Several months ago in Brussels, the European Commission finished hammering out its sweeping General Data Protection legislation, slated to go into full effect starting in May of 2018. The legislation is designed to provide strong and uniform data privacy protections for individuals within the European Union as well as for any of their personal data exported outside of Europe.
Just as the commission’s work was being finalized, a major American pharmaceutical company decided to expand the footprint of its field sales staff onto the Continent by acquiring a technology business there. (Under ISF rules, the pharmaceutical company, a member of our organization, cannot be identified here.)
In theory, the acquired firm’s mobile applications would enable its U.S. owners to quickly deploy a mobile sales force, allowing its field representatives to transmit orders for patient medications remotely from essentially anywhere in Europe.
What the pharmaceutical company failed to realize, or at least didn’t take into account, was that the company it acquired had, in fact, been created through a series of earlier acquisitions. Its cyber architecture, instead of being uniform and visible, was actually a patchwork of legacy systems. None of those legacy systems would be able to satisfy the security requirements growing out of the emerging legislation’s protections for personally identifiable information of European citizens – particularly for any information related to a person’s health, such as their drug prescriptions. Failure to provide the Commission with convincing assurances of security would trigger heavy fines and injunctions.
As a result, the value that the American drug company thought it was receiving was essentially lost. In its zeal to acquire the European firm, it hadn’t gone to the trouble of looking behind the seller’s cyber curtain. And the oversight, which ultimately required a near-complete rebuild of the acquired company’s network, came at a huge and unexpected cost.
Results of a failure to adequately perform cyber security assessments in the run-up to a business acquisition can take other forms as well. For example, if the value of a company resides in its customer information, its proprietary research, or in the financial data it retains, that value can largely vanish if an intruder gains access to it. A competitor getting hold of a rival company’s product roadmap, personnel files, or marketing plans could generate a huge disruption. Beyond that, if an acquisition target has been hacked, integrating its compromised data files into those of the acquiring firm can expose both to malicious software, property theft, or blackmail.
A Few Floppy Disks
As recently as the 1990s, mergers and acquisitions focused on traditional financial metrics, and the merger process looked very different in terms of data security. Back then, of course, it was practically all done on paper, maybe with a few floppy disks. You would box them up, store them in a room, lock it, make sure only one person had a key, and off you went.
Today it isn’t that simple. Because everyone relies so much on cloud and digital storage, you don’t necessarily know where the information resides, and you don’t necessarily know who has access to it. So all the standard security measures which an enterprise has put in place for its daily workings assume greater significance when it gets into an M&A discovery and negotiation period.
How you safeguard critical information that’s at the heart of the deal – while at the same time providing access to it for legitimate third parties like your lawyer or accountant – rises to a whole new level of importance. During that period, it falls to the CFO to make sure the right information ends up in the right places and doesn’t fall into the wrong hands. It’s a job that’s become much more complex now that essentially everyone has moved online and third parties come in and manage information in their own ways.
Traditionally, toward the tail end of the deal process, a company would call in its IT people. Their views – which are typically only sought on a narrow range of technology issues – are not generally pivotal to the negotiations. However, in the world of information assets, it isn’t just about technology. Cybersecurity is too often thought of as something IT people do. But it’s more than that, and it affects everyone in the organization. So let me offer four recommendations:
Finally, for many companies, the greatest value resides in their data files, not their tangible assets. Assessing the security of that data and evaluating the risk of it becoming exposed to unwelcome intruders is fundamental to evaluating the firm’s worth in a merger or acquisition.
Steve Durbin is managing director of the Information Security Forum (ISF).