Over the past few years, we’ve seen cybercrime affect just about every segment of our economy – from massive data breaches at Fortune 100 companies to intellectual property theft at innovative start-ups. The latest poster child for a headline-grabbing hack is Yahoo! Inc. The internet company disclosed late last year that it suffered the largest reported data breach in U.S. history, with 1 billion user accounts compromised.
In what can only be described as a case of poor timing, Yahoo disclosed the hack in the midst of a $4.8 billion deal to sell its internet operations to Verizon Communications, Inc. It was Yahoo’s second strike. Just three months earlier, the company disclosed that some 500 million user accounts were breached.
The Yahoo breaches underscore an increasingly complex, specialized, and sophisticated aspect of M&A transactions: cybersecurity due diligence.
Cyber is a relatively new dimension of M&A risk that organizations are only now beginning to grasp. And even the most sophisticated financial or strategic buyers, private equity firms, or venture capital investors — many of whom owe fiduciary duties to their own investors — have been slow to recognize the impact cyber can have on a transaction, including its deal terms, valuation, and post-closing conditions.
Yet cyber risk is developing at a rapid rate and has the potential to imperil a company, its critical infrastructure, brand, trade secrets, and consumer confidence. And this is not simply potential in the theoretical sense. The business world is littered with so many examples that the public has become desensitized to the latest data breach.
Given these evolving risks, cyber diligence is far from a boilerplate endeavor. It is a holistic process that requires deep expertise and should be tailored to the target company, its business, industry, and whether it collects and stores sensitive information or relies on intellectual property or trade secrets as a driver of its revenues, among other factors.
No doubt, there are big differences among cyber diligence on a retailer with consumer-facing websites that store gigabytes of credit card data, a technology company with products and a revenue stream dependent on the protection of proprietary rights, and a brick-and-mortar enterprise with a limited digital footprint and very little proprietary data.
There are, however, general parameters and steps to consider when approaching cyber diligence.
One is that cyber diligence should be a priority from the outset of a potential transaction. Even at an initial stage, basic questions such as these must be asked to even begin the process of developing a cyber diligence strategy:
— What information is most critical to the target’s operations and revenues?
— How and where is that information collected and stored?
— Most importantly, how is it protected from unauthorized disclosure or access?
— What’s the target’s general cyber-risk profile? Some industries such as health care and financial services are more vulnerable to cybercrime than others.
— Have there been prior instances of hacking? If so, were the vulnerabilities sufficiently remediated?
— Has the target been on the receiving end of an inquiry or enforcement action from a regulator or subject to data security litigation?
— Does the target maintain a comprehensive data security program and corresponding policies, practices, and procedures that are updated on a regular basis?
While this is not an exhaustive list of preliminary questions, it does provide a sense of the target’s cybersecurity posture and can assist the M&A team in thinking through the most appropriate overall strategy for cyber diligence.
Another parameter to consider is the need to create a cyber diligence strategy. Once a basic picture of the target’s cyber risk profile and current state of affairs is assembled, a much deeper strategic and tactical dive is required to understand the target’s cybersecurity program, potential liabilities, and regulatory risks.
Some industries — health care, financial institutions, government contracting, and communications among them — carry specific security and data privacy risks and requirements. And regulatory expectations evolve quickly, depending on the industry. Those regs might call for added expertise and specific industry knowledge, especially in areas with sector-specific data security and privacy regimes. In putting together an overall cyber diligence strategy, consider these actions:
— Is there a need for experts? Unlike many other areas of due diligence, cyber calls for specialized legal, regulatory, and technical expertise. Does your M&A team have the bandwidth and knowledge level on both the technical and legal side? It’s one thing to be able to ask the right questions; it’s another to be able to understand the answers.
— Prioritize the diligence strategy based on the importance of the data to the target’s bottom line, including the risk of theft of trade secrets by competitors and insiders.
— Carefully consider the target’s existing cybersecurity program. Is it a comprehensive enterprise-wide approach, or is it a silo in the IT department? The latter suggests that the target is unlikely to have an effective plan in place and should be reason for further inquiry.
— With the help of technical experts, consider the target’s IT infrastructure and a diligence process for assessing its stability and vulnerabilities.
Executing the Cyber Diligence Plan
With their cyber diligence plan in hand, it’s time for acquirers to kick the proverbial tires of their potential targets. Cyber diligence questionnaires are only a starting point. Face-to-face meetings are needed for follow up and to serve as a basis for additional information requests.
Next, on-site testing and analysis should be conducted when appropriate. That typically includes penetration testing and vulnerability assessments, subject to appropriate safeguards and permissions.
Overall, acquirers should conduct an in-depth review of the target’s overall cybersecurity program and policies. They should also assess the target’s internal and external threat monitoring systems and programs. Further, if the deal involves merging IT networks, systems integration risks need to be assessed.
Focusing on third parties with access to the target’s network or sensitive information, the acquirer needs to find out what sort of diligence process and protections are in place at the target. Several of the largest retail breaches involved data compromises through vulnerabilities accessed by vendors.
Acquirers should also review the target’s internal employee cyber training protocols. In addition, the target’s cybersecurity insurance should be vetted, including a close look at policy definitions, sub-limits, and coverage terms.
While these steps are far from exhaustive, they provide a solid starting point to understand the complexities and risks inherent in M&A cyber diligence, especially as these risks continue to increase and threats persist and evolve faster than our ability to detect and eradicate them.
Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP and chair of the firm’s privacy and data security practice.