This article was written by Gonca Caliskan, associate

Background

Acquiring a company means taking on its digital operations and acquiring its past present and future data security problems. This means an effective cybersecurity due diligence is essential as it may uncover a number of technical, financial and legal risks in the target which can affect the final terms of the acquisition agreement, the level of consideration the purchaser is willing to pay or, if the identified cyber issue is very serious, jeopardise the transaction itself.

Recent events have highlighted the importance of cyber security to the front of many businesses’ minds. The costs associated with cyber incidents often are severe and may include:

  • forensic and investigative activities
  • assessment and audit services
  • crisis management
  • notification of affected third parties
  • consumer class action or other litigation with customers, suppliers, or business partners
  • regulatory investigations and fines
  • business interruption or contingent business interruption losses
  • loss of reputation and goodwill. 

Cyber-crime is estimated to cost the UK £27 billion a year and the average cost to a large organisation of a data security breach is between £1.46 million and £3.14 million. Nonetheless the risk of cyber incidents are not always addressed in-depth or dealt with in deal due diligence.

The 2016/2017 National Crime Agency Report (“NCA Report”) outlined the real and immediate threat of cybercrime to UK businesses. According to the NCA Report, the UK has been hit recently by numerous high-level attacks which were serious enough to warrant National Cyber Security Centre involvement, and countless lower level ones. Recent examples of such high-level attacks are the WannaCry and Petya attacks.

These encrypting ransomware cyberattacks affected organisations and companies including NHS, Honda, Nissan, TNT Express and international law firm DLA Piper. Cyberattacks targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments from the affected companies. WannaCry and Petya demonstrated the vulnerability of many companies to such attacks and the severity of disruption it can cause to the operation of their respective business.

Other reasons for cyberattacks might include gaining access to a company’s trade secrets or intellectual property. For instance, a pharmaceutical company’s formula for a drug or a manufacturer’s product design. Customer information or employee data, from personally identifiable information, personal health information, or credit card details, to other confidential information such as, historical financial data and projections, customer lists, or corporate strategies.

Why now?

The current cyber threat trends are underpinned by the fact that most business are almost totally dependent on digital data and network systems. Virtually all companies communicate with their customers and suppliers through emails, social media, or websites and nearly all of the daily transactions of a company and all of its key records are created and saved in electronic form using internet connected devices, many of which lack adequate security. 

As the number of internet connected devices grows, the attack surface and number of devices that can be leveraged to launch attacks expands. The dependence on electronic systems in running a business combined with the increased use of internet connected devices creates significant potential vulnerabilities that can result in major harm to a target and its shareholders. Malicious software can be downloaded from the internet for free by almost anyone and then used to launch an attack and wreak havoc on a business' IT infrastructure.

Given the increased exposure to such cybersecurity breaches and digital infections, it is critical for a purchaser to gain as much information as possible on a potential target’s current cybersecurity posture and any historic attacks it might have suffered. As detailed above, such attacks may result in a wide range of losses.

What are the consequences on a M&A deal?

Serious cybersecurity breaches can jeopardize a deal’s anticipated value by reducing the value of the target’s assets, damaging its brand and derailing its growth prospects.

A good example to such devaluation is Yahoo’s acquisition by Verizon. After being subject to two massive cyber breaches in previous years, the acquisition offer was reduced by $350 million of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches.

According to a PWC survey, 63% of US CEOs are extremely concerned about cyber threats and consider it as one of the biggest treats to business growth. The 2017 Donnelley Financial Solutions/Mergermarket survey stated that 80% of global dealmakers have uncovered data security issues in at least one-fourth of their M&A targets in the previous two years.

Cybersecurity due diligence at an early stage of the M&A transactions is essential:

  • to determine the extent and effectiveness of the cyber defences the target has put in place to protect its data and intellectual property
  • to identify the target’s vulnerabilities in the event of a cybersecurity breach
  • to determine the potential of theft and cyber attracts
  • to assess the value of the target in light of the results of its assessment.

Issues with cybersecurity due diligence

Understanding and addressing cyber risks in connection with an acquisition is important for both purchasers and sellers. That, however, can be a difficult task. Cyber issues may be latent and the extent of potential damage often is difficult to quantify. The target might be unaware of a cyber intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. Many data breaches, for example, are not discovered for many months or years after their inception. Parties run the risk of closing a deal well before an attack is discovered. Plus determining the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise is very difficult. Similarly, assessing the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited is very complicated. 

Further, the current legal framework fails to address cybersecurity risks and issues effectively. There is no single set of mandatory cybersecurity rules with which companies must comply. Instead there are number of different laws, rules and regulations which apply depending on the context of the relevant incident and the nature of the organisation involved. The lack of clear set of rules makes it very difficult to assess a target’s current and historic cybersecurity posture.

Furthermore, the constantly advancing face of technology corresponds with the constantly evolving nature and variety of cyber-attacks.

Cybersecurity due diligence

Different companies have different requirements depending on their size, scope, geography or sector. Hence some transactions may only require a high-level enquiry, others may call for a thorough examination.

The main focus of cyber security due diligence is to identify and quantify the risks and liabilities in support of the deal and any subsequent integration of the target. It is designed to give a potential purchaser an understanding of any material exposure requiring action either pre or post-completion.

Possible cyber threats that might be discovered through effective cybersecurity due diligence may include:

  • an ongoing breach or attack
  • an unrevealed previous breach
  • a persistent intruder or vulnerability to its systems
  • a dirty, malware-ridden environment
  • inadequate security measures and corporate governance processes.

Cybersecurity due diligence might not uncover all potential cyber risks a target was or is exposed to, but it can provide a purchaser with:

  • a clearer picture of the target’s cyber vulnerabilities of those assets
  • whether the target has been adequately safeguarding and monitoring the control of those assets
  • any records of cyber incidents that may have resulted in compromises of those assets.

Knowing such facts, will enable the purchaser to take the necessary precautions and structure the acquisition agreement to mitigate the risks identified by making the required adjustment to the deal and the value of the target.

A successful cybersecurity due diligence process should raise relevant queries to get an understanding of, among others:

  • the target’s cyber-risk level
  • the nature, amount and value of the data assets being handled or held by the target
  • the nature of the target’s cybersecurity systems, networks and processes
  • the resiliency of such systems and networks to cyber incidents
  • the target's history of cyber-attacks and data breaches
  • the target's recovery plans in event of cyber-attack or data breach
  • if and how the target complies with regulatory standard and practices in the jurisdictions in which it operates
  • if such compliance adequately guards against industry-specific or other cyber threats
  • if the target's business relies on third parties to process, hold, transfer or otherwise manage information assets
  • what protection (indemnities) does the target have if the third party breaches its obligations
  • the target's internal processes to ensure that employees and senior management understand the business's cybersecurity risks and policies
  • the cost of addressing the above concerns
  • the impact of the above on the deal and pricing of the target
  • the impact of the above on the purchaser’s business, brand and reputation going forward. 

How to address the identified cyber security issues

If the threats and risks identified during the due diligence process are not so significant as to jeopardise the entire deal, it may be necessary to consider the inclusion of specific deal terms in response to the discovered issues, such as:

  • warranties warranties should be utilised to address any particular cyber risk or concerns identified during diligence
  • specific indemnities specific indemnity may be appropriate option if a particular cyber issue has been discovered which need to be remedied
  • closing conditions – completion condition allows the purchaser to walk away from the deal if an an identified problem has not been fixed and therefore provides the best protection for the purchaser
  • pre-closing covenants – pre-closing covenants could be included in relation to cybersecurity and the handling of data prior to completion.

Another option for dealing with uncovered cyber-risks is cyber insurance. Cyber insurance is very similar to warranty and indemnity insurance in that, that the level of cover (and the cost of any premium) is influenced by the thoroughness and quality of the due diligence exercise performed.

Conclusion

In light of the difficulties that cyber incidents can create, as observed in the WannaCry and Petya attacks or the Yahoo!/Verizon deal, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognized as essential to protecting an acquirer’s interests. Failing to evaluate cybersecurity risks in debt during M&A due diligence or limiting such due diligence to a company’s IT systems only means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them. Purchasers should also consider employing an outside, unbiased cyber team to test the external and internal protection and procedures of the target to gain true understanding of a target’s cyber posture.