[BreachExchange] The importance of cyber due diligence in M&A transactions

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 25 20:36:12 EST 2016


http://www.lexology.com/library/detail.aspx?g=24153ebd-af81-4826-ad35-06de9bad88ce

The number of M&A transactions in 2015 has hit record highs, with volumes
expected to increase by 11% from 2014, according to Bloomberg. Indeed, one
of the hottest areas for M&A activity has been cybersecurity companies,
with deals including AVG Technologies’ acquisition of Privax and Blue Coat
Systems’ acquisition of Perspecsys.

Cybersecurity is one of the top five business risks identified by major
corporates, particularly those in retail, health, and technology. Every
day, we read of a new data breach somewhere in the world.

In this environment, one would assume that buyers would undertake detailed
cyber due diligence as a matter of course. However, this does not seem to
be the case. Certainly, a survey on cybersecurity in M&A carried out by
Freshfields in 2014 indicated that 78% of respondents thought that
cybersecurity was not analysed in any detail in their deals. This is
despite the same respondents indicating that cybersecurity deficiencies
could derail a deal or adversely affect value.

Our experience is not dissimilar. Cybersecurity due diligence tends to be
undertaken by the in-house IT team of a buyer, if at all. The scope and
scale of the due diligence tends to be cursory and high level. The
representations and warranties in transaction documents covering
cybersecurity tend to be relatively high level and have, until recently,
tended to relate to past events – has the target suffered a data breach
that has been notified to a regulator or to customers? They may go as far
as asking for a warranty that the target has implemented reasonable
cybersecurity systems, processes and procedures having regard to the
industry that it is in. In very few cases, some sellers may be required to
warrant the likelihood of data breaches occurring after completion (or
recurring, if historic breaches have been disclosed) – but this seems to be
the exception rather than the rule.

The question is whether or not this is adequate in the current digital
environment. Would directors of the acquirer be derelict in their duties
if their company did no, or only limited, cyber due diligence? Could an
acquiring company afford not to undertake cyber due diligence if the target
controls or processes valuable data? What would the consequences be if
adequate due diligence had not been undertaken prior to the acquisition?

We know that the occurrence of a cybersecurity breach in the lead-up to an
acquisition is not unusual. In a well-known incident in January 2015,
Australian incumbent Telstra discovered after completing its acquisition
of pan-Asian network provider PacNet, that sometime after signature but
before completion, PacNet’s corporate IT systems had been compromised,
meaning it was likely customer information had been stolen. To its credit,
Telstra notified affected customers of the likely compromise as soon as it
became aware of the incident, so that they could take steps to protect
themselves.

Of course, there are situations in which it is difficult to carry out cyber
due diligence, particularly in a hostile or a competitive sale process.
But in many cases, acquirers are simply not taking enough steps to
understand the cybersecurity risks facing their targets, and how they might
address cyber-security issues post acquisition.

Why might cyber-security not be prioritized in a transaction?

A study carried out in 2014 by NERA Economic Consulting found that cyber
incidents do not appear to impact share prices significantly in the
medium to long term. And even where there is a drop, it often does not take
long for the share price to recover. The table on page 40 illustrates this.

Whether this trend will continue remains to be seen. But it certainly
appears that in recent history, the correlation between a cybersecurity
incident and the share price is weak, at least in relation to listed
companies for which the data is readily available.

Looking at some recent data, the share price of TalkTalk fell dramatically
after the data breach announced on 22 October, and has since been very
volatile. The fact that this was TalkTalk’s third data breach in 2015 may
have been a contributing factor. It is true that there seemed to be little
effect on TalkTalk’s share price in the months following the previous two
data breaches, in February and August.

THE SEVEN PILLARS OF CYBER RESILIENCE

GOVERN

Ensure that your governance bodies have taken the proper steps to ensure
that the organisation is cyber-resilient and to protect it against
cyber-risks and threats.

KNOW

Know the data you hold, the value of that data, and how well it is being
protected.

REVIEW

Review and test the adequacy of your cyber-resilience processes, procedures
and systems.

IMPROVE

Identify areas of weakness and improve your cyber-resilience processes,
procedures and systems.

PROTECT

Take steps to ensure that your organisation actually implements the
processes and procedures which have been established and improved.

RESPOND

Activate incident management plans immediately to address the situation.

RECOVER

Have plans and mechanisms in place to recover as swiftly as possible from a
cybersecurity incident and to draw key learnings from the incident.

What is the value of Cyber Due Diligence?

A good cyber due diligence report will take a holistic view (using, for
example, our 7 Pillars methodology set out above) of the target’s
cyber-resilience posture. This is important because cyber-resilience is not
just an IT issue; it is a business and a risk issue. The fact that an
organisation treats cyber-resilience just as an IT issue will tell you
something significant about its level of maturity. In our view, a good
cyber due diligence investigation should be carried out by business, legal
and technical advisers, to obtain a holistic view of the target’s overall
cyber-resilience.

Broadly speaking, a cyber due diligence should determine whether the
target has inadequate cyber-resilience protections. If the protections are
inadequate, it follows that there will be a reasonable likelihood that the
target’s systems may have been or will shortly be compromised. This is
important because:

- it allows the buyer to determine whether the valuation needs to be
  discounted for this risk. If, for example, the target is an intellectual
  property-rich company, and it is the intellectual property that is
  valuable, then one must consider the possibility that the intellectual
  property has been stolen, meaning that the target’s exclusivity or trade
  secrets may have been compromised;
- if the target processes credit card transactions and is not PCI-DSS
  compliant, then a buyer must factor in the possibility of significant
  fines from the card schemes, the risk of investigations and audits, and
  possibly a loss of the ability to process card payments until the
  situation is rectified;
- a buyer may also need to value the regulatory risk, customer compensation
  costs and the cost of remediation should there have been a data breach;
  and
- at the very least, the buyer knows it must prioritise a full and detailed
  cyber-resilience review and improvement program post-acquisition, and
  should perhaps discount the purchase price or obtain indemnities for the
  cost of doing so.

If, however, cyber due diligence indicates that the target has taken
reasonable and industry standard steps to ensure that it is
cyber-resilient, and there are no warning signs that would indicate that
the target may have been compromised, then the buyer can be confident that
there is no need to adjust valuations and can instead focus on normal
integration post-acquisition. In this instance, there is no necessary rush
to carry out a full and detailed cyber-resilience review and improvement
program. Of course, a buyer must recognise that a clean cyber due diligence
report cannot guarantee that the target’s systems have not been
compromised, so it is helpful to have a contingency plan in place.

A good cyber due diligence report will also enable the buyer to make
decisions (and potentially gain leverage) in relation to:

- seeking and obtaining appropriate warranties as to the target’s level of
  cyber-resilience;
- obtaining a specific cyber-security indemnity that sits outside the
  normal baskets and limits and covers the costs of investigation,
  remediation, regulatory action and customer compensation, should there be
  a cyber incident which has its origins in an act or omission of the
  target before completion;
- whether or not the occurrence of a cyber incident between signing and
  completion should be a material adverse change, entitling you to
  terminate the sale agreement, should you be undertaking a split signing
  and completion; and
- obtaining a warranty and indemnity (W&I) insurance policy, should the
  acquiring company or vendor be seeking to obtain one, as it is becoming
  increasingly difficult for underwriters to cover broad cyber-warranties
  that may extend to the adequacy or sufficiency of systems in place or
  indeed to future breaches, without an appropriate cyber due diligence
  exercise.

The latter point is of particular interest. Underwriters may not have had
particular issues with covering warranties in M&A transactions that
referred only to historic breaches. But as Andrew Graham, Vice-President of
the International Mergers and Acquisition Division at Allied World
Assurance Company informed the present authors:

“We do not see a great deal of specific due diligence done in
cybersecurity at present. I wonder whether this is because not all law
firms have the necessary expertise to advise appropriately on
cybersecurity issues. From an underwriter’s perspective on W&I deals, as
warranty protection around cybersecurity increases, we may find ourselves
in the position, on certain deals, that we will need to see targeted and
appropriate due diligence undertaken by the insured so that we can
adequately wrap up such risk within the scope of the W&I policy.”

Why should cyber due diligence be a focus in telecoms M&A?

Telecoms companies are not immune from cybersecurity issues. On the
contrary, they are perhaps more vulnerable to cyber-related threats, as
the TalkTalk incident shows. Perhaps more importantly, telecoms companies
are, in many cases, subject to a higher level of scrutiny by regulators due
to their unique position of operating the networks and services over which
a large proportion of internet data flows.

In Europe, providers of electronic communications services are typically
required to ensure that their services are secure (see EU Directive
2002/58/EC). They must also inform their national regulatory authority of
any personal data breach within 24 hours and, if the personal data or
privacy of a user is likely to be harmed, the user must also be informed
unless specifically identified technological measures have been taken to
protect the data. Many communications providers are also required to
retain data relating to communications over their networks (although the
extent to which this is required differs from country to country after a
series of judicial challenges to data retention laws). Requirements to
cooperate with law enforcement authorities can often mean that telecoms
companies have access to particularly sensitive stores of data that may
include telephone recordings, email records and details of other internet
communications and web traffic. But they must still comply with their data
protection and privacy obligations in respect of the data they handle.

For these reasons, there may be greater regulatory consequences in the
event that a telecoms industry target is affected by a cybersecurity
breach, and there will ordinarily need to be a high degree of maturity in
terms of the target’s cyber-resilience.

Conclusion

Cyber threats are here to stay. Organisations need to be vigilant in
ensuring that they are cyber-resilient and to take appropriate steps to do
so. They must do so within their own business operations, and also in
relation to businesses they acquire. Forewarned is, in the cyber world,
forearmed. And it is crucial to be forearmed in telecoms M&A.