Cyber Caveat Emptor
For years, many of us have advised companies to include cyber-security risk assessments in their M&A due diligence. Yawn.
Verizon helped move the needle a bit when, in late 2016, months before closing its acquisition of Yahoo, it learned that, several years earlier, the company had suffered two of the largest breaches of personal data on the planet (some 1.5 billion accounts as disclosed at the time; Yahoo later said all 3 billion of its accounts had been affected). Since it was late in the game, there were two options: back out or shave the purchase price. In 2017 Verizon reduced its $4.8 billion bid for Yahoo by $350 million, which may not have been enough. After closing, Yahoo, as a subsidiary of Verizon, was embroiled in a class action lawsuit brought by the victims of the breaches, which dragged on for years until the company negotiated a $117.5 million settlement that received final court approval in 2020.
Even so, Verizon may have gotten off easy. The theft of user information is not to be taken lightly, but it can pale in comparison to the impact of the exfiltration of valuable R&D data, intellectual property, and confidential and strategic information. When the crown jewels are stolen, the value of a company can decrease precipitously; so can its market share. This high-value data is what cyber criminals and nation states are now targeting. Unfortunately, this is also the information that often is not well managed and protected or included in data inventories.
In a 2017 report, “Cyber Due Diligence: Protecting M&A Value,” Grant Thornton smartly advised readers, “When you buy a company, you buy its data. And you take responsibility for its data security—past, present and future.” Thus, the acquirer also needs to determine whether the target entity has been breached and, if so, what occurred, what data may have been stolen or disclosed, the impact of the incident, and whether there is the potential for litigation, regulatory action, reputational harm, or loss of customers or market share as a result.
Ransomware attacks are fast becoming the cyber pandemic. As I noted in last month’s article, they have evolved from just encrypting data to exfiltrating, corrupting, and zeroing it out. Even if a company has been hit by ransomware and its systems are backed up and operational, it may not know whether any critical data were exfiltrated or whether that information is now being sold on the black market to nation states and willing buyers. A hard reality is that, if a company is on the market or about to enter it and has a cyber attack, it may not want to dig too hard to find out what happened.
Cyber attacks today are so sophisticated and difficult to detect that many companies are unaware they have suffered one, and those that are aware may not understand its actual impact. Nation-state sponsored attacks are particularly difficult to detect. Microsoft’s 2020 “Digital Defense Report” indicates that the two most targeted countries for nation-state sponsored attacks are the United States and the United Kingdom. Together, they accounted for 85% of the attacks detected by Microsoft, which largely came from Russia, Iran, China and North Korea. The six most targeted industry sectors (in order, highest to lowest) are nongovernmental organizations, professional services, government, international organizations, IT firms, and higher education.
Do Your Due Diligence
Today, cyber due diligence is so important that it should be one of the first activities undertaken in a transaction.
First, one needs to find out the maturity of the IT infrastructure and systems and the cyber-security program. Poorly architected systems, out-of-support software and hardware, and weak cyber-security programs create vulnerabilities. An M&A due diligence engagement that my company was involved in resulted in a recommendation that $250 million to $300 million be trimmed off the acquisition price just to upgrade the hardware and software and close gaps and deficiencies in the cyber-security program.
Second, the due diligence should focus on what data the organization has, whether data stores have been inventoried and classified, how they are protected, whether data owners have been assigned, and whether security policies and procedures are enforced. Information is the lifeblood of any organization today, but it is often the most neglected and overused asset. High-value data and data subject to privacy laws and compliance requirements can be a valuable asset or a looming liability.
Buyers need to conduct a serious review of the target’s cyber-security program, with an eye out for red flags. Depending on how forthcoming the target company is, this may be a straightforward process, or it may require some forensic investigation assistance.
Agents and brokers need to assist their clients in understanding the value of representation and warranty (R&W) insurance in protecting against cyber risks associated with M&A transactions. A recent article by Jeffrey Meagher and Jennifer Thiem of K&L Gates points out that some buyers (1) may want a representation or warranty that the company’s cyber-security program meets best practices and standards and (2) may ask that cyber R&Ws be treated as “fundamental” R&Ws so they have a six-year coverage period, which may be longer than the seller’s indemnification period. Most R&W insurance does not exclude cyber, and underwriting can be based on the seller’s incident history and cyber coverage as well as the buyer’s due diligence. Mike Rossi, founder of Insurance Law Group, observed, “An aware broker can also assist in the purchase of a tail to the target’s cyber insurance policy.” The broker has the opportunity to improve the protection by negotiating coverage enhancements to the cyber policy, which would broaden the coverage provided by the tail, he says. Rossi further noted, “Cyber insurers are more than willing to grant policy wording requests that can greatly expand the coverage afforded by a cyber policy, even in this hardening market, but you have to know what wording changes to request.”
Start your M&A cyber check with these basics:
- Review system architecture, including firewalls, network segmentation, and security configuration settings.
- Identify third-party vendors used, including cloud and managed service providers, and review the vendor risk management and governance processes that cover them.
- Check log retention and analysis; retained logs should cover at least one year, because intrusions are often discovered long after they begin and short retention leaves nothing to investigate.
- Check access controls, whether multifactor authentication and password management solutions are deployed, and how remote access is provided (for example, via VPN) and whether it requires multifactor authentication.
- Check for monitoring software and anomaly detection to help spot insider threats.
- Review reports from cyber-security tools and managed security service providers.
- Determine whether all hardware and software are current on patches and within vendor support; out-of-support systems no longer receive security fixes and should be priced into the deal.
- If software development is performed, review the system development lifecycle and secure coding practices.
- Review privacy and information security policies and procedures against best practices and standards; review available risk assessments.
- Review inventories of data and applications; see if critical apps and data are identified (especially IP, R&D, and high-value content).
- Check email security and if an email security service or tool is utilized to scan and filter email.
- Analyze business processes and controls against privacy policies.
- Assess adequacy of security training and qualifications of internal personnel.
- Determine whether any hands-on system checks or forensic work (a compromise assessment) are needed to examine systems for malware or indicators of compromise.