M&A and cybersecurity – top nine ways to mitigate risk through due diligence

October 28, 2020 | Michael Caruso, Sara Josselyn, David Krebs

The authors would like to acknowledge the contribution of Iain Paterson, Chief Executive Officer at Cycura, a global team of leading cybersecurity experts headquartered in Toronto, Ontario.

While the COVID-19 pandemic[1] is by no means over, increasing M&A activity and other significant commercial transactions are a sign that economic activity is on the rise. But are the legal considerations during the due diligence process the same in the midst of the pandemic, or have they changed over the course of 2020? While COVID-19 has impacted most aspects of the due diligence process to some degree, the landscape as it relates to vetting cybersecurity and data privacy risk has evolved considerably. A sizeable remote workforce in many sectors, combined with the rise of motivated cybercriminals and the ever-increasing value and importance of data, has led to an undeniable requirement to place additional focus and resources on cybersecurity and data privacy due diligence. This includes both the technical and legal aspects of cybersecurity and data privacy, and the reciprocal impact of both considerations. In this short article, we wanted to share our view on the “Top Nine Ways” a purchaser can mitigate cybersecurity and data privacy risks in M&A due diligence.

It is imperative that a purchaser of assets or shares in another organization know what is “under the hood” when it comes to IT infrastructure and associated cybersecurity risk. Not only does IT due diligence help identify where the main risks lie, but it is also an essential aspect of valuating a business, and identifying how best to proceed with post-acquisition integration. Ransomware, phishing attacks, and other social engineering tactics are on a significant rise and have a deep-reaching impact when they strike, posing a tangible and oftentimes very material risk for purchasers, third party creditors and financing entities. Consequently, IT due diligence is an integral part of a transaction’s risk assessment, no matter the size or breadth of the target organization and, for the most part, irrespective of the sector at issue.

Notably, when conducting due diligence, it is also important for the purchaser to consider the requirements of the Personal Information Protection & Electronic Documents Act (Canada), provincial privacy legislation and applicable laws in foreign jurisdictions relating to personal information shared during the due diligence process. This includes being clear in deal documentation about the purposes for which, and to whom, data is being shared, as well as whether such data will be retained or deleted.

Here are our 2020 “Top Nine Ways” to Mitigate  Cybersecurity and Data Privacy Risks in M&A:

  1. Understand the Data. Understand the value of the target’s data, as well as the nature of the data and how the organization has classified it (such as personal, financial, health or other confidential information). Understand the data flows and processing activities; i.e., what data is collected, how much data is collected, and for what purposes.
  2. Data Protection. Ask how data is protected, both technically and organizationally, and query how the target is protecting personal information, intellectual property and other confidential information. Where does the data reside and will that be a problem post-transaction (such as storing personal health information in non-Canadian cloud services)?
  3. Cybersecurity Posture. Consider the maturity and sophistication of the target’s cybersecurity program. Is it appropriate for the volume and sensitivity of the data? This assessment should include a review of whether cyber insurance policies are in place and whether they are sufficiently robust.
  4. Testing. Investigate whether the target has properly tested its controls. For example, has it conducted thorough technical assessments such as Penetration Tests or “red team” exercises?
  5. Target Organization. Query whether there are inherent risks arising from the nature of the target’s workforce, distribution of IT assets, or legacy systems (including in respect of past M&A activity). Many organizations suffer from “Shadow IT” and undocumented systems that do not have proper ownership, business alignment and maintenance. For many organizations, the shift to employees working from home leads to an increase in insider threat behaviour, both intentional and unintentional. How does the target manage such risk and what programs are in place to identify insider threats?
  6. Privacy Law Considerations. Identify and assess all relevant privacy legislation that currently applies, or that will apply, to the target post-acquisition. Does only Canadian law apply[2], or is the target subject to the European General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”), for example? Are current privacy policies and data protection standards compliant? If not, what are the risks? Does the organization have processes and standards in place to run a meaningful privacy program?
  7. Third Party Vendors. Consider the vendor landscape. How robust are third party vendors relating to security and privacy compliance? What contracts are in place and are they appropriate? Are there any known issues relating to cybersecurity incidents at any of the target’s vendors? Conducting an OSINT (Open Source Intelligence) assessment can have tremendous value in assessing exposure to third party risks. Contracts and agreements with third parties should be reviewed to identify mutual obligations related to cyber risks or breaches.
  8. Existence of Past Security Breaches. Ask whether the target has experienced any data security incidents or data breaches. Query whether the target has systems in place to identify, assess, and report data security incidents. Does the organization have a defined, tested and fully implemented Incident Response (IR) Program and the resources to execute on it? Does the target have a retainer in place for IR services or breach coaching?
  9. Programmatic Governance and Training. Last but not least, ask whether the target trains its staff. If so, determine whether the training is mandatory and how often it is updated to address current risks. How is the effectiveness of this training measured? Who is responsible for the overarching program?

Cybersecurity risks are a reality but, much like any other risks, they are manageable with the right approach and attention. Communication and information sharing with commercially focused due diligence and technical IT review is also crucial in understanding the overall risk profile in this area.


[1] See our previous blog article, entitled Privacy and cybersecurity during COVID-19 – Tips for Canadian organizations

[2] See previous blog article, entitled Data Breaches, GDPR Fines, and Transborder Transfers – the Challenges of Assessing Cybersecurity and Privacy Risk

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.