Cyber risks are increasing. As a result, due diligence inquiries and valuations are increasingly focusing on the cybersecurity and privacy risks inherent in a business’s collection, use, retention, and disposal of data. The business’s information security posture and vulnerability to cyberattacks has become a key concern in corporate due diligence. Liabilities and assets are no longer just limited to a company’s books but have more wide-reaching implications around possessing data and the ability to safeguard that data.
Why Is Cybersecurity Due Diligence Important?
Cybersecurity is front and center for businesses and a top concern for executives, boards of directors, and investors. Ransomware attacks, loss of company data, business interruptions, data breaches, and damage to critical technical infrastructure are all consequences of a cyberattack, and they rank among the highest costs to businesses today.
A business’s reliance on technology, and use of data, has become a yardstick for the inherent risks the business presents during and after closing. Sadly, less than 10% of deals globally contain cybersecurity due diligence. Traditionally, cyber has not been considered material enough to make the due diligence checklist pre-deal and was often left to post-deal review and remediation. Similarly, dealmakers mistakenly assume that intellectual property or IT reviews cover cybersecurity.
On the global stage, Marriott, which acquired Starwood several years ago, paid an £18.4 million fine, a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Sadly, the decision failed to give any detailed explanation for the reduction of the fine to £28 million, although a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and £4 million to reflect the impact of the coronavirus pandemic. The ICO recognized the challenges of pre-acquisition due diligence when engaging a third-party consultant, while simultaneously acknowledging that the ultimate responsibility for breaches rests with the company itself: https://mailchi.mp/6c5f8f26d224/heres-what-you-missed-in-the-80-ico-fine-reduction-against-marriott
This decision creates difficulty for businesses lacking Marriott’s resources. To what extent is it reasonable for smaller businesses to rely on expert security providers? While they might not be as obvious a target as Marriott, ransomware is still a disproportionate problem for small- and medium-sized businesses, with around 60% of attacks affecting businesses with revenue of less than US$50 million. It will be difficult for those businesses to demonstrate compliance with the GDPR and other regulations unless they rely on advice from cybersecurity experts.
And, after the disclosure of two massive data breaches, Yahoo and Verizon confirmed new terms for the sale of Yahoo to Verizon: Verizon will pay $350 million less than originally planned.
We all know that in the US your data is your data: while you may have a cause of action against an outsourced vendor, you and you alone remain liable for your data. This lesson comes from a 2008 data breach at a third-party vendor of the University of Utah: https://www.computerworld.com/article/2535291/thieves-steal-tapes-holding-2-2m-billing-records.html and https://www.computerworld.com/article/2518592/insurer-says-it-s-not-liable-for-university-of-utah-s–3-3m-data-breach.html
What Should Cybersecurity Due Diligence Look Like?
We typically see five main areas of due diligence that most mergers and acquisitions should focus on as it relates to data privacy and information security concerns.
Networks and Systems
Anytime the buyer is acquiring technology that will be integrated post-closing, there is a risk of unforeseen cyberattacks. Due diligence should focus on identifying dormant threats in the acquired infrastructure and implementing effective mechanisms for mitigating those threats. It is also important to note that during the M&A process, IT resources may be over-burdened as they try to integrate technology between entities. This can lead to extended gaps in IT change management and a failure to properly address threats, apply security patches, or monitor threat activity, which in turn creates a significant attack vector.
It is important to identify IT assets, systems, software, websites, and applications, whether proprietary or third party, and how company data or personal information is stored or processed. Additionally, for businesses that collect, store or process non-U.S. data, it is important to understand if that data is exported to personnel or servers located in other jurisdictions. Various legal regulations, such as GDPR, may be implicated and could affect whether and how data can be transferred post-merger.
Understanding the underlying technical infrastructure of the target company provides a clearer picture of the risks involved in acquiring those networks, servers, and other technical systems, and can make the difference between those systems becoming assets or liabilities post-merger. Several questions should be part of any due diligence checklist:
- Is there documentation or information that can be provided about the seller’s network and system architecture and data flows, including the use of cloud providers and third-party applications?
- Do any of the target company’s systems store any individual personal information or sensitive personal information?
- If yes, what are the security controls in place to protect this type of information (MFA, access controls, etc.)?
- Does the seller have on-premises servers or use cloud storage for storage of sensitive personal information?
- Does the seller use any legacy applications or providers for critical functions that are subject to long-term contracts or that would be difficult to port to an alternative platform?
Cybersecurity
Similarly, specific cybersecurity questions should be posed to determine how mature the target’s cybersecurity program is. Some examples of relevant questions may include:
- What are the types of privacy/cybersecurity risks that the target company faces in its industry sector, geographic reach, and the nature of the products or services that it manufactures, develops, or provides?
- Has the target company conducted any privacy impact assessments, vulnerability scans, penetration tests, SOC audits, etc. in the last 24 months?
- Has the target company experienced any cybersecurity events, including data breaches or ransomware attacks, and how did it respond to such events?
- Does the target company have any internal reports or reports from external forensics or law firms relating to any cybersecurity events or any other evaluation, impact assessment or questionnaire?
- Does the target company have a written information security program/policy, business continuity plan, or incident response plan? If so, please provide a copy of the plan(s).
Legal Obligations—Information Security
Identifying applicable privacy and data security regulations and legal obligations is also an important part of the due diligence process. For example, do U.S. state privacy laws apply, or does international privacy law apply, under which a data breach could cost 4% of global revenue? Similarly, does the target company use or process health data?
Data Collection and Processing Practices
Another area of inquiry during cybersecurity due diligence focuses on the types of data collected, how that data is processed, and whether sensitive personal data is stored by the target company. Not all data is created equal, and certain types of data pose a greater risk if that data is compromised due to a security incident. For instance, biometric or children’s data may pose additional risks. Additionally, how long the target company keeps this type of data may also inform the buyer about the potential risks involved. Here are a few typical questions you may see relating to data collection of the target company:
- What categories of any personally identifiable information are collected, used, stored, transferred, or otherwise processed by or on behalf of the target company?
- Does the target company have a data retention and deletion program?
- Does the target company collect any biometric information from its customers or from its employees?
- Does the target company collect data of children?
- Will the buyer need to obtain any consents to use personal or private information of the seller post-closing?
Data Incidents and Complaints
Finally, understanding any previous data incidents, breaches, or regulatory inquiries is critical in calculating risks pre-closing as it relates to the compromise of the target company’s systems and data. For example, the target company should be able to address:
- Any incidents of unauthorized access to, misuse, modification, exfiltration or disruption of the target company’s information systems or proprietary technology systems, including any data stored on such information systems or elsewhere, and whether such matters have been remediated.
- Whether the target company has assessed its data breach notification obligations and whether the company has ever reported a data privacy incident to any regulator, governmental agency or other third party.
Cybersecurity is not going away, nor are the risks associated with the use of technology in today’s world. As companies begin to consider the value of acquiring or merging with other businesses, it will continue to be imperative to ensure that specific due diligence is conducted as it relates to those cyber risks.
We offer an option to mitigate your cyber security exposure in an M&A transaction.
Why navigate this treacherous slope alone? The best planning is proactive!
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
www.rmfreibergcpa.com
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment
1 thought on “5 Critical Concerns In An M&A Deal”
Cybersecurity is such a big deal now. Crazy!