Leach-Bliley Act (GLBA), HIPAA, HITECH, Fair Credit Reporting Act (FCRA), CAN-SPAM Act, and others. In addition, state privacy laws may be implicated since forty-seven states, and the District of Columbia, Puerto Rico and the Virgin Islands, have all enacted their own data breach notification laws, which govern the collection of their residents’ PII. International considerations must also be assessed so the acquiring company can determine the target’s compliance with the privacy and data protection laws of international jurisdictions where it is considered to operate, particularly because European Union member states often impose privacy and data security laws that are more far-reaching than in the United States.
By assessing privacy and data security risks in due diligence, the acquiring company can manage the transactional risks, the value of the deal, and the cost of post-merger compliance.