By Richard D. Harroch, Jennifer Martin, and Richard V. Smith
Information privateness, cybersecurity, and knowledge breach dangers are vital due diligence points in mergers and acquisitions. Put up-acquisition discovery of safety issues, and even notifiable breaches, is a far too widespread situation.
Based on one report, greater than a 3rd (40%) of buying firms engaged in a merger and acquisition transaction stated they found a cybersecurity drawback in the course of the post-acquisition integration of the acquired firm. Essentially the most extremely publicized instance of an M&A-related cybersecurity drawback was Verizon’s discovery of a previous knowledge breach at Yahoo! after having executed an acquisition settlement to amass the corporate.
This discovery nearly scuttled the deal, and in the end resulted in a $350 million discount within the buy worth paid by Verizon, with Yahoo! required to pay a $35 million penalty to settle securities fraud expenses alleged by the U.S. Securities and Trade Fee (SEC) and a further $80 million to settle securities lawsuits introduced by sad shareholders.
This text summarizes the rising potential dangers—authorized, monetary, reputational, and operational—related to cybersecurity, and in addition offers sensible options on methods to determine, perceive, and mitigate these dangers in the course of the M&A due diligence course of.
Cybersecurity Threat Panorama
Even for these buying firms that intend to scrutinize knowledge safety points as a part of the M&A due diligence course of, usually the legal professionals conducting such diligence don’t adequately perceive the present cybersecurity risk panorama or don’t perceive the actual dangers related to the goal firm. As a rule, the legal professionals ask a battery of routine, privacy-related questions of an organization even when that firm doesn’t gather or deal with client private knowledge.
The deal with privateness, and never safety extra typically, is due partly to a common lack of know-how of broader cybersecurity points, and a hyperawareness of the dangers related to knowledge breaches. To a big diploma, an overemphasis on knowledge breach dangers isn’t a surprise since firms should publicly disclose breaches of non-public knowledge to shoppers, and the media steadily focuses appreciable consideration on these breaches, particularly large-scale ones.
The general public is starting to change into extra conscious, nonetheless, of the specter of different forms of data compromises, together with ransomware assaults (by which knowledge is rendered unusable until a “ransom” cost is made), phishing emails (fraudulent emails despatched to trick recipients into present passwords or different useful data), and the theft and selective disclosure of delicate data for embarrassment and harassment (take into account, for instance, the Sony and Democratic Nationwide Committee hacks, by which delicate emails had been made public).
Different Articles From AllBusiness.com:
Furthermore, firms have at all times grappled with the theft of proprietary data and commerce secrets and techniques. Whereas such thefts don’t require notification to shoppers, the theft of useful mental property and commerce secrets and techniques can have a devastating influence on an organization, notably younger startup firms creating new applied sciences. The lack of useful mental property can considerably lower the worth of a goal firm to potential consumers. Equally, the worth of an organization might be manipulated by buying and selling on stolen inside data.
In brief, prison hackers are resorting to a broader array of strategies to monetize and exploit data, and the strategies used to amass that data are more and more stealthy and complicated, making it troublesome to defend in opposition to and detect such assaults. For instance, via superior strategies permitting for covert surveillance, attackers can monitor and steal knowledge, usually delicate proprietary data or methods (enterprise, political, or army), over an extended time frame with out detection.
However probably the most critical pc threats don’t goal data or knowledge in any respect. The NotPetya malware, a purely damaging assault, destroyed complete networks and techniques for among the largest firms on this planet, together with Merck, Maersk, and FedEx, and price firms worldwide an estimated $10 billion in damages.
On a smaller scale, the manipulation of the software program utilized in autonomous autos, for instance, can lead to private harm or loss of life. Or a single element half in a client product can be utilized to disrupt the provision of an enormous swath of the Web.
Regulators, clients, and buyers have been fast to react to those evolving threats. A delay by an organization in discovering and reporting a knowledge breach can lead to vital public criticism of the corporate in addition to authorized publicity, together with the chance of considerable fines and potential liabilities on account of class motion lawsuits and shareholder spinoff actions. The FTC and state Attorneys Basic steadily convey enforcement actions referring to delays in reporting a knowledge breach, together with in a number of high-profile breaches akin to Equifax, Uber, and, most just lately, Google+. Such scrutiny can also be a danger for firms that purchase a breached firm.
The SEC can also be stepping up enforcement actions in opposition to public firms that fail to adequately disclose not solely precise safety incidents, however dangers related to cybersecurity. Particularly, pursuant to its February 2018 Fee Assertion and Steering on Public Firm Cybersecurity Disclosures, extra public statements, and its April 2018 SEC settlement order with Yahoo!, the SEC has outlined its expectations for dealing with disclosure obligations referring to cybersecurity incidents.
Such obligations embody, however should not restricted to, having enough techniques of inside controls and processes to make sure an applicable degree of risk-management oversight of an incident, together with satisfying SEC disclosure obligations following discovery of an incident; amending or correcting prior materials misstatements concerning cybersecurity in danger issue and MD&A disclosures; and instituting buying and selling blackouts, as applicable.
In truth, the SEC just lately investigated 9 firms that had been victimized by a standard cyber-related fraud scheme, whereby accounting personnel obtained faux emails purportedly from firm executives or distributors to wire giant sums of cash to the perpetrators. Not solely did these 9 firms lose over $100 million in combination to the fraudsters, the SEC investigated them for potential violations of federal securities legal guidelines for failing to have in place a enough system of inside monetary accounting controls.
Lastly, many extremely regulated industries are required to adjust to particular safety requirements and controls, and to promptly report incidents. For instance, pursuant to the Gramm-Leach-Bliley Act, monetary establishments are required to implement data safety protections to safeguard monetary data and to inform their regulators within the occasion of unauthorized entry to such knowledge. The healthcare is topic to related necessities beneath the Well being Insurance coverage Portability and Accountability Act of 1996 (HIPAA).
In different sectors, extra stringent necessities could apply. For instance, as of January 1, 2018, firms that contract with the Division of Protection are required to adjust to the NIST 800-171 commonplace and report any incidents that influence techniques on which authorities data is saved or processed. Equally, power firms regulated by the Federal Vitality Regulatory Fee (FERC) are required to adjust to Vital Infrastructure Safety reliability requirements; FERC can also be presently engaged on obligatory cybersecurity incident reporting guidelines.
As well as, distributors, suppliers, and different suppliers of regulated firms are sometimes contractually required to observe these necessities as nicely, no matter their measurement. Thus, firms focused for acquisition may be topic to vital contractual obligations concerning cybersecurity. For instance, firms that deal with bank card data via an e-commerce platform, cell software, or as a processing vendor are required by banks and bank card issuers to adjust to the PCI DSS cybersecurity requirements; a failure to fulfill these obligations can lead to vital fines and even contract termination. Increasingly steadily, contracts are requiring distributors throughout sectors to adjust to particular safety necessities, and to inform contracting companions within the occasion of an incident.
Mitigating Threat Via Due Diligence
Towards this backdrop, it’s crucial that an acquirer contemplating an acquisition totally examine and determine the actual cybersecurity and knowledge privateness dangers and liabilities posed by the transaction. It’s equally vital that the promoting firm anticipate cybersecurity and knowledge privateness points. Notably, as a result of a promoting firm could not even pay attention to a previous or present compromise that could be pertinent to the deal, additionally it is incumbent upon the acquirer to contemplate different technique of conducting due diligence on this space.
At a minimal, the acquirer’s due diligence investigation ought to deal with the next:
Figuring out the actual forms of privateness and cybersecurity dangers the goal firm faces given its sector, geographic attain, and the character of the merchandise and/or companies that it manufactures, develops, or offers.
Understanding the community and system structure and knowledge flows, together with the usage of cloud suppliers and third-party purposes.
Perceive the extent to which the promoting firm gathers and makes use of private data, particularly buyer private data and extremely delicate proprietary data, together with data supplied by enterprise companions and/or governmental companies.
Evaluation commitments and representations made by the promoting firm to its customers and clients in reference to privateness and safety points, together with contractual obligations.
Acknowledge whether or not the acquirer might want to get hold of any consents to make use of private or personal data of the promoting firm post-closing.
Ask whether or not the promoting firm has skilled any prior cybersecurity incidents, together with knowledge breaches, and the way it has responded to such incidents.
Decide whether or not the promoting firm has a written safety program that meets present regulatory and requirements and finest practices, together with with respect to organizational (insurance policies), operational (processes), and technical controls.
Assess the acquirer’s potential legal responsibility, compliance posture, and/or notification obligations that may exist after completion of the acquisition.
Within the the rest of this text, we define a number of forms of due diligence inquiries and procedures that an acquirer could want to undertake in reference to its investigation of information privateness and cybersecurity points. As with all M&A due diligence evaluation, the character of the inquiry and the procedures employed ought to be tailor-made to the state of affairs. Accordingly, not each merchandise mentioned beneath will probably be applicable for each knowledge privateness and cybersecurity due diligence evaluation.
1. Evaluation of Promoting Firm Insurance policies and Contracts
Initially, an acquirer ought to request and evaluation copies of varied insurance policies, contracts, and different paperwork of the promoting firm, together with the next:
Present and older variations of the promoting firm’s privateness coverage
Whether or not and to what extent the promoting firm has deviated from its privateness insurance policies
Present and older variations of any Phrases of Use agreements
Telemarketing and e mail advertising and marketing insurance policies
Safety insurance policies, together with however not restricted to the promoting firm’s Info Safety Coverage, Acceptable Use Coverage, and Information Classification Coverage
Outcomes of safety audits and assessments, vulnerability scans, and penetration checks
Privateness and safety program maturity plans
Privateness influence evaluation processes and evaluation reviews
Certifications (e.g., ISO 27001/2, PCI DSS, SOC) and audit data
A listing of business-to-business buyer contracts, notably with public firms within the monetary, well being, power, telecommunications, and different extremely regulated industries
Contracts with the promoting firm’s distributors, suppliers, and suppliers
Incident response plans and playbooks
Privateness and data safety coaching supplies, and an outline of the coaching program
Worker background investigation processes and insurance policies, and onboarding processes
Group and reporting construction because it pertains to the safety perform, and any data concerning govt administration of cybersecurity and privateness danger
GDPR-related compliance supplies, as relevant
Software program growth processes and documentation
Insurance coverage insurance policies defending the corporate from cybersecurity or knowledge breach losses (together with claims historical past)
Whether or not there are applicable techniques of inside accounting controls to protect in opposition to fraudulent requests for cash
2. Evaluation of Procedures to Shield the Promoting Firm’s Information
The acquirer additionally ought to evaluation the procedures the promoting firm has put in place to guard its worker, buyer, and enterprise companions’ knowledge and data in addition to its networks and techniques:
Does the corporate have a written cybersecurity program that establishes administrative, operational, and technical controls to mitigate safety dangers?
Does the promoting firm have applicable insurance policies, together with at a minimal an Info Safety Coverage, an employee-facing Acceptable Use Coverage, and a Information Classification and Dealing with Coverage?
Does the promoting firm conduct common danger assessments, and vulnerability and penetration testing of techniques?
Does the promoting firm have devoted safety personnel?
Does the promoting firm carry out an annual danger evaluation referring to privateness and cybersecurity?
Does the promoting firm practice its staff on privateness and safety finest practices?
Does the promoting firm have a complete Incident Response Plan and is it examined?
Does the promoting firm handle vendor danger?
Does the promoting firm have a enterprise continuity and catastrophe restoration plan, and back-up protocols?
Does the promoting firm defend the bodily safety of its amenities and belongings?
Does the promoting firm implement “cheap” technical safety controls (or adjust to obligatory requirements), together with, for instance, anti-virus software program, encryption, entry controls, community monitoring, authentication, and asset administration?
Does the promoting firm have an insider risk program to detect the potential theft of proprietary data or mental property?
Does the promoting firm require privateness influence assessments when implementing new techniques or processes?
three. Evaluation of Previous Information Breaches Towards the Promoting Firm
The acquirer ought to be particularly involved about previous knowledge breaches in opposition to the promoting firm or intrusions into its pc community.
Is the promoting firm conscious of any prior cybersecurity incidents, together with however not restricted to the compromise of delicate knowledge? An outline or report of all prior identified incidents ought to be requested.
How had been any such incidents found or detected?
Did the promoting firm conduct an investigation and what was the methodology and scope? Was a third-party forensic advisor engaged to research the incident? Any investigative reviews referring to cybersecurity incidents ought to be requested.
What was the influence of the incident on the promoting firm’s knowledge or techniques? What was the scope of the compromise or knowledge influence?
Has the promoting firm skilled any theft or suspected theft of proprietary data or mental property? In that case, when and how much data was stolen? Was the topic of the investigation an insider (worker, contractor, or ex-employee) or a third-party intruder?
Has the promoting firm skilled a possible breach of non-public knowledge? When? Had been notifications made? Why or why not? Did the promoting firm seek the advice of with exterior counsel on authorized obligations?
Has the promoting firm been defrauded or extorted because of an e mail compromise?
What remedial actions or patches had been carried out to repair any vulnerabilities or different root causes that resulted in an incident or potential incident?
How usually are networks, techniques, purposes, and different digital belongings scanned for vulnerabilities or topic to penetration testing?
four. Is the Promoting Firm in Compliance with Relevant Legal guidelines and Requirements?
There are a number of legal guidelines that set forth safety and privateness necessities, together with notification obligations, the scope of which rely on the promoting firm’s sector or the service or product it develops, manufactures, or offers. It’s vital to grasp what legal guidelines could apply to the promoting firm and to inquire whether or not the promoting firm is ruled by and compliant with specific legal guidelines, rules, and requirements. Keep in mind that many of those necessities could also be pushed down by contract to subcontractors, distributors, suppliers, and different suppliers of coated entities, even when such distributors should not instantly regulated.
The next is a non-exhaustive listing of doubtless relevant legal guidelines for illustrative functions (applicable safety or privateness counsel ought to be consulted in any specific M&A due diligence investigation):
Basic Shopper Privateness and Information Safety Legal guidelines
Federal Commerce Fee – The FTC is broadly empowered to convey enforcement actions to guard shoppers in opposition to unfair or misleading practices and has developed a type of “widespread regulation” with respect to regulatory expectations. The FTC has taken the place that “misleading practices” embody an organization’s failure to adjust to its revealed privateness coverage and its failure to implement “cheap” safety measures to guard shoppers’ private data.
European Union GPDR Guidelines – Europe’s framework for knowledge safety legal guidelines for firms that will gather or course of EU residents’ knowledge; GPDR guidelines have a world attain as they regulate any worldwide firm which collects or processes EU residents’ knowledge.
The Federal Youngsters’s On-line Privateness Safety Act – Prohibits the web assortment of knowledge of youngsters beneath the age of 13 and requires publication of a privateness discover and assortment of verifiable parental consent when such data is collected.
Phone Shopper Safety Act – Imposes restrictions on telemarketing.
State Information Breach Notification Legal guidelines – All 50 U.S. states require buyer notification of safety breaches involving private data; furthermore, many states are establishing minimal “cheap” requirements to guard client knowledge.
CAN-SPAM legal guidelines – Locations restrictions on e mail advertising and marketing.
Evolving federal and state legal guidelines – For instance, the California Shopper Privateness Act of 2018, which imports EU GDPR-style rights for California residents round knowledge possession, transparency, and management.
Monetary Companies Trade
Graham Leach Bliley Act – Imposes privateness and safety obligations on insurance coverage firms, banks and different coated monetary establishments with respect to buyer monetary data.
New York Division of Monetary Companies Cybersecurity Guidelines–Imposes particular safety necessities, together with technical controls, and reporting obligations on licensed entities – the necessities are directed on the safety of the techniques underlying the monetary sector, not merely on knowledge.
Fee Card Trade Information Safety Normal (PCI DSS) – Info safety commonplace that applies to organizations that deal with branded bank cards; compliance with PCI DSS is traditionally a contractual requirement of bank card issuers and buying banks, however states are starting to undertake it as a regulatory requirement.
Well being Care Trade
Well being Insurance coverage Portability and Accountability Act (HIPPA) – Supplies privateness and safety necessities and notification obligations to guard sufferers’ medical data.
FDA Pre-Market and Put up-Market Cybersecurity Steering on Related Medical Units – Establishes finest practices for the event and manufacture of linked medical units all through the lifetime of the gadget.
DFARS 252.204.7012 – Requires protection contractors to adjust to NIST 800-171 safety requirements.
FERC Vital Infrastructure Safety Reliability Requirements – Federal Vitality Regulatory Fee requirements.
5. Evaluation of Litigation and Complaints
The acquirer will need to rigorously evaluation any litigation or regulatory inquiries affecting the promoting firm:
Has the promoting firm obtained any litigation claims regarding its privateness or safety practices, together with class motion or shareholder spinoff fits post-breach?
Has the promoting firm obtained any governmental or regulatory notices about its privateness or safety practices, together with from the FTC, the SEC, state Attorneys Basic, or specific regulators? Is the promoting firm beneath a present regulatory (e.g., FTC) consent decree or monitoring order?
Has the promoting firm notified governmental or regulatory authorities and/or affected individuals of a knowledge breach or different incident, and are obligatory notification necessities triggered?
Has the promoting firm obtained breach of contract claims for failure to adjust to contractual necessities, together with post-incident?
Has the promoting firm obtained privateness or safety complaints from its clients?
Has the promoting firm settled any claims or complaints? In that case, on what phrases?
6. Different Pre-Acquisition Due Diligence
Cybersecurity due diligence additionally could require the consideration of extra “invasive” technical methodologies unfamiliar within the conventional M&A due diligence context. The next extra steps are notably vital to contemplate when the vendor or the client are in extremely regulated and/or vital infrastructure industries, for presidency contractors, or the place post-acquisition notification of prior breaches could also be required.
Require the promoting firm to have interaction a third-party safety firm to run vulnerability scans or penetration checks on vital belongings (for instance, people who retailer delicate knowledge or useful mental property) and purposes.
Have interaction a third-party safety firm to scan techniques for artifacts of present or previous compromises (nobody needs to amass a Russian Superior Persistent Menace (APT) together with their funding).
If such measures can’t be taken previous to acquisition, an acquirer should take into account such assessments previous to integration of networks and techniques to make sure that any current infections, malware, or compromises don’t unfold to the acquirer’s setting.
Cybersecurity due diligence has change into more and more vital for M&A transactions. Savvy acquirers perceive the potential for vital liabilities ensuing from a promoting firm’s failure to correctly determine and deal with prior knowledge breaches or different cybersecurity incidents. Much less steadily mentioned is how a previous cybersecurity incident could influence the worth of a promoting firm, akin to when useful mental property has been stolen or when obligatory disclosure of an incident post-acquisition leads to vital reputational harm and misplaced enterprise.
Equally, a failure to adjust to contractual and regulatory necessities could require a purchaser to take a position vital sources to convey a promoting firm into compliance and to mitigate privateness and cybersecurity dangers.
A radical and considerate due diligence investigation of the promoting firm’s cybersecurity and knowledge privateness state of affairs is vital for an acquirer to evaluate the dangers and liabilities it might tackle by making an acquisition, and whether or not such dangers are related to precisely assessing the worth of the goal firm.
Copyright © by Richard D. Harroch. All Rights Reserved.
A observe of because of Sam Casciato, an IT and cybersecurity engineer at Talix, Inc., for his useful suggestions on this text.
Concerning the Authors
Richard D. Harroch is a Managing Director and World Head of M&A at VantagePoint Capital Companions, a big enterprise capital fund within the San Francisco space. His focus is on Web, digital media, and software program firms, and he was the founding father of a number of Web firms. His articles have appeared on-line in Forbes, Fortune, MSN, Yahoo, FoxBusiness, and AllBusiness.com. Richard is the writer of a number of books on startups and entrepreneurship in addition to the co-author of Poker for Dummies and a Wall Avenue Journal-bestselling ebook on small enterprise. He’s the co-author of the just lately revealed 1,500-page ebook by Bloomberg, Mergers and Acquisitions of Privately Held Corporations: Evaluation, Kinds and Agreements. He was additionally a company and M&A associate on the regulation agency of Orrick, Herrington & Sutcliffe, with expertise in startups, mergers and acquisitions, and enterprise capital. He has been concerned in over 200 M&A transactions and 250 startup financings. He might be reached via LinkedIn.
Jennifer Martin is associate within the Silicon Valley officeof Orrick, Herrington & Sutcliffe LLP, and a member of the agency’s Cyber, Privateness, and Information Innovation follow. She advises shoppers on finest practices for mitigating cybersecurity dangers throughout industries, together with counseling on cybersecurity program compliance and resiliency on an industry-by-industry foundation; managing vital safety incidents and offering cross-disciplinary incident response planning; drafting business contract phrases and necessities for purchasers and distributors; and conducting cybersecurity due diligence in M&A transactions. She has centered on cybersecurity from the authorized, technical, and coverage views for almost 20 years from authorities, in-house, and personal follow and consulting views. Learn her full profile on Orrick.com.
Richard V. Smith is a associate within the Silicon Valley and San Francisco places of work of Orrick, Herrington & Sutcliffe LLP, and a member of its World Mergers & Acquisitions and Personal Fairness Group. He specializes within the areas of mergers and acquisitions, company governance, and activist protection. Richard has suggested on greater than 400 M&A transactions and has represented shoppers in all elements of mergers and acquisitions transactions involving private and non-private firms, company governance, and activist protection. He’s the co-author of the just lately revealed 1,500-page ebook by Bloomberg, Mergers and Acquisitions of Privately Held Corporations: Evaluation, Kinds and Agreements. Learn his full profile on Orrick.com.