Cyber risks in M&A


Financier Worldwide Magazine

December 2016 Issue

December 2016 Issue

For companies embarking upon an M&A deal, there are countless obstacles and issues to meticulously plan for and overcome if the transaction is to be a success and if the newly merged company is to be prosperous. One of these issues, which companies must get to grips with, is cyber risk.

A look at some of the most high profile – and damaging – cyber breaches to emerge in the last few years reveals the importance companies should attach to mitigating cyber risks. From Sony to Ashley Madison and from Target to TalkTalk, companies of all shapes and sizes find themselves the victim of an expensive, damaging and hugely embarrassing breach.

Corporate agenda

Given the frequency with which firms suffer the ignominy of a cyber breach, the arrival of data privacy and cyber security at the top of the corporate agenda cannot come soon enough. Companies are storing more and more data about their products, staff and customers, and the integrity of that data has become paramount. Accordingly, companies must do all they can to protect their data. In the context of M&A, lax controls can imperil the whole deal. “Transactions are normally conducted under strict confidentiality terms, where a breach of security could also amount to a breach of contract if the affected party is unable to demonstrate that it has taken appropriate organisational and procedural steps to protect its information systems,” points out Stewart James, a partner at Ashfords LLP.

In September, Yahoo, hot on the heels of its announced acquisition by Verizon, revealed it had suffered what could be the biggest data breach in history. At the time of writing, the deal reportedly hangs in the balance.

The size of a company subject to cyber attack makes very little difference. Though we have seen giants like Yahoo breached, smaller companies are also in a perilous position. “One major risk companies should look out for during M&A are hacks on the smaller company as it merges with a larger organisation. Often companies that are being acquired have less security infrastructure, making them an easy target, and can potentially lead to a breach of the acquiring company’s systems,” says Michael Bruemmer, vice president of Experian Data Breach Resolution.

Irrespective of the size of the companies involved, as Yahoo may be about to find out, the value of any deal can drop sharply if, after the deal is finalised, disclosure of a past or ongoing data breach surfaces. Potential buyers need to sufficiently investigate the cyber health and safety of the target company before acquiring it. One of the most worrying aspects of a breach is the timescales involved in determining whether data has been compromised, as Melissa Sawyer, a partner at Sullivan & Cromwell LLP, notes. “Recent data breaches show that it can take months – or even years, in Yahoo’s case – for companies to uncover and report breaches. Even when a company does not have a history of known breaches, the growing number and sophistication of cyber attacks means that no company is immune to cyber risks. The apocalyptic scenario for a buyer would be to merge a target into the buyer’s systems and, in so doing, infect the buyer’s entire platform with a hidden vulnerability,” she adds.

For those in the M&A profession, the Yahoo scenario highlights not only the importance of resolute cyber security protocols but also the issue of cyber risks in transactions. Without detailed knowledge of what they are buying, acquirers could be taking on a ticking time bomb. Cyber security is a multi-headed beast, and there are a wide variety of breaches that companies, if they do not do their homework, could inherit. Arguably, the worst possible breach – the ongoing breach – may result in the acquirer also being plundered of sensitive data and high-value intellectual property.

A prior breach that the acquirer failed to identify can be hugely embarrassing. It is possible, if not probable, that valuable data may have been compromised. Furthermore, the perpetrator could still have access to the company’s network.

Due diligence

In light of these different forms of cyber risk, it is imperative that acquirers know exactly what they are buying. It is here that the importance of due diligence procedures becomes clear. While a deal may look attractive on the surface, underlying risk can change the picture. The extent of the seller’s cyber weakness may turn a good deal into a bad one. Yet information security has rarely been part of M&A due diligence. Going forward, this has to change and cyber due diligence must become an integral part of any deal. “In light of the recent £400,000 fine imposed on TalkTalk by the ICO, due diligence exercises should consider the quality of the organisational and procedural steps taken by the target to protect the personal data it holds and to identify whether there have been any breaches,” notes Mr James. “The due diligence exercise should also consider whether it would be appropriate to conduct a forensic review of the target’s ICT systems to identify the presence of any advanced persistent threats.”

Without detailed knowledge of what they are buying, acquirers could be taking on a ticking time bomb.

However, the process cannot be done merely for the sake of completion. “The lesson is that cyber diligence must not be a check-the-box effort; it must be rigorous and detailed,” says Emilian Papadopoulos, president of Good Harbor Security Risk Management. “In the lead-up to a $4.8bn acquisition, Verizon didn’t know that Yahoo had suffered the largest breach ever of personal data, over 500 million records. I have seen other companies make an acquisition and then go looking for the target’s cyber security programme, only to find there isn’t one.”

According to Mr Bruemmer, thorough due diligence will help the acquiring firm determine how the target has previously prepared for and responded to a breach, as well as the extent to which it has attempted to protect its data and its assets. “A thorough audit of security practices will allow the acquirer to understand the data the company they are buying has stored and the security controls that are in place to protect it,” he says. “While a company may have an incident response plan in place, the acquiring company should request documentation that the plan is being activated correctly and regularly updated. Companies can look for third-party vendor audits, updated plans and proof of fire drills, among other things, to truly understand their risks.”

According to a recent report from AT&T, in the wake of a breach companies should utilise a cross-functional team and rely on all aspects of their internal infrastructure. The C-suite, IT, security, legal, communications and other teams should form a united and coordinated response. Failure to do so could demonstrate a lack of preparation when it comes to responding to a breach.

Though companies should do much more to ensure the safety and security of data and internal systems, it is impossible to eliminate the chance of suffering a breach. Despite internal programmes and education sessions, companies are always under threat from malicious actors. Dissatisfied employees who may have been overlooked or earmarked for redundancy, for example, may facilitate a cyber attack on their own terms. This type of behaviour is becoming more common. According to a recent study on managing insider risks by the Ponemon Institute, 55 percent of organisations have had a security incident or data breach due to a malicious or negligent employee.

For security professionals, the sheer scale of cyber breaches, although costly, has served to flag the deficiencies in existing security practices. Shawn Henry, chief security officer and president of CrowdStrike Services, believes that cyber attacks highlight the importance for organisations to deploy robust tools, processes, technologies and intelligence to protect their critical assets. “As a matter of cyber security hygiene, companies need to conduct a comprehensive assessment to identify the gaps in their security posture. This should involve examining the state of the network to ensure there are no intruders, ensuring there are advanced endpoint detection and response mechanisms in place in case breach prevention fails, and establishing proactive threat hunting to stop breaches holistically,” he says.

However, the task of reinforcing a company’s cyber prevention mechanisms is tough, given the widening cyber security skills gap. In a recent survey released by Tripwire, 75 percent of respondents said their organisations did not have enough security professionals to detect and respond to a data breach. A lack of trained cyber security and compliance professionals can be catastrophic, and though some companies may try leveraging even more technology to plug the gaps, this too may be inadequate in the long run. While the tech industry needs to address the cyber skills gap, companies themselves can do more on an individual basis to address the issue, such as developing new programmes to help recruit and retain cyber security professionals.

Avoiding unwanted surprises

There can be little doubt that cyber security is one of the key business issues of our time. We can no longer bury our heads in the sand. The way individuals, companies and legislators respond to cyber threats in the short to medium term will have a profound impact on long term attitudes. Ultimately, businesses must continue to evolve with the times. “Organisations will be in a position of strength if they are able to continually and proactively hunt for threats in their environment and apply next-generation prevention,” says Mr Henry. “New approaches such as machine learning can augment human knowledge, swiftly and accurately analysing billions of events in real-time, allowing organisations to detect unknown threats.”

New approaches must also be adopted in the boardroom. In the US, changes are under consideration which would call on public companies to appoint of a board member or an independent adviser as a cyber security expert, who would take overall control of the company’s cyber security efforts. This is an important step. In fact, companies should consider creating such a position independently, regardless of any legislative development, as it shows attention is being given to the issue of cyber security. “Governance, more than any single technology or ‘solution’, has a big impact on a company’s long-term cyber security. For diligence, this means it is important to evaluate the governance of targets, not just their technology and IT programme,” says Mr Papadopoulos.

Indeed, cyber risk governance is a hugely important issue – particularly for financial institutions. In the US, federal banking regulators are in the early stages of drawing up a rule that would demand enhanced cyber security risk oversight and preparations. As comptroller of the currency Thomas Curry stated: “In the face of these [cyber] threats, we must ensure that US financial entities that provide critical services to the financial sector remain vigilant and resilient because a cyber incident that affects the safety and soundness of one entity may harm the safety and soundness of others, and could end up having systemic consequences.”

In the context of M&A transactions, there are myriad cyber security risks which must be addressed. But there is no silver bullet to eliminate them. Acquirers need to fully examine a potential target’s approach to cyber risk, to ensure they are not taking control of a business that has already been compromised. Shareholders typically take an unforgiving view of deals that increase risk exposure due to weaknesses that go unidentified during the due diligence process.

© Financier Worldwide


Richard Summerfield

©2001-2019 Financier Worldwide Ltd. All rights reserved.