[BreachExchange] The importance of cyber due diligence in M&A transactions
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Feb 25 20:36:12 EST 2016
http://www.lexology.com/library/detail.aspx?g=24153ebd-af81-4826-ad35-06de9bad88ce
The number of M&A transactions in 2015 has hit record highs, with volumes
expected to increase by 11% from 2014, according to Bloomberg. Indeed, one
of the hottest areas for M&A activity has been cybersecurity companies,
with deals including AVG Technologies’ acquisition of Privax and Blue Coat
Systems’ acquisition of Perspecsys.
Cybersecurity is one of the top five business risks identified by major
corporates, particularly those in retail, health, and technology. Every
day, we read of a new data breach somewhere in the world.
In this environment, one would assume that buyers would undertake detailed
cyber due diligence as a matter of course. However, this does not seem to
be the case. Certainly, a survey on cybersecurity in M&A carried out by
Freshfields in 2014 indicated that 78% of respondents thought that
cybersecurity was not analysed in any detail in their deals. This is
despite the same respondents indicating that cybersecurity deficiencies
could derail a deal or adversely affect value.
Our experience is not dissimilar. Cybersecurity due diligence tends to be
undertaken by the in-house IT team of a buyer, if at all. The scope and
scale of the due diligence tends to be cursory and high level. The
representations and warranties in transaction documents covering
cybersecurity tend to be relatively high level and have, until recently,
tended to relate to past events – has the target suffered a data breach
that has been notified to a regulator or to customers? They may go as far
as asking for a warranty that the target has implemented reasonable
cybersecurity systems, processes and procedures having regard to the
industry that it is in. In very few cases, some sellers may be required to
warrant the likelihood of data breaches occurring after completion (or
recurring, if historic breaches have been disclosed) – but this seems to be
the exception rather than the rule.
The question is whether or not this is adequate in the current digital
environment. Would directors of the acquirer be derelict in their duties
if their company carried out no, or only limited, cyber due diligence?
Could an acquiring company afford not to undertake cyber due diligence if
the target controls or processes valuable data? What would the consequences
be if adequate due diligence had not been undertaken prior to the
acquisition?
We know that the occurrence of a cybersecurity breach in the lead-up to an
acquisition is not unusual. In a well-known incident in January 2015,
Australian incumbent Telstra discovered after completing its acquisition
of pan-Asian network provider PacNet, that sometime after signature but
before completion, PacNet’s corporate IT systems had been compromised,
meaning it was likely customer information had been stolen. To its credit,
Telstra notified affected customers of the likely compromise as soon as it
became aware of the incident, so that they could take steps to protect
themselves.
Of course, there are situations in which it is difficult to carry out cyber
due diligence, particularly in a hostile or a competitive sale process.
But in many cases, acquirers are simply not taking enough steps to
understand the cybersecurity risks facing their targets, and how they might
address cyber-security issues post acquisition.
Why might cyber-security not be prioritized in a transaction?
A study carried out in 2014 by NERA Economic Consulting found that cyber
incidents do not appear to impact share prices significantly in the
medium to long term. And even where there is a drop, it often does not take
long for the share price to recover. The table on page 40 illustrates this.
Whether this trend will continue remains to be seen. But it certainly
appears that in recent history, the correlation between a cybersecurity
incident and the share price is weak, at least in relation to listed
companies for which the data is readily available.
Looking at some recent data, the share price of TalkTalk fell dramatically
after the data breach announced on 22 October 2015, and has since been very
volatile. The fact that this was TalkTalk’s third data breach in 2015 may
have been a contributing factor. By contrast, there seemed to be little
effect on TalkTalk’s share price in the months following the previous two
data breaches, in February and August of that year.
THE SEVEN PILLARS OF CYBER RESILIENCE
GOVERN
Ensure that your governance bodies have taken the proper steps to make
the organisation cyber-resilient and to protect it against cyber-risks
and threats.
KNOW
Know the data you hold, the value of that data, and how well it is being
protected.
REVIEW
Review and test the adequacy of your cyber-resilience processes, procedures
and systems.
IMPROVE
Identify areas of weakness and improve your cyber-resilience processes,
procedures and systems.
PROTECT
Take steps to ensure that your organisation actually implements the
processes and procedures which have been established and improved.
RESPOND
Activate incident management plans immediately to address the situation.
RECOVER
Have plans and mechanisms in place to recover as swiftly as possible from a
cybersecurity incident and to draw key learnings from the incident.
What is the value of Cyber Due Diligence?
A good cyber due diligence report will take a holistic view (using, for
example, our Seven Pillars methodology set out above) of the target’s
cyber-resilience posture. This is important because cyber-resilience is not just an IT
issue, it is a business and a risk issue. The fact that an organisation
treats cyber-resilience just as an IT issue will tell you something
significant about its level of maturity. In our view, a good cyber due
diligence investigation should be carried out by business, legal and
technical advisers, to obtain a holistic view of the target’s overall
cyber-resilience.
Broadly speaking, a cyber due diligence should determine whether the
target has inadequate cyber-resilience protections. If the protections are
inadequate, it follows that there will be a reasonable likelihood that the
target’s systems may have been or will shortly be compromised. This is
important because:
it allows the buyer to determine whether the valuation needs to be
discounted for this risk. If, for example, the target is an intellectual
property-rich company, and it is the intellectual property that is
valuable, then one must consider the possibility that the intellectual
property has been stolen, meaning that the target’s exclusivity or trade
secrets may have been compromised;
if the target processes credit card transactions and is not PCI-DSS
compliant, then a buyer must factor in the possibility of significant
fines from the card schemes, the risk of investigations and audits, and
possibly a loss of the ability to process card payments until the situation
is rectified;
a buyer may also need to value the regulatory risk, customer compensation
costs and the cost of remediation should there have been a data breach; and
at the very least, the buyer knows it must prioritise a full and detailed
cyber-resilience review and improvement program post-acquisition, and
should perhaps discount the purchase price or obtain indemnities for the
cost of doing so.
If, however, cyber due diligence indicates that the target has taken
reasonable and industry standard steps to ensure that it is
cyber-resilient, and there are no warning signs that would indicate that
the target may have been compromised, then the buyer can be confident that
there is no need to adjust valuations and can instead focus on normal
integration post-acquisition. In this instance, there is no necessary rush
to carry out a full and detailed cyber-resilience review and improvement
program. Of course, a buyer must recognise that a clean cyber due diligence
report cannot guarantee that the target’s systems have not been
compromised, so it is helpful to have a contingency plan in place.
A good cyber due diligence report will also enable the buyer to make
decisions (and potentially gain leverage) in relation to:
seeking and obtaining appropriate warranties as to the target’s level of
cyber-resilience;
obtaining a specific cyber-security indemnity that sits outside the normal
baskets and limits and covers the costs of investigation, remediation,
regulatory action and customer compensation, should there be a cyber
incident, which has its origins in an act or omission of the target
before completion;
whether or not the occurrence of a cyber incident between signing and
completion should constitute a material adverse change, entitling the buyer
to terminate the sale agreement, where the deal has a split signing and
completion; and
obtaining a warranty and indemnity (W&I) insurance policy, should the
acquiring company or vendor be seeking to obtain one, as it is becoming
increasingly difficult for underwriters to cover broad cyber-warranties
that may extend to the adequacy or sufficiency of systems in place or
indeed to future breaches, without an appropriate cyber due diligence
exercise.
The latter point is of particular interest. Underwriters may not have had
particular issues with covering warranties in M&A transactions that
referred only to historic breaches. But as Andrew Graham, Vice-President of
the International Mergers and Acquisition Division at Allied World
Assurance Company informed the present authors:
“We do not see a great deal of specific due diligence done in
cybersecurity at present. I wonder whether this is because not all law
firms have the necessary expertise to advise appropriately on
cybersecurity issues. From an underwriter’s perspective on W&I deals, as
warranty protection around cybersecurity increases, we may find ourselves
in the position, on certain deals, that we will need to see targeted and
appropriate due diligence undertaken by the insured so that we can
adequately wrap up such risk within the scope of the W&I policy.”
The table referred to above is available in the original article at the URL given at the top of this message.
Why should cyber due diligence be a focus in telecoms M&A?
Telecoms companies are not immune from cybersecurity issues. On the
contrary, they are perhaps more vulnerable to cyber-related threats, as
the TalkTalk incident shows. Perhaps more importantly, telecoms companies
are, in many cases, subject to a higher level of scrutiny by regulators due
to their unique position of operating the networks and services over which
a large proportion of internet data flows.
In Europe, providers of electronic communications services are typically
required to ensure that their services are secure (see EU Directive
2002/58/EC). They must also inform their national regulatory authority of
any personal data breach within 24 hours and, if the personal data or
privacy of a subscriber or user is likely to be harmed, the affected
subscribers or users must also be informed, unless specifically identified
technological measures have been taken to protect the data. Many
communications providers are also required to retain data
relating to communications over their networks (although the extent to
which this is required differs from country to country after a series of
judicial challenges to data retention laws). Requirements to cooperate
with law enforcement authorities can often mean that telecoms companies
have access to particularly sensitive stores of data that may include
telephone recordings, email records and details of other internet
communications and web traffic. But they must still comply with their data
protection and privacy obligations in respect of the data they handle.
For these reasons, there may be greater regulatory consequences in the
event that a telecoms industry target is affected by a cybersecurity
breach, and there will ordinarily need to be a high degree of maturity in
terms of the target’s cyber-resilience.
Conclusion
Cyber threats are here to stay. Organisations need to be vigilant in
ensuring that they are cyber-resilient and to take appropriate steps to do
so. They must do so within their own business operations, and also in
relation to businesses they acquire. Forewarned is, in the cyber world,
forearmed. And it is crucial to be forearmed in telecoms M&A.
More information about the BreachExchange mailing list