By Christine Malafi
With major data and security breaches consistently making headlines, a thorough investigation of a target company’s security practices is critical to a buyer’s decision to purchase a company. Areas of examination include operational assets, financial data, legal matters, strategic planning, and employee information. Such assessments help potential buyers manage and alleviate risk, liability, and exposure before pursuing a precarious deal. Unfortunately, cybersecurity is often overlooked in the frenetic pace of M&A transactions.
Failure to exercise proper due diligence in M&A transactions can result in costly mistakes. Just consider recent headlines: FedEx had customer data, including scanned passports and driver’s licenses, stolen from a publicly accessible server. FedEx obtained the server when it purchased Bongo International to help customers with shipping calculations. This breach highlights the importance of auditing digital assets to ensure data is secure before, during, and after an acquisition. Cybersecurity concerns may decrease the purchase price or result in a holdback of payments until claims are resolved.
This is precisely the scenario that played out in Verizon’s renegotiation of the Yahoo acquisition after details emerged that three billion Yahoo accounts were hacked. The news prompted a reported reduction of $350 million in the purchase price. In 2017, Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement of a consumer class action lawsuit, originating from a 2013 data breach which allegedly exposed the credit card data of more than 350,000 customers. And in August 2017, Women’s Health Care Group of PA, LLC experienced the third largest data breach of the year after completing a merger. These examples are only the tip of the iceberg, as nearly 182 million records have been exposed in the first half of 2018 alone.
To minimize the risks, target companies must have written data security policies – and enforce them – to maintain the highest company value. Potential acquirers must conduct targeted cybersecurity due diligence to determine whether a transaction should proceed by assessing all past and present versions of the target’s information security policies. Acquirers should also evaluate how to seamlessly migrate data and technology from the target company without exposing the information. The due diligence process can provide the acquirer with an estimate as to the costs needed to remediate.
A preliminary inquiry should also address data losses the target company has sustained. The acquiring company should uncover any systemic security failings, determine how the target company has responded to cybersecurity incidents, and assess whether the target company remains vulnerable.
The next area of inquiry is whether the company is a high-risk target. The due diligence team will need to determine the scope of client/customer data on the target company’s servers. This inquiry is especially pertinent to high profile mergers. A prospective buyer will also want to assess a target company’s governance. Questions to ask should include: what is the current state of the target company’s cybersecurity program, policy, procedures, compliance, and enforcement? How does the target company manage its IT security? Are employees trained to recognize cybersecurity threats? Is the target proactive in preventing breaches, detecting malware, updating security certificates, storing information, and protecting its assets?
The acquiring company must also research the target company’s regulatory and compliance obligations. The type of business is important: banking, financial, and healthcare institutions are highly regulated with respect to safeguarding information. These types of businesses often store information widely sought after by hackers. Additionally, companies regulated by the New York Department of Financial Services are subject to the agency’s new cybersecurity regulations and reporting obligations, which can be both time-consuming and costly. It may also be valuable to investigate industry standards to determine if a target company’s safeguards fall within commercially reasonable requirements. It is best practice for an acquirer to gain a complete picture of any additional compliance and regulatory burdens assumed in a deal.
Finally, due diligence should look at the security of the computing infrastructure, vendor or third-party relationships, employee training, and the social media presence and policies of the target. These areas can help determine whether the target company is at a greater cybersecurity risk. A company’s network is only as secure as its weakest link, and any outsourcing of security or IT services can open a back-door into systems.
The more efficient a company’s cybersecurity response protocol, the less risk will be assumed by the acquirer.
In a world where cybersecurity incidents are ubiquitous, cybersecurity due diligence must be part of any good M&A checklist. Companies should integrate specialized cybersecurity teams, including counsel, into their due diligence process to ensure they are asking the correct questions. Carefully reviewing a target company’s cybersecurity posture not only identifies potential risks, but can also justify specialized representations and warranties to be included into purchase agreements to protect the value of an investment.