Cyber security due diligence in M&A transactions
March 2019 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2019 Issue
It goes without saying that every company should have a cyber security policy that addresses prevention rather than cure. It is equally clear, however, that whatever preventative measures are put in place, a company could still fall victim to an attack, and without a response plan a crisis could become a disaster.
However, it is not sufficient for a business simply to have a plan. Instead, the plan must be developed, distributed, tested and revised on a regular basis.
The effects of a cyber incident can have a direct impact on the value of the business. Companies with a good track record and robust procedures and processes in place will, in general, secure a higher value than a business with a poor record and inadequate processes. It is therefore of paramount importance to both the seller and buyer in any merger or acquisition to ascertain precisely what the cyber issues are via robust due diligence.
In order to determine a company’s preparedness for a cyber incident we must first understand its risk profile. The range of potential risks is large, including inadvertent disclosure of business secrets via email, disclosure of confidential information via social media, failure to protect data and information in physical form, inappropriate use of insecure communication and hosting tools and services, failure to identify cyber criminal attacks delivered through social engineering and emails, a breach of security by employees, contractors and disgruntled former employees, and hacking in a variety of forms and by a variety of actors. The list goes on. Businesses must have policies and procedures in place that enable their staff to recognise such incidents, and must implement technical and organisational measures to repel or prevent them.
In the event of an incident occurring, companies must have a ‘rapid reaction taskforce’ in place to ensure that losses are minimised. The make-up and experience of such a taskforce is something that companies should establish through due diligence.
Resilience is a mindset
Businesses today must cope with stringent compliance requirements as a result of the increasingly tight legislative and regulatory landscape in which they operate. This environment means any company unable to fulfil its cyber security obligations may face vigorous investigations and significant fines for non-compliance.
It is essential, therefore, for businesses to put policies and procedures in place which will allow them to carry out regular assessments or audits of resilience to cyber threats and which examine their vulnerabilities.
The focus of due diligence should be on the robustness of the company’s resilience assessment practices. Attention should be paid to the details of internal and external assessments, and audits of both organisational and technical measures.
Resilience cannot be achieved by adopting a ‘tick box’ approach; instead it requires cyber security to be part of the mindset of management and staff by default.
In relation to personal data, there is an increasing use of Data Protection Impact Assessments (DPIAs) among companies as a mechanism to ensure that the privacy and security of personal data is embedded in the ethos of the company and the mindset of its employees.
A buyer would not seek to acquire a manufacturing business without a full environmental assessment. By the same token, where the assets of a business are, increasingly, data, it would be foolhardy to acquire a data-rich business without assessing the value of that asset.
Training and education
Policies and procedures are of little value if they are not appropriately communicated throughout the business, and without training, individuals in the business may not fully understand their duties and responsibilities, or the consequences of their failure to follow policies and procedures.
Due diligence should be carried out to ensure that the company has technical and organisational measures in place which demonstrate that policies and procedures have not only been distributed throughout the business, but that the individuals who have received the policies have read them, understood them, been trained on them and have signified their intention to adhere to them.
Data management, third-party risk, employees and others
It is never too early in the acquisition process to commence due diligence in relation to cyber security as it is unlikely that the target company will have all the information immediately to hand, and depending on the outcome of the enquiries, the direction and price of the transaction may be affected.
From the target’s perspective, the information that is to be provided is particularly price sensitive and may not have been made public previously, either to customers, suppliers or regulators. A detailed non-disclosure agreement should be put in place before any information is provided. This may encompass personnel in both the target and the acquirer who are not involved in the mainstream part of the deal.
Data management. Before an evaluation of the data management risk can be carried out, it is necessary to determine precisely what data and other information a target holds. Issues including where the data was acquired (or created if internal), where it is held (either physically or virtually), how important the data is to the business, why it is being held and the data’s uses must all be addressed.
Third-party risk. While all contracts with third parties will need to be evaluated from a due diligence perspective, it is important that such contracts, and perhaps less formal arrangements, are investigated to determine whether any third party has any degree of access or interface to the target’s systems or data. Particular attention must be paid to relationships where the target has outsourced any part of its administration infrastructure. In practical terms, the third party will need to be treated as if it were part of the target with the same degree of attention applied to its security processes and procedures.
Employees. The human factor is just as important as any technical measure, and for that reason attention should be paid to the target’s policies and behaviour toward its workforce. Phishing, or targeted emails, and lax internal controls can provide just as great a threat to a business as external hacking. Remember to include temporary workers, contractors, consultants and C-suite executives in the evaluation.
History. Has the target suffered a data breach in the past? Once a business has discovered a data breach, or believes it has suffered one, how it responds is of paramount importance. In many jurisdictions, there are specific breach notification requirements in relation to a data breach. Did the target comply with such obligations, or did it bury its head in the sand and hope that nothing bad would happen? If there has been unauthorised access to the systems and apparent data exfiltration, it should not be assumed that only a small portion of the data set is at risk.
What policies are in place, when and how have these been communicated, and have they been tested?
Incident response and recovery policies and procedures should form part of a suite of policies and procedures across the business. It is not enough, however, simply to have these policies available on the business’s intranet or from human resources. If they are to have any value, these policies must be living documents that are understood by all relevant employees in the business.
Perhaps they should also relate to the business’s ethical reporting policies. After all, the effect of the incident may be seen first by someone other than the C-suite executives or the IT department and, in all cases, time is of the essence.
There is little value in a target having carefully drafted policies and procedures, which have been properly and regularly communicated to employees and others, if the individuals responsible for their implementation, and for identifying and responding to incidents, do not have the requisite technical or business skills to do so.
For that reason, a major part of any evaluation of the cyber security status and capabilities of a target must be an evaluation of the personnel who have that responsibility. This should not be limited solely to employees of the target, however; external contractors can also be utilised to provide specialist expertise. If the target has chosen to do so, one of the issues to be addressed as part of the process is to ensure that there are no gaps in capability and that, when called upon, all resources will be made immediately available.
For that reason, close examination of third-party support contracts will be an essential part of the analysis. There is limited value in having part of the target’s cyber security response only available during regular business hours. At the very least, there must be a mechanism for securing out of hours support without lengthy discussions – or arguments – around costs.
Robert Bond is a partner at Bristows LLP. He can be contacted on +44 (0)20 7400 8250 or by email: email@example.com.
© Financier Worldwide