Managing cybersecurity in M&A transactions: How to mitigate risk through due diligence

September 30, 2022 | Sara Josselyn, David Krebs

As companies have become increasingly technology-driven in recent years, a target’s cybersecurity posture has become a key focal point in the diligence process. The COVID-19 pandemic has made this concern particularly acute: notwithstanding that an increasingly large number of people have returned to the office in recent months, there remains a sizeable remote workforce in many sectors. Combined with the rise of motivated cybercriminals and the ever-increasing value and importance of data, there is an undeniable requirement to place additional focus and resources on cybersecurity due diligence during M&A transactions, from both a technical security perspective and a legal perspective.

Why is cybersecurity due diligence important?

It is imperative that a purchaser of assets or shares in another organization know what is “under the hood” when it comes to IT infrastructure and associated cybersecurity risk. Not only does IT due diligence help identify where the main risks lie, but it is also an essential aspect of valuating a business and identifying how best to proceed with post-acquisition integration.

Ransomware, phishing attacks and other social engineering tactics are becoming increasingly prevalent and have a deep-reaching impact when they strike, posing tangible and oftentimes very material risks – from both an economic and reputational perspective – to purchasers, third party creditors and financing entities. The impact of the deficiencies may not become apparent until well after a deal closes.

Cyber and privacy risks are real and can have a massive bottom-line impact. In connection with Verizon’s acquisition of Yahoo! in 2017, Yahoo!’s disclosure of pre-existing security breaches resulted in a whopping $350M reduction of the purchase price for that deal. More recently, the UK’s data protection authority, ICO, levied very material fines on Marriott Hotels on account of breaches of the European General Data Protection Regulation (GDPR) relating to the target’s pre-acquisition’s security controls and Marriott’s failure to conduct proper diligence and remediate the issues.

While these are notable and well-known cases affecting large multinationals, cyber and privacy risks do not discriminate based on size or sector. We are regularly involved in proactively identifying these risks and managing them during the diligence process, and our crisis management and incident response practice is also regularly involved in breaches where diligence or vulnerability remediation failed in third-party transactions.

While the degree of cybersecurity and privacy due diligence may vary depending on the target’s industry and the nature of its specific operations, IT and privacy due diligence is an integral part of every transaction and there are a number of ways in which a purchaser can assess a target’s overall cybersecurity posture. Below we have set out some key considerations which will enable a purchaser to both identify all applicable risks, as well as take the necessary steps to mitigate against cybersecurity and data privacy risks going forward.

How to mitigate cybersecurity and data privacy risks in M&A:

  1. Understand the Data. Understand the value of the target’s data, as well as the nature of the data and how the organization has classified it (such as personal, financial, health or other confidential information). Understand the data flows and processing activities; i.e., what data is collected, how much data is collected, and for what purposes.
  2. Data Protection. Ask how data is protected, both technically and organizationally, and query how the target is protecting personal information, intellectual property and other confidential information. Where does the data reside and will that be a problem post-transaction (such as storing personal health information in non-Canadian cloud services)? Is there appropriate training in place?
  3. Security Controls and Testing. Does the target have appropriate EDR (Endpoint Protection and Response) tools in place? Is the IT infrastructure vulnerable by design? Are systems no longer supported/end-of-life? Investigate whether testing and monitoring are in place. Are vulnerability scans and penetration tests conducted regularly?
  4. Target Organization. Are there indications that executive management and Board oversight is lacking? Is there sufficient accountability for both security and privacy considerations? Query whether there are inherent risks arising from the nature of the target’s workforce, distribution of IT assets, or legacy systems (including in respect of past M&A activity).
  5. Privacy Law Considerations. Identify and assess all relevant privacy legislation that currently applies, or that will apply, to the target post-acquisition. Does the organization have processes and standards in place to run a meaningful privacy program?
  6. Supply Chain Management. Consider the vendor landscape. How robust are third-party vendors relating to security and privacy compliance? What contracts are in place and are they appropriate? Are there any known issues relating to cybersecurity incidents at any of the target’s vendors? Conducting an OSINT (Open Source Intelligence) assessment can have tremendous value in assessing exposure to third-party risks. Contracts and agreements with third parties should be reviewed to identify mutual obligations related to cyber risks or breaches.
  7. Existence of Past Security Breaches. Ask whether the target has experienced any data security incidents or data breaches. Query whether the Target has systems in place to identify, assess and report data security incidents. Does the organization have a defined, tested and fully implemented Incident Response (IR) program and the resources to execute on it? Does the target have a retainer in place for IR services or breach coaching?

Cybersecurity risks are a reality but, much like any other risks, they are manageable with the right approach and attention. Communication and information sharing with commercially focused due diligence and technical IT review is also crucial in understanding the overall risk profile in this area.

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.