There is no doubt that effective due diligence is essential in any merger or acquisition of businesses. Conducting a complete and thorough investigation of a target company is critical to a potential buyer’s decision to purchase a company, at what price, and subject to what terms, conditions, representations, and warranties. Proper due diligence will cover the target company’s strategic position, financial data, operational assets, and legal matters. Too many companies, however, overlook cybersecurity matters as a key component of their assets (or liabilities) and of a comprehensive due diligence program, especially on smaller acquisitions.
Cybersecurity due diligence can affect not only the purchase price (for example, Yahoo’s breaches in 2013 and 2014, when discovered in 2016, caused a substantial discount in Verizon’s purchase price, reportedly a $350 million reduction), but also the acquiring company going forward. An acquiring company does not want to import cybersecurity breaches into its own secured systems.
Cybersecurity incidents cause tremendous financial, legal, and reputational risk. Possible target companies must have detailed privacy and data security policies, programs, and procedures in writing and enforced regularly to maintain the highest company value. Possible acquirers must conduct specifically targeted cybersecurity due diligence to determine whether a transaction should proceed and at what cost. Cybersecurity issues or security breaches can undermine the value of a target, delay investment return, or even kill a deal. The potential costs of remediating cybersecurity vulnerabilities, infections, breaches, lax controls, and insurance coverage at the target company may not only lower the value of the target, but may also make the potential buyer walk away from the deal. If the deal proceeds in the face of such issues, the due diligence process can provide the acquirer with an estimate as to the costs and expenses needed to remediate, as well as the timeline to integrate the target company’s IT and cybersecurity infrastructure, which can cause significant expenses and delays if not properly handled.
Due diligence can vary from deal to deal, but any preliminary inquiry will include the breaches, losses of data, or other cybersecurity incidents the target company previously suffered. In conducting due diligence, the buyer of a company will want to uncover any systemic security failings, determine how the company has responded to cybersecurity incidents, and look to see whether the target company remains vulnerable to attack.
The next area of inquiry is whether the company is a high-risk target. The due diligence team will need to determine the scope of client or customer data on the target company’s servers, bank account records, or other sensitive information often targeted by hackers. The acquirer will also want to assess the target company’s governance: what is the current state of the target company’s cybersecurity program, policy, procedures, compliance, and enforcement? How does the target company manage its IT security? Does the company have written cybersecurity policies, and are employees trained to recognize cybersecurity threats? Does the target company have mobile device use or password policies, and if so, are they enforced? Does the target even have a data security team? Are there audit records for review? Is the target proactive in preventing breaches, detecting malware, updating security certificates, storing information, and protecting its assets, or does it merely react to attacks?
Next, the acquiring company must research the target company’s regulatory and compliance obligations. The type of business being acquired is important. Banking, financial, and healthcare institutions are highly regulated with respect to security and safeguarding information. Additionally, companies regulated by the New York Department of Financial Services are subject to the agency’s new cybersecurity regulations and reporting obligations, which can be both time-consuming and costly. Defense subcontractors are also subject to rigorous reporting standards. An acquirer should gain a complete picture of the additional regulatory and compliance burdens it is assuming in the deal.
Finally, due diligence should look at the security of the computing infrastructure, vendor or third-party relationships, identification of critical and sensitive data, employee training, employee access to systems, thefts, and the social media presence and policies of the target. Looking at these areas can help to determine whether the target company is at greater cybersecurity risk than normal. A company’s network is only as secure as its weakest link, and any outsourcing of security or IT services can open a backdoor into systems if the third party is not chosen wisely or if a disgruntled employee can get into confidential system areas.
In a world where cybersecurity incidents are ubiquitous and do not discriminate among sectors, cybersecurity due diligence must be part of any good M&A checklist. Companies should integrate specialized cybersecurity teams, including counsel, into their due diligence process to ensure that they are asking the correct questions and reacting to discoveries properly. Carefully reviewing a target company’s cybersecurity posture not only identifies potential risks, but can also justify specialized representations and warranties to be included into purchase agreements to protect the value of an investment.