Managing cyber-security risks in M&A
July 2014 | TALKINGPOINT | MERGERS & ACQUISITIONS
financierworldwide.com
FW moderates a discussion on cyber-security risks in M&A between Adam Pang, a director at Merrill DataSite, David Stanton, a partner at Pillsbury Winthrop Shaw Pittman LLP, and Timothy J. Nagle, counsel at Reed Smith LLP.
FW: Broadly speaking, how would you characterise cyber security risks in the context of M&A? Do dealmakers pay enough attention to this issue, in your opinion?
Pang: The dealmakers we engage with never underestimate the importance of securing their data, because they know the value of it and the power it holds when it falls into the wrong hands. The risks are based around competitors gaining advantage through information; accessing personal and customer data; and during the due diligence phase of a M&A transaction, all financial, commercial and operational data has to be disclosed, so there’s an inherent vulnerability associated with that. This is why dealmakers, in our experience, pay close attention to the issue of security.
Stanton: Cybersecurity is emerging as one of the most pressing concerns among the spectrum of risks presented by the loosely governed and complicated data infrastructures prevalent in today’s corporate enterprises. In the context of M&A deals, these data governance and control issues become exacerbated. All too often, organisations do not know their own data systems and contents well enough to appropriately anticipate and monitor potential attack vectors or to quantify and prioritise the risks these systems present. Moreover, corporations that are targets for acquisition may be under financial pressure, making appropriate attention to the emerging risks of cyber security unlikely. The lack of visibility into data systems and the lack of control over data flows within an organisation will confound the risk assessments of an acquiring entity, since the challenges of tracking, identifying and preventing cyber incidents are even more difficult to ascertain from the outside. Lawyers entrusted with the execution of an acquisition may not be technologically sophisticated or aware of the existential risk that cyber incidents can present to organisations large and small. Recent large-scale attacks and the notoriety they have gained may be increasing awareness of these issues, but understanding how best to address them requires specialised expertise that may be lacking among the dealmakers.
Nagle: The cyber, data security and privacy considerations during a transaction arise in three phases. First, the pre deal due diligence and how the seller can make sufficient sensitive – corporate and personal – information available to bidders and buyers while protecting it adequately. Second, evaluation by the prospective purchaser of the state of security and privacy – for instance, protection of corporate data assets – at the target company and any representations it has made to customers or regulators in those areas as part of the due diligence process. Third and finally, the transition phase where data is being transferred or exchanged, or the networks of the two companies are being integrated while continuing to support corporate operations. The importance of data – either intellectual property or customer information – as a corporate asset of the target entity will drive the attention that is given to the security and protection of that data. An online or consumer company will have significant amounts of personal information about its customers which represent both an obligation of the company – to protect it per the privacy policy – and an opportunity for the use of data analytics in marketing, developing new products or services or engaging partners. And a company that is either dependent on the integrity and availability of its online presence or the sanctity of its intellectual property is only as valuable as the extent to which these have been protected. The need to carefully value the intellectual property portfolio of a company, and ensure its protection, is well-established. The similar need regarding the company’s data is just beginning to be understood. An example of this is the public offering of Facebook shares. Much, if not all, of the value was in the data and its use. But there was significant uncertainty, as reflected in the stock price, as to whether and how that value could be realised. While the financial analysts who are conducting the due diligence are becoming more focused on data as an asset of the target firm, the investment bankers who are working through the process and getting the deal done are not as focused on the issue. Their focus is on execution. They want to conduct due diligence, or make the data available to a buyer for that purpose. They want to do it as quickly and easily as possible and provide it to as many people as possible. Limits on sharing or the means of doing so for the purpose of protecting the information are hindrances to the goal. They need to be reminded of the need to protect sensitive data – proprietary or personal – and provided with the most efficient means of accomplishing that.
FW: What specific types of cyber security risks are often connected with the M&A process? How have these risks evolved and changed in recent years?
Stanton: Some risks originate within the acquisition target in an M&A deal through loose or ineffective data security. Another species of cyber risk originates with the deal itself. Transacting parties possess valuable inside information and gain access to a company’s most sensitive corporate documents. Exposure of this material during negotiations and due diligence to unauthorised access can present liability hazards for all involved. Historically, the assessment of cyber risk has grown more important over time. It has shifted from a cursory assessment and predominately contractual matter, to an area of probing factual inquiry, requiring significant attention, scrutiny and care before a deal closes. Formerly, many of the risks associated with the exposure of insider information or with the potential for unauthorised access to company data could be shifted with contractual provisions and liability insurance. Today, however, this threat can be nearly existential, and requires direct triage and assessment as part of the due diligence process itself. Attacks have become more intentional, more organised, more targeted and more disruptive, and cyber hackers and activists have moved far beyond the annoyance of viruses and denial-of-service attacks to the deliberate theft of valuable information assets. Such attacks pinpoint a company’s important IP, its customer lists, know-how and growth strategies – anything that can be exploited or sold for profit. These targeted incidents can cripple an organisation, disrupt productivity, or deflate goodwill and customer confidence. Thus, the risks in this area can materially undermine the viability of the transaction or the value of the acquisition target and impact the central benefits and reasons for the deal to proceed.
Nagle: The two risks that arise through the process are the expanded sharing of sensitive corporate information due to the involvement of parties – bankers, attorneys, auditors, bidders – with whom the company might not otherwise interact, and the need to integrate the data and networks of the companies involved in the transaction. The increased exposure of data is exacerbated by the distributed and highly mobile set of devices that the parties and their agents now use. For example, bankers may not be at their desks but need to see sensitive deal information on their tablets or smartphones – devices which are not usually encrypted. While it is possible to use project code names and remove information which identifies the parties, there is still a significant amount of sensitive business information that is shared over systems that are not under the control of the technology staffs. And, unless the principals – buyer and seller – have regular relationships with the outside parties, for example, auditors, and have either assessed the security of their networks or have obtained representations regarding security, then the sensitive information is being sent to networks of uncertain integrity. The issue of integrating networks during the post closing transistion phase is similar to any other technology challenge. But the network of the target company may be functioning to unsatisfactory standards, have different architecture, operating systems and applications, and be open to unknown third parties. Over the transition period, these networks and their data must be combined or integrated, and rationalised into one functioning entity in a secure fashion while continuously supporting operations. That is like performing a heart transplant on someone running a marathon with a greater risk of infection.
Pang: Threats are coming from an ever increasing range of sources, including, but not limited to, individuals, organised crime networks, competitors, hactivists, employees or contractors, and even nation states. The old methods of preventing leaks, by limiting your ‘inner circle’, are no longer sufficient. Modern, sophisticated and highly targeted computer hacking means businesses need to do everything possible to mitigate risk. The resilience of third parties, when it comes to issues of data protection, has become as important as reviewing one’s own internal security standards. Not very long ago, and it still happens in some instances, companies engaging in a M&A project would have created a paper based data room to share documentation and files during the due diligence process. The physical security of the room was therefore paramount, as potential buyers would travel to the room, book into the secured unit – one at a time – manually go through the information and make return visits if required. Taking this process online has resolved the obvious flaws and drawbacks in having a paper data room, but it created other challenges – cyber security being first among them. Those capable of breaching online security have become greater in number and more sophisticated in terms of ability, using methods, such as APTs, network-travelling worms, Trojan horses, phishing and social engineering.
“Lawyers entrusted with the execution of an acquisition may not be technologically sophisticated or aware of the existential risk that cyber incidents can present to organisations large and small.”
FW: Prior to a close, firms must thoroughly assess the cyber security risk of their desired target. What particular issues should acquirers consider when conducting cyber due diligence on a potential target company?
Nagle: One question that should be asked is whether the target company has cyber risk insurance? Generally, as part of the underwriting process, the insurer will have a third party assess the security practices and standards of the company. Firms should review the corporate information security policy, privacy policy and website privacy policy. Are they up to date and consistent with current industry practice? If not, that may give some indication of the overall cyber security readiness of the company. Firms must also determine whether any audits, inspections or formal actions have been initiated or conducted by regulators or state attorneys general? Has the company conducted an internal audit or assessment or retained a vendor to conduct one? If credit card information is involved, is the company PCI compliant? Even if the target company has conducted assessments of its network, it may be prudent for the purchaser to arrange for an independent review, especially if the company has a significant online presence. Firms must ascertain what third parties are critical to the functioning of the company or process, store, or collect significant proprietary or personal information on behalf of the target company. What contract provisions govern such relationships and is there a vendor management or assessment program in place at the target company? Finally, how active is executive management and the board of directors in cyber security and privacy issues? And is there a chief information security officer and chief privacy officer?
Pang: A thorough assessment of the IT infrastructure of a target organisation is always advisable. IT processes, operating systems, documentation, risk assessment, security standards and previous breaches of security should all be reviewed during the due diligence phase. Neglecting to do this upfront and then discovering something after deal-close can cost the acquiring company both time and money to rectify – not the ideal thing to be doing in a post-merger situation when resources are better spent integrating the two entities. It’s also important to discuss the issues thoroughly with the incumbent expert in charge – the person responsible for the systems and processes securing the business. For practical reasons, it can be useful for these discussions to take place over time, as and when questions or issues arise during due diligence. High-quality virtual data rooms have Q&A functionality that enable questions to be directed to key departments, such as IT, and to have the experts in charge answer, with all responses tracked for future reference.
Stanton: Criteria assessing cyber risk depend in large measure upon the type of organisation and data systems involved, and should be tailored appropriately. The maturation of the organisation’s information governance systems should be assessed, including the existence of metrics, procedures and tools to effectively measure, monitor and validate physical, logical and network security concerns. The prevalence of uncategorised ‘dark’ data, outside governance mechanisms, should be determined, and the sufficiency of the control procedures and processes weighed in light of the organisation’s risk profile. Outsourcing arrangements and third-parties with access to the organisations data should be catalogued and evaluated for security concerns. Cultural factors also play an important part in this. Individual employee practices should be determined, since the human factor presents distinct cyber vulnerabilities to any organisation. In an environment where the acquired entity’s personnel have not been expected to comply with robust security protocols, this lax cultural milieu can present issues when they are hired into the acquiring company, and bring their old habits with them. Likewise, the attempt to enforce dramatically new, more rigorous security protocols upon the acquired employees can adversely impact their productivity and morale during integration of the two organisations. This is an area of some technical expertise, and a due diligence cyber security audit will likely require non-lawyer technical expertise to conduct.
FW: Corporate transactions necessarily involve a multitude of professional advisers and financiers. How does transferring sensitive data between such individuals open up the process to cyber risk? In what ways can this risk be managed and mitigated?
Pang: The first and most obvious point to make is that we would never advise transferring data – particularly sensitive data – via email between parties involved in an M&A transaction, as this is rife with security risks. It’s wrong to assume email is a secure medium for communication, because it’s not. Servers can be accessed, emails cloned, or simply forwarded by accident without malicious intent. File sharing platforms also need to be assessed carefully to ensure they’re fit for purpose. There have been very recent examples where sensitive and personal data has been made openly and publicly available, not because someone hacked it and exposed it, but because functionality created a loophole. The best course of action is to assess and select a secure virtual data room solution, in which multiple parties can concurrently view information within a protected online environment, built for the purpose of managing confidential data.
Stanton: Insider trading risks have expanded through cyber threats beyond the actual participants to include those seeking to obtain unauthorised access to inside information, the transmission and exchange of information among these parties present opportunities for data to be accessed and exploited. Virtual data rooms are widely used and should be encouraged. In some cases, a return to physical, hard-copy datarooms may actually provide the best defence. At a minimum, the parties involved should be subject to confidentiality agreements, whereby they attest to having met an expected level of data security protections within their respective organisations, and agree to abide by suitable practices with respect to deal documentation and communications. Participant awareness and training is critical, and conducting all-hands cyber-security training at the onset of a deal is worthwhile.
Nagle: If the security and privacy practices of these advisers are unknown to the principals, any engagement documents should include some representations regarding data privacy and security in addition to the standard nondisclosure terms. Those partners are agents of the principals and should be required to comply with certain standards during and after the transaction. Any problems will ultimately be the responsibility of the principals.
FW: What kinds of technology are available to keep sensitive documents private and secure during the transaction process? Where does the future of this technology lie?
Stanton: Virtual data rooms remain viable alternatives for centralising and tracking access to transaction documents, but robust security in these environments is critical. Physical and logical controls at the server locations, strong passwords, SSL encrypted transmission, document watermarks and data access audit trails are essential. ISO information security certification is desirable as well. On the other hand, generic file sharing sites such as Dropbox, Google Docs and the like are not sufficiently secure and should be avoided. Technology is not, however, the only answer. Training and education are also critical components.
Nagle: To the extent possible, all paper or electronic documents should remain within the physical and technical control of the seller, as related to the due diligence phase, or the parties, for deal documents. This is frequently not feasible given the variety and number of advisors and auditors. Technology such as virtual ‘reading rooms’ which are accessible from the Internet but require authentication provide security, accountability and an ability to monitor access. There are also means of ‘tagging’ the most sensitive documents to ensure they are not distributed or to account for their location. The challenge will be to maintain some level of technical control in the mobile environment. One consideration may be to issue devices that have been configured with security features such as encryption to the members of the deal team that will have the greatest access to highly sensitive documents. Once the deal is complete, the devices can be returned, wiped and reused for future deals.
Pang: It’s important to recognise though that people are just as important as technology when it comes to the issue of cyber security. You can’t afford to be complacent in this area – all our employees, for example, undergo extensive background checks and must sign stringent NDAs. To meet the security standards required to guarantee a system is being operated securely, ISO/IEC 27001:2005 for instance, over 200 internal security protocols need to be in place and it’s these that significantly reduce the security risks associated any technology being used. In our experience, the future of this technology lies in securing mobile devices and tablets; investment is heavily focussed in this area to balance convenience with iron-clad security.
“We would never advise transferring data – particularly sensitive data – via email between parties involved in an M&A transaction, as this is rife with security risks.”
FW: Monitoring information access can help guide the negotiation process as well as highlight suspicious activity connected with a deal. What systems and processes can firms put in place to gain such benefits?
Nagle: There are no technologies that are specific or unique to the M&A context. Rather, existing network security, monitoring and access management tools should be in place to provide the level of security commensurate with the sensitivity of the data that is being accessed.
Pang: We use real-time reporting capabilities, which means the sell-side teams engaged in a project can at any moment see which individual has accessed exactly what information down to page-level, as well as when they looked at it and for exactly how long. This gives them advantage in that any suspicious activity would send up red flags without delay. It also importantly means that in a deal negotiation it’s easy to see who is seriously interested in the asset based on what data has been review and how much time has been spent looking at it. There really isn’t a better way of monitoring suspicious activity and progressing deal negotiations to get the best end valuation.
Stanton: Most virtual data room platforms established in the M&A context provide robust audit trail capabilities, whereby all document views can be tracked and monitored. Secure passwords and dual-level encryption, particularly with physical random number keys, will deter unauthorised users from accessing a site with a stolen or borrowed password. Access controls and locked doors for physical data rooms should be aligned with a key-card tracking system to monitor people going in and out. Data also should be appropriately segmented, so that only those who actually require access are provided the ability to obtain or view highly sensitive materials.
FW: Could you outline some of the key legal and regulatory developments on cyber security that have unfolded in the last year or so? Will these have an impact on the M&A process going forward?
Pang: State governments have increasingly taken a more active role in reviewing cyber security issues within the private sector. This activity is leading to new regulatory requirements throughout the industry – this includes an increase in regulatory compliance obligations on how networks are secured, particularly in heavily regulated industries, increased involvement by law enforcement, and an expansion of disclosure obligations with respect to cyber security incidents. In the UK, the FSA now has specific guidelines and suggested good practices, which an organisation should consider as part of their information management processes. Additional obligations apply to specific sectors, such as telecoms, which are now required to report breaches to authorities and in some cases, individuals too. The financial sector must control and organise their data more responsibly and effectively than ever before, with adequate risk-management systems in place, including taking appropriate steps to protect themselves against cyber attack. As this is an ever evolving process, it will be increasingly important for companies to regularly review these guidelines to make sure they are compliant with the latest legal framework, along with their chosen partners.
Stanton: The SEC’s cyber risk disclosure requirement, the FTC’s scrutiny of hacking incidents and privacy breaches, the publicity of cyber incidents under HIPPA regulations and by state attorneys general, and the activist plaintiff’s bar are all encouraging greater care, and a more detailed and nuanced assessment of cyber risk in and outside the M&A context.
Nagle: The highly regulated industries – financial services, health care, energy – have cyber security requirements in place which will continue to develop. Other industries, for example online retail, telecommunications, government contractors, will begin to experience more stringent cyber security controls as government initiatives such as the NIST Framework process continue to unfold, or as significant events such as the Target data breach occur. At some point, companies in any industry and of any size will be asked about their practices by customers, insurance companies and boards of directors. Another forcing function is the recent initiatives by the Securities and Exchange Commission (SEC), extending cyber security regulation to financial services firms that have not been impacted such as investment managers, funds, and broker dealers; and requiring more substantive disclosures in public filings by all publicly-held companies.
“At some point, companies in any industry and of any size will be asked about their practices by customers, insurance companies and boards of directors.”
FW: What final advice can you offer to acquirers and vendors on managing and mitigating cyber risk during the M&A process?
Stanton: Engage legal counsel familiar with cyber issues and risks. Engage outside experts as needed to conduct inspections and audits. Explore cyber insurance, since coverage under traditional policies may not cover cyber incidents. Quantify the risks. It is always worthwhile to establish through audits and due diligence inquiries what kinds of risks are present, where the vectors of attack are most likely, what systems may be impacted and how prepared the target organisation is to respond. But also, actually put a dollar amount on those risks and weigh this with the probability of these adverse events occurring. This kind of bottom-line assessment helps the parties to appropriately price the acquisition and to budget for the remedial steps that will be necessary during the integration of the acquired company into its new parent. Finally, educate, educate, educate. The prevalence of cyber incidents is growing faster than our awareness and responsiveness to them. Members of the deal team should be well-trained and warned of the risks of cyber attack, and best practices during the deal process should be enforced culturally and contractually.
Nagle: Data and intellectual property are corporate assets which impact the valuation of a company. Privacy practices and data security standards are essential elements of any corporate governance structure. And cyber security risks – from the malicious outsider to the well intentioned but misguided insider who opens a suspicious email – are present in all industries. Consider these assets, practices and risks as you would any other element of the M&A process. You must be able to say that you have considered and accounted for these issues in your process.
Pang: Typically a merger or acquisition follows six specific phases – preparation; engagement, selection and appointment of external advisors; initial approaches; preparation of information about the business; financing terms of the transaction; and completion. During preparation, it’s wise to limit the number of people brought into the ‘inner circle’. Then information and process flows can be mapped out, current working practices reviewed and a third party data room provider appointed. Think about how diaries and meetings are planned and communicated, and then consider your social media profile to limit the likelihood of ‘spear phishing’. When engaging advisers, establish a shared principal of governance, think about due diligence procedures and put in place an incident plan. At the point of initial approaches, consider the risk profile of the sector and country, and any local regulatory norms. Then consider what information you will provide and how you will share that with the parties involved in the transaction. Limit the number of people receiving information and obtain the relevant approvals, before disclosure. It’s also a good idea to have confidentiality agreements with all parties in place before sharing any data, then continuously monitor who accesses information and when – ideally through a real-time report available in premier VDR solutions. Also, consider whether some information can be kept offline and whether the information requested is beyond market practice. If acquiring a business, it is now common practice to carry out diligence on the organisations cyber security measures and past records on how it dealt with any previous issues. Finally, upon completion continue to monitor information relating to the transaction, transfer funds securely and be conscious that your organisation may be at increased risk of cyber-attack. It is time to consider reviewing and strengthening security policies across the new organisation and how the combined entities will manage information, it’s possible, for example, to continue to use a VDR for secure post-integration purposes.
Adam Pang is a director at Merrill DataSite. Mr Pang joined the firm in June 2006. He has over 13 years of experience in financial and information solutions management, working both in London and Hong Kong. Based in the London office, Mr Pang is focused on driving the International sales effort in the UK and Emerging Markets. He can be contacted on + 44 (0)20 7422 6268 or by email: adam.pang@merrillcorp.com.
David L. Stanton is a partner in the litigation practice of Pillsbury Winthrop Shaw Pittman LLP. He leads the firm’s nationally recognised Information Law and Electronic Discovery group, oversees the firm’s nationwide Litigation Support department, and is a member of Pillsbury’s Privacy, Data Security & Information Use group. Mr Stanton is also a member of the firm’s Professional Responsibility Committee and serves as Pillsbury’s executive partner for Anti-Bribery/Anti-Corruption Compliance. Mr Stanton can be contacted on +1 (213) 488 727 or by email: david.stanton@pillsburylaw.com.
Timothy J. Nagle is a counsel at Reed Smith LLP and a member of Reed Smith’s Data Security, Privacy & Management practice group. His most recent experience prior to joining the firm is as in house counsel with a global financial services firm where he supported security, privacy and technology executives., With a broad background in security and privacy across government and industry, Mr Nagle supports clients in the areas of government contracts, financial services, energy and health care regulatory matters. He can be contacted on +1 (202) 414 9225 or by email: tnagle@reedsmith.com.
© Financier Worldwide
THE PANELLISTS
Merrill DataSite
Pillsbury Winthrop Shaw Pittman LLP
Reed Smith LLP