Check under the hood: make it part of your due diligence process
Failure to assess cyber risks can lead to litigation and a depreciated value of the acquisition.
You have acquired a competitor to help your business grow by accessing new customers and technology. However, you learn shortly afterwards the target company had a major data breach that it didn’t disclose to bidders.
This scenario is not hypothetical. It describes what occurred with the Yahoo! – Verizon deal. As a result of the breach, Yahoo! is now facing multi-year litigation, damage to its reputation and the real possibility that Verizon will walk away from the transaction.
Little wonder businesses now require detailed cybersecurity due diligence before the completion of a deal.
There are inherent risks when acquiring a business and it’s the buyer’s responsibility to ensure the level of risk is known and acceptable. Failure to do so will expose issues and liabilities later that diminish the value of the acquired business and require significant resources to fix.
Identifying cybersecurity risks during a strategic acquisition is essential. The longer a company takes to detect and contain a data breach, the higher its costs. In fact, recent results from a Ponemon Institute and IBM study in June confirmed breaches identified in less than 100 days cost companies an average of $3.23 million, while breaches discovered after 100 days cost companies an additional $1.15 million.
Common issues resulting from a breach include:
- Business continuity
- Legal liability, including litigation
- Regulator investigation and enforcement action
- Failure to meet contractual obligations
- Loss of critical data (such as intellectual property, trade secrets)
- Reputational harm
- Inconvenience to customers
- Expenses related to recovering the data
- Loss of revenue
- Covering the bases
When considering a strategic acquisition, include the following baseline elements in your cybersecurity due diligence:
Initial identification at the engagement stage. Identify the target’s key processes and systems. Aim to authenticate key assets, major threats and potential vulnerabilities. Ensure the target is aware of its operational risks rather than relying on the target’s assurances made in good faith.
Assess target’s security measures. Have the target complete due diligence questionnaires based on recognized standards (NIST, ISO 27001) to determine what security controls are in place to protect critical business data. The findings will help determine if the target has a crisis management plan, approved by senior management in place, and whether employees have been effectively trained to respond to potential cyber attacks.
Tailoring diligence. After reviewing the information obtained from the initial risk assessments, tailor and focus due diligence efforts accordingly. You’ll have a better idea about what has been going on, the industry it will be operating in, and how important information security is to the target.
Engage cybersecurity experts. Many parties involved in transactions likely don’t possess the technical skills necessary to thoroughly assess risks. Experts conduct on-site testing and assess the suitability of the programs in place to manage underlying data risks. They’ll also ascertain costs and consequences of any potential vulnerabilities identified during the engagement stage. The findings will help shape the transaction accordingly.
Setup a risk oversight team. Consider establishing a cybersecurity risk oversight team. Regularly brief the team on cyber-risks uncovered during the diligence process and inform key stakeholders. The team liaises with the target to ensure security measures are comprehensive and oversees the integration process to ensure the buyer’s network is not put at risk.
Check the past. When purchasing a company, you’re directly acquiring its past, present, and future data security problems. Ask the target about past cybersecurity incidents and any pending litigation or investigations by regulators. If the target has suffered numerous cyber incidents leading up to the transaction, security hasn’t been a priority. This also signals that the target’s business secrets may have been compromised.
Assessing cyber insurance. To what extent are cyber risks mitigated by insurance coverage, including whether enhancements to the cyber program may be available post-closing? Most policies cover data breaches and the expenses involved in complying with notification laws.
Given the accelerated pace businesses are digitizing operations and assets, the importance of cybersecurity must not be underestimated. Including it in the due diligence process ensures acceptable risks are mitigated and all parties are satisfied with the outcome of the transaction.
Imran Ahmad is a partner specializing in cybersecurity law at Miller Thomson LLP in Toronto. Gary Volman is a business law associate at Miller Thomson LLP.