In structuring strategic transactions, business and legal professionals rightly focus on areas that have the potential to increase transaction costs and result in legacy liabilities, such as product liability, environmental and employment and labor matters. It would be problematic to negotiate a transaction without taking these specific matters into account in the overall transaction as they are likely to significantly impact the valuation, documentation and implementation of the transaction. However, the same level of attention and focus has not historically been placed on due diligence relating to cybersecurity. It is not only prudent but necessary to review cybersecurity in connection with all aspects of a potential transaction, as cybersecurity, including data protection and privacy, is a foundational part of every business.
There are numerous real-world examples of cybersecurity issues becoming front page news, including phishing and hacking scams, data breaches, and third parties accessing internal networks, monitoring emails or obtaining personally identifiable information. The costs can be staggering and, in an M&A context, can result in large write-offs (e.g., Marriott is facing a currently undetermined liability, which has been estimated to be more than $500 million, to fix a preacquisition breach by Starwood). While news reporting is often limited to incidents occurring at large multinational corporations, cybersecurity impacts all businesses. According to the 2019 Cost of a Data Breach Report by IBM Security and the Ponemon Institute, the risk of a company having a cyber event within the next two years is 29.2% and the average cost of such an event in the United States is $8.2 million. Moreover, small and medium-sized businesses are the subject of approximately 67% of such breaches.
With the increase in the likelihood and severity of such incidents, it has become critical to assess cybersecurity as part of the due diligence process for any strategic transaction. On the buy-side, any issues that are uncovered in cybersecurity due diligence may impact valuation and may indicate whether there are issues to be addressed in the transaction documents or in connection with integration of the businesses. On the sell-side, a target should be prepared to provide information regarding its standard policies and procedures with respect to cybersecurity as well as to review any known breaches or attacks.
We recommend a holistic review of a target’s business when performing cybersecurity due diligence for a strategic transaction, including the following:
• Business Evaluation. Understanding a company’s cybersecurity starts with understanding the systems that support the company’s business, including how technology is used in the products and/or services provided by the company. As an initial step, we recommend reviewing, from an operational perspective, how the target company uses technology, including a review of the various groups that are involved in supporting the company’s technology (customers, clients, vendors, employees, etc.) and how the company currently addresses cybersecurity risks. For example, a review of the company’s policies and procedures relating to cybersecurity should also address how the policies are implemented, whether the policies are followed, and how employees are trained on cybersecurity. In addition, we would suggest reviewing the company’s plans for business continuity and management of cybersecurity risks. Conducting a review of the current cybersecurity policies, procedures and protocols provides a framework for the due diligence review.
• Technical Evaluation. After the overview of the target’s business has been provided, a more detailed technical review should be performed to assess how the company’s networks and systems are performing. This technical review should include a review of all types of devices that are used by the company, including phones, printers, security cameras, etc., as well as the data protection and information containment controls for such devices. In addition, we would suggest that vendors used by the target company also be reviewed to understand each vendor’s security controls.
• Regulatory & Compliance Evaluation. Regulatory and compliance evaluations review the laws and regulations that apply to a particular business and whether the level of cybersecurity controls is sufficient in light of such laws and regulations. For example, a company that regularly handles information that is covered under the Health Insurance Portability and Accountability Act should have additional procedures in place regarding such information. Similarly, there are additional requirements for entities that are government contractors, and a regulatory and compliance evaluation would determine whether the company is currently in compliance with those requirements and whether it is taking adequate steps to anticipate new legal and compliance standards (e.g., the Department of Defense has a new cybersecurity certification process that will become effective in June 2020). Many states also have data protection laws (e.g., California, Nevada and New York have enacted legislation relating to data protection) and new ones are being enacted. The failure of a target company to comply with legal and regulatory requirements could result in liabilities for the acquiror or the surviving entity following the closing of a strategic transaction.
• Transaction Documents. Once the review of the target company’s current cybersecurity situation has been completed, any issues that have arisen may be addressed in the transaction documents. The target will be expected to make representations and warranties regarding cybersecurity. However, there are a number of other potential ways in which cybersecurity may be addressed in the transaction documents. For example, if incidents of non-compliance have been identified, then the acquiror may seek to include a specific indemnification obligation in the acquisition agreement with respect to any losses that arise as a result of the target’s past incidents. Alternatively, in a transaction that is structured with a delay between signing and closing, an acquiror could seek to include a covenant requiring that the target take certain specific actions to rectify such incidents.
• Integration Considerations. Finally, an area that is often overlooked is how the target business may impact the existing business of the acquiror post-closing, including what integration steps will be taken with respect to cybersecurity. Vulnerabilities in cybersecurity often arise from a gap within a system of extensive controls. The process of combining multiple operations and integrating systems creates a potential for gaps. In addition, integrating systems, policies, contracts, employees and vendors of different companies requires expertise, which internal teams may not have. There is also the potential that the combined entity will be subject to different laws and regulations than the stand-alone businesses and may need to meet additional cybersecurity standards as a result of the strategic transaction. We suggest identifying cybersecurity integration challenges as early as possible in a strategic transaction—ideally, these matters would be addressed in connection with the initial due diligence review of the target.
As companies embrace digital technology, including analytics, big data and AI, the volume of sensitive data maintained will grow dramatically. Business and legal professionals will need to devote considerable time and attention to data protection and privacy. In recognizing that poor cybersecurity has the potential to cause extensive disruption to business operations, we recommend that all companies consider how they might protect themselves. A business’s attention to cybersecurity may be seen as a competitive advantage as cybersecurity due diligence becomes the new normal.