Several months ago in Brussels, the European Union finished hammering out its sweeping General Data Protection Regulation (GDPR), slated to go into full effect in May 2018. The regulation is designed to provide strong and uniform data privacy protections for individuals within the European Union, and to follow their personal data when it is exported outside of Europe.
Just as the commission’s work was being finalized, a major American pharmaceutical company decided to expand the footprint of its field sales staff onto the Continent by acquiring a technology business there. (Under ISF rules, the pharmaceutical company, a member of our organization, cannot be identified here.)
In theory, the acquired firm’s mobile applications would enable its U.S. owners to quickly deploy a mobile sales force, allowing its field representatives to transmit orders for patient medications remotely from essentially anywhere in Europe.
What the pharmaceutical company failed to realize, or at least didn’t take into account, was that the company it acquired had, in fact, been created through a series of earlier acquisitions. Its IT architecture, instead of being uniform and visible, was actually a patchwork of legacy systems. None of those legacy systems would be able to satisfy the security requirements growing out of the new regulation’s protections for the personal data of people in the EU – particularly for any information related to a person’s health, such as their drug prescriptions, which the regulation treats as a special category of data. Failure to demonstrate adequate security to the data protection authorities would expose the company to heavy fines and enforcement orders.
As a result, the value that the American drug company thought it was receiving was essentially lost. In its zeal to acquire the European firm, it hadn’t gone to the trouble of looking behind the seller’s cyber curtain. And the oversight, which ultimately required a near-complete rebuild of the acquired company’s network, came at a huge and unexpected cost.
A failure to adequately perform cyber security assessments in the run-up to a business acquisition can have other consequences as well. For example, if the value of a company resides in its customer information, its proprietary research, or the financial data it retains, that value can largely vanish if an intruder gains access to it. A competitor getting hold of a rival company’s product roadmap, personnel files, or marketing plans could cause a huge disruption. Beyond that, if an acquisition target has already been hacked, integrating its compromised systems and data into those of the acquiring firm can expose both to malware, intellectual property theft, or extortion.
A Few Floppy Disks
As recently as the 1990s, mergers and acquisitions focused on traditional financial metrics, and the merger process looked very different in terms of data security. Back then, of course, it was practically all done on paper, maybe with a few floppy disks. You would box them up, store them in a room, lock it, make sure only one person had a key, and off you went.
Today it isn’t that simple. Because everyone relies so much on cloud and digital storage, you don’t necessarily know where the information resides, and you don’t necessarily know who has access to it. So all the standard security measures which an enterprise has put in place for its daily workings assume greater significance when it gets into an M&A discovery and negotiation period.
How you safeguard critical information that’s at the heart of the deal – while at the same time providing access to it for legitimate third parties like your lawyer or accountant – rises to a whole new level of importance. During that period, it falls to the CFO to make sure the right information ends up in the right places and doesn’t fall into the wrong hands. It’s a job that has become much more complex now that essentially everyone has moved online, and now that third parties come in and manage information in their own ways.
Traditionally, toward the tail end of the deal process, a company would call in its IT people. Their views – which are typically only sought on a narrow range of technology issues – are not generally pivotal to the negotiations. However, in the world of information assets, it isn’t just about technology. Cybersecurity is too often thought of as something IT people do. But it’s more than that, and it affects everyone in the organization. So let me offer four recommendations:
- Hire a specialist. Preparing a company’s risk profile is a specialist task, not a do-it-yourself activity. For one thing, in-house IT departments are typically short-staffed and have their hands full keeping up with the company’s day-to-day business. Second, they typically don’t have the objective, independent perspective you need when you’re making a decision. So I strongly recommend leaning on outside experts to do that work for you. Typically, it’s the bankers who are brokering the deal or the parties’ law firms who engage the specialists, and, of course, their fee is passed through as part of the deal cost.
- Examine mobility. The specialists should determine the target company’s approach to accessing information from remote locations, whether on the move or from a remote office. The way that it’s done can create an unacceptable level of exposure for a company’s network, including its most sensitive files. Critical information is constantly being shared across networks and devices, and there’s risk whenever it’s in transit.
- Manage third parties. It’s crucial to scrutinize third parties, particularly those providing data storage and transmission services. Among the questions that need to be answered are: How does the acquisition candidate manage third parties? What information is being shared with them? And how? Knowing the answers to such questions is critical because third parties often unintentionally create routes to information loss or cyberattack.
- Safeguard the crown jewels. CFOs need to understand whether the organization has a clear idea of what its risk profile actually looks like and how that profile relates to its mission-critical assets – the ones any buyer would prize most. When you buy a company you’re buying intellectual property as well as infrastructure. But before you sign onto the deal, it’s essential to understand how those cyber assets are being protected.
Finally, for many companies, the greatest value resides in their data, not their tangible assets. Assessing the security of that data and evaluating the risk of it becoming exposed to unwelcome intruders is fundamental to evaluating the firm’s worth in a merger or acquisition.
Steve Durbin is managing director of the Information Security Forum (ISF).