The Need for Cyber Due Diligence in M&A Transactions
As technology continues to advance, allowing more companies to collect, share, and use data, privacy and cybersecurity due diligence in the M&A context becomes even more important. Unfortunately, acquirers often ask boilerplate questions about cybersecurity, privacy and data without tailoring them to the particular risks of the target company: its industry, the kinds of data it holds, and the systems and third parties that process that data.
A lack of due diligence in evaluating a target's cybersecurity controls and privacy obligations during the M&A process can result in a host of short-term and long-term problems. These may include data breaches or privacy complaints discovered after closing, loss of business revenue, higher cyber insurance premiums, underperforming stock value, and loss of consumer confidence.
Marriott, for instance, inherited a massive breach in its 2016 acquisition of Starwood: the Starwood reservation system had already been compromised, but the intrusion went undetected at the time of the merger and surfaced only later. In contrast, diligence that surfaces a breach before closing can give the acquirer leverage, as when Verizon reduced its purchase price for Yahoo by $350 million after significant data breaches came to light before the acquisition was finalized.
With security and data incidents so widespread and potentially damaging to an acquiring company's valuation and reputation, a target's cybersecurity vulnerabilities and privacy risks should be investigated as closely as its financial records within the M&A due diligence process.
Adequate due diligence requires a mix of legal and technical questions, including:
- Scrutinize internal and external vulnerability assessments, penetration test reports, and other security reports, and confirm that the findings were remediated and verified rather than merely accepted or deferred
- Consider whether the company has an information security and privacy program, whether that program has actually been implemented, and whether employees have been trained on it
- Depending on the risk, consider hiring an independent security firm to assess the information security program and identify gaps, rather than relying solely on the target's own representations
- Search the dark web for evidence that the target company’s data exists for sale
- Investigate whether the company has received regulatory inquiries or complaints regarding its data privacy practices
- Assess whether the company is subject to sector-specific data privacy and security laws or requirements, and review the applicable policies and compliance programs
- Analyze whether the company’s internal and external privacy policies are compliant with regulatory requirements and whether the company complies with the representations in these policies
- Ask what cyber risk mitigation and data retention policies are currently in place and whether these policies are audited
- Review any contractual privacy or security requirements or obligations, and consider whether the company meets these obligations
- Review contracts and SLAs for any vendors used by the company, and examine each vendor's access to the company's systems and its access to and use of company data
- Consider any legal restrictions on the use, sale, or transfer of data
- Ensure the company has adequate cyber insurance
- Investigate the company's process for identifying, investigating, and responding to data or security incidents. An organization that claims never to have suffered a security incident of any kind most likely lacks the detection and logging maturity to notice one, rather than having a spotless record.
Failing to conduct adequate due diligence for cybersecurity and privacy risks during the M&A process can harm the organization long after the deal is closed. Integration is the point of greatest exposure: once the target's networks, identities, and systems are connected to the acquirer's, any compromise already present in the target, whether undetected malware or an active intruder, extends into the acquirer's environment and can cause a breach or system failure there. Recognizing such risks before integration, not after, is the purpose of the diligence described above.