FORUM: Managing cyber and technology risks in M&A
June 2017 | SPECIAL REPORT: MERGERS & ACQUISITIONS
Financier Worldwide Magazine
June 2017 Issue
FW moderates a discussion on managing cyber and technology risks in M&A, between Michael Bruemmer at Experian Consumer Services, Emilian Papadopoulos at Good Harbor Security Risk Management, Jonathan Trull at Microsoft, and Samuel Pearse at Pillsbury Winthrop Shaw Pittman.
FW: To what extent can cyber and technology risks impact an M&A deal? Is the transaction process particularly vulnerable to these threats?
Trull: The risks posed by cyber threats and from outdated or poorly managed technology can significantly impact an M&A deal. The most recent and highly publicised example is the acquisition by Verizon of Yahoo’s internet business. Though the deal finally closed, it was thrown into serious doubt after Yahoo reported that customer accounts had been breached in two separate hacks. In the end, the cyber attacks resulted in Verizon cutting its price by a reported $350m. That is a significant impact. The transaction process is a vulnerable time for both companies involved in the transaction. If there is significant money involved, you can bet that both insiders and outside threat actors will potentially target the companies for their own financial gain. Maintaining good operational security surrounding the M&A deal is essential to reducing the risks involved.
Pearse: There are numerous ways in which cyber and technology risks can impact an M&A deal. A hack or a leak about the potential transaction can cause tremendous disruption. For example, previously confidential discussions can force parties out into the open with resultant issues regarding customers, clients, suppliers, creditors and staff. Rather than the parties executing a carefully considered strategy of engagement with those groups, they are then on the back foot and the target will have to have awkward conversations at a time when they are under pressure to get the deal done. From a buyer’s perspective, knowing a company is in-play can bring unwanted attention from other would-be suitors, weakening their hand in negotiations and perhaps forcing the purchase price up.
Papadopoulos: Cyber and technology risks affect M&A in three ways. First, these risks should be part of due diligence and may affect a deal’s value or terms. The perfect example is the Verizon-Yahoo acquisition. After Verizon, and the world, at nearly the same time, learned about Yahoo’s two huge data breaches, Verizon reduced the price by $350m, or eight percent of $4.5bn. Second, if cyber or technology risks are not uncovered in diligence, they can plague the acquirer or both parties post-transaction. If an acquired company has systems that are not secure and resilient in the face of disruption, that could affect business value. If the companies integrate IT, one company’s lack of security could result in the other company’s networks getting compromised. Third, the M&A transaction itself can be targeted. Cyber criminals have already hacked law firms to profit by trading on secret M&A data. The transaction process is especially vulnerable because many people across multiple companies and law firms have to exchange highly sensitive data, and criminals know where to find it.
Bruemmer: Cyber risks can largely impact M&A deals. Take, for example, the recent Verizon and Yahoo deal. After Yahoo’s disclosure of two massive user-data breaches affecting more than one billion accounts, Verizon cut the deal by $350m for Yahoo’s internet business, months after the companies reached their initial agreement in July 2016. The M&A transaction process can certainly be vulnerable to security risks. When large financial deals hit the headlines, they attract the attention of financially-driven cyber criminals and become susceptible to corporate espionage. As it is not always realistic to keep such M&A activity out of the news, it is vital that businesses increase their security precautions to assess the cyber risks of both companies involved in the deal and protect critical data during integration.
FW: How important is it for parties to have a thorough understanding of the cyber and technology risks that could disrupt or derail a deal? What are the potential consequences if highly sensitive data is accidentally exposed, lost or stolen, for example?
Trull: As part of the due diligence process, the parties involved in an M&A deal should closely evaluate the existing and potential risks posed by technology and cyber threats. This should include obtaining assurance that there is not a current and ongoing breach of sensitive data. Breaches are not only expensive to remediate but can significantly impact stock price once disclosed. Equally concerning would be a scenario in which a breach had occurred in one company and then spread to the acquiring party, or vice versa, once the two companies merged and joined their networks and productivity suites. It is equally important to understand the current state of protective and detective measures in place to fully understand the cost associated with bringing the acquired company to acceptable levels. In addition, during the M&A process, the companies involved will typically share and evaluate sensitive and proprietary information regarding intellectual property, customers and sales and marketing plans. Disclosure of this information by either party, or through a cyber attack, could de-value the deal or prevent an acquisition. Companies must have sufficient visibility into the total risk they are managing. As part of the M&A process, the acquiring party must evaluate the additional risk they would now be responsible for managing, and must determine whether they need to mitigate additional risks or transfer some of the risks to a third party via insurance.
Pearse: Not only could a deal process be disrupted if facts about the potential deal are obtained, but a deal itself could be prejudiced if parties are not respectful of cyber security and technology integrity. Inadequate protection of data or systems, and a poor response to an attack, could put off potential suitors or lead to a price-chip or indemnities being sought, whether for a loss of proprietary information or potential action from regulators, such as the Information Commissioner’s Office or third parties.
Papadopoulos: Parties need to think more broadly about risks than just theft of sensitive data such as personally identified information or trade secrets. The risks vary depending on the company. For an e-commerce company, hackers might compromise its website or technology platform and disrupt its ability to sell or track merchandise for days at a time. For a private equity firm, hackers could take over an executive’s login credentials and use them to steal money, like hackers did when they stole $81m from the Bank of Bangladesh by creating fake funds transfer requests. Any company could suffer a ransomware attack that encrypts important files and interrupts the business materially. Parties in M&A transactions need to understand the full range of risks that can have a material effect on a deal or company.
Bruemmer: It is critical for parties to have a thorough understanding of the potential cyber risks that could disrupt or derail a deal because during a merger companies acquire both the benefits and threats of another organisation – a critical detail to keep in mind. As it is not always clear how well a company has prepared for or handled data breach response in the past, it is vital that participants carefully assess the associated cyber risk. An acquiring company, for example, must truly understand the type of data the other company holds and ensure that security controls are in place to protect it. Conducting a thorough audit of security practices is a good place to start. While a company may have an incident response plan in place, the acquiring company should request documentation that the plan is being activated correctly and regularly updated. Companies can look for third-party vendor audits, updated plans and proof of fire drills, among other things, to truly understand their risks. If highly sensitive data is exposed, potential consequences include reputational damage, financial losses, settlements and legal fees, and disruption of the business deal at large.
FW: If an M&A transaction falls victim to a cyber attack or technology shortfall, what initial steps can parties take to limit the damage? How should the issue be communicated to maintain confidence and credibility in the process?
Pearse: The victim of the attack must look both inward and outward. First, it must initiate its disaster response plan. All companies must ensure a robust security strategy is in place for the sake of their own day-to-day activities and at least preserving company value. That response should include technological support to address the issue, legal support to help identify legal exposures and countermeasures, and PR to formulate an effective strategy to preserve confidence and get ahead of the story. The second action would be to be upfront and honest with the potential acquirer. Ideally, the communication would have the benefit of being the first step, so that the message being communicated is that the issue was detected promptly, it was quickly addressed and the potential exposures have been identified. While the attack or shortfall itself is a negative, it is no longer viewed as being exceptional. It is often about the reaction.
Papadopoulos: Parties need to do three things to keep confidence. First, they need to study cyber risks as part of their due diligence activities. Shareholders expect companies to discover things that could materially affect value before or after a transaction. Second, each company needs to have its own house in order. It should have reasonable systems to know if its IT has been compromised and what information was stolen or disrupted, and it should be prepared to mitigate a significant cyber incident. Finally, if a cyber hack affects the M&A transaction, the companies should be prepared to respond in a thoughtful and coordinated manner, telling investors what happened, what the impact is and how the companies will proceed. The key to success in all three areas is starting the conversation early, planning ahead, and preparing for the worst-case scenario by practicing crisis management through exercises and simulations.
Bruemmer: If a transaction is subjected to a cyber attack, the parties involved should immediately contact legal counsel and document as much information about the data breach as possible. To help preserve any evidence for law enforcement, if brought in, companies should swiftly secure the premises and take affected machines offline to prevent additional data loss. Beyond notifying lawyers, the entire response team must be alerted so preparedness plans can be activated to ensure that all necessary steps are being taken. In terms of communicating the issue, companies should revisit state and federal regulations first and foremost to determine which entities need to be notified and the mandated timeframes for notification. While notifying employees, partners and impacted individuals, companies should be transparent, factual and accommodating. For instance, impacted individuals should be offered remedies from the breached organisation, including credit monitoring, ‘dark web’ and internet records scanning, fraud resolution services and identity theft insurance. Taking care of those impacted, and properly notifying internal and external audiences prior to the breach being leaked or publicly announced, will help protect companies’ reputations and relationships.
Trull: Companies should respond to a cyber attack or technology issue impacting operations according to their incident response processes and procedures. The priority is to identify, assess and resolve the attack or technology issue that is causing the problem and restore operations to normal. This may include removing infected machines from the network and restoring data from backups or blocking IP addresses that are flooding a company’s network with traffic causing a denial of service. Communication is a key component of any IT event, and all external communications should follow company policies and be reviewed by legal counsel. With that said, however, it is important to share material information during the M&A process to the relevant parties. The communication should be clear, factual and free of conjecture and demonstrate the ability of the impacted company to deal with such situations.
FW: To what extent can bespoke systems help parties to manage and mitigate cyber and technology risks in M&A? Is security improving to cope with increasingly sophisticated threats?
Papadopoulos: Technology solutions and processes do exist to help companies manage these risks. These have improved over time, moving from an old, perimeter-based philosophy of trying to stop bad guys from entering corporate networks, which is practically impossible, to a more sophisticated philosophy that focuses on designing resilient IT systems, detecting and stopping the bad guys if they do get in, and protecting the most critical data. The right place to start is not with technology, but risk discovery and risk management. Companies need to consider their own unique business operations, decide what risks are most consequential and develop a strategy to mitigate those risks. When executives talk together about cyber risks, they almost always discover new risks or that each person was prioritising risks differently. This conversation is the first step in successfully mitigating cyber risks in M&A and writ large.
Bruemmer: A business’ systems can help manage and mitigate risks in M&A by keeping communications about the deal secure and confidential. For instance, using an encryption programme that provides cryptographic privacy and authentication for data communication can ensure that emails about the deal are protected between parties. Another example includes using a secure file sharing service that has a definitive retention timeframe and access controls to ensure only those with permission can view the transferred information. These offerings are constantly evolving to cope with increasingly sophisticated threats, so it is vital that businesses take advantage of these security measures, and install programmes and update systems regularly to ensure that appropriate safeguards are in place.
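The two properties named in the answer above, cryptographic privacy with authentication for deal communications and a definitive retention timeframe on shared files, can be demonstrated together with an authenticated-encryption envelope. The following Go program is an added example written for this page; it is not code from the original article or from any of the participants' firms. It uses AES-GCM from the Go standard library and binds a hypothetical deal identifier and a hypothetical expiry timestamp into the associated data, so that an attacker who cannot break the cipher also cannot silently extend the retention period or re-label the document to a different deal: any change to the ciphertext, the deal ID or the expiry is rejected as a tag failure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Envelope is a sealed deal document. DealID and Expires travel in the clear
// but are covered by the GCM authentication tag as associated data, so they
// cannot be altered without the Open call failing.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // ciphertext with the 16-byte GCM tag appended
	DealID     string // hypothetical deal identifier, e.g. "deal-42"
	Expires    int64  // hypothetical retention deadline, Unix seconds
}

var (
	ErrExpired  = errors.New("retention period elapsed")
	ErrTampered = errors.New("authentication failed: envelope altered or wrong key")
)

// aad serialises the metadata that the tag must protect.
func aad(dealID string, expires int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(expires))
	return append([]byte(dealID), buf...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a fresh random nonce and binds the
// deal ID and expiry into the authentication tag.
func Seal(key []byte, dealID string, expires int64, plaintext []byte) (*Envelope, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, aad(dealID, expires))
	return &Envelope{Nonce: nonce, Ciphertext: ct, DealID: dealID, Expires: expires}, nil
}

// Open enforces the retention deadline first, then verifies the tag over
// ciphertext and metadata. A forged later Expires still fails, because the
// tag was computed over the original value.
func Open(key []byte, env *Envelope, now int64) ([]byte, error) {
	if now > env.Expires {
		return nil, ErrExpired
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, aad(env.DealID, env.Expires))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	// Constructed sample: a fixed demo key and a short document. In practice the
	// key would come from a KMS or be wrapped for each recipient.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	now := time.Now().Unix()
	env, err := Seal(key, "deal-42", now+7*24*3600, []byte("term sheet v3: price $4.5bn"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, env, now)
	fmt.Printf("open within retention: %q, err=%v\n", pt, err)

	env.Expires += 365 * 24 * 3600 // attacker tries to extend retention
	_, err = Open(key, env, now)
	fmt.Println("open after expiry was forged:", err)
}
```

The ordering inside `Open` matters: the expiry check runs before the tag check so that expired envelopes are refused even by a holder of the key, while the tag check is what stops anyone without the key from moving the deadline. Nonces are random per message; with 96-bit GCM nonces, a single key should not protect more than a few billion envelopes, so a real file-sharing service would rotate keys per deal or per recipient.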
Trull: Whether bespoke or commercial, good security engineering principles must be used to ensure that systems are resilient to attack. Coupled with strong internal controls, well-engineered systems can significantly mitigate cyber and technology risks during the M&A process. Security has improved significantly over the last decade, both from a strategy and product perspective. What we continue to experience is that, though we are adding more and more protective measures, attackers quickly innovate and find additional attack vectors, most directed at socially engineering employees to unknowingly help them carry out their attacks. We are seeing a consistent shift in security spending and prioritisation related to threat detection. The companies that are seeing the most success in mitigating cyber risk are those that can identify and quickly contain an attack before considerable damage occurs. Rarely is it the initial stages of an attack that causes the damage, but the ongoing lateral movement through a company’s network and systems over a period of weeks or months that results in outages and lost records. Advances in machine learning, artificial intelligence and data analytics are showing great promise in helping overwhelmed security teams identify and respond to attacks. Passwords also continue to be the proverbial ‘thorn in the side’ of most security teams. We are seeing an increased focus and success in replacing the username and password with more robust authentication methods, which can significantly reduce the risks posed by a cyber attack.
Pearse: A bespoke system may not have been developed on the same budget as other systems and there may be a smaller pool of readily available experts to assist with emergencies. However, a bespoke system may offer better coverage than one-size-fits-all software. Also, a breach of a bespoke system, built to a contractually agreed specification, may give the victim a better legal argument for recovery. With regard to the deal process itself, there are a number of online hosting platforms for data rooms. The cheaper options are used more and more by clients intent on cost-saving. For complex or high value matters, we would suggest using specialist M&A services due to the higher levels of sophistication. Hacks of data rooms are almost unheard of, but in the event a bad actor wished to access these repositories, all parties would hope the security matched the value of the content.
FW: In terms of legal and regulatory developments, how have these influenced the way parties manage cyber and technology risks as part of an M&A deal? What particular challenges arise in a cross-border deal?
Trull: Privacy and security regulations should be top of mind for any company considering a cross-border deal. Whether the EU General Data Protection Regulation (GDPR) or the Chinese cyber law, the geographic location of companies and their customers can create significant obstacles to merging systems and operations, and could add additional regulatory risks. During a cross-border M&A deal, the companies should obtain a clear understanding of the types of data being processed and data storage locations. Using this information, the pertinent regulations and laws impacting the companies involved in the M&A deal can be identified and then evaluated. Cost-benefit analysis can then be performed on market opportunity versus costs associated with regulatory compliance, fines or, worst case, a potential shutdown due to government interference or geopolitical instability.
Pearse: The proliferation of new technology and the increased risk of a cyber breach has prompted many governments to introduce legislation requiring entities to review their data privacy and cyber security practices. Europe is seen to be leading the charge in terms of a comprehensive legislative framework; potential fines of €20m or 4 percent of global annual turnover under the GDPR have driven data privacy and cyber security to the top of compliance priorities. One obvious example of how the GDPR could impact an M&A deal is the deadline for data breach notification, which runs from the date of knowledge. Given that data retrieved as part of a cyber breach is often not published or sold for months, or even years, buyers may suffer the fallout from a breach which occurred well before they purchased the target company. In response to these risks, we have seen an increased focus on IT and data security due diligence, stronger warranties and indemnities, and an increased use of cyber security insurance.
Bruemmer: Regulators in all regions have increased their focus on further evolving the legal and regulatory frameworks that govern data protection and cyber security. Most regulators require entities that hold consumer data to implement and maintain reasonable procedures to ensure that data is secured from unauthorised access. To meet these requirements, companies should make year-over-year, sustained and appropriate investment in technology, monitoring, testing, training, policies and procedures. These investments should be in relation to the size, scale, scope and sensitivity of the data a company holds. The data breach notification requirements of US states and the EU’s GDPR are most often used as examples of the growing regulation in the areas of cyber security and data protection. However, policymakers in India, Japan, Australia, Singapore and China have also recently updated their data protection laws. Countries like Brazil, Indonesia and Russia are considering new legislation. With respect to cross-border data, there continues to be an interest in some economies in enacting data localisation laws that would limit global data flows. Finally, it is important to remember that when it comes to data protection laws, each country and region has its own standards and culture which will guide their respective privacy frameworks. However, it is critical that there is some interoperability between these systems, like the ‘privacy shield’ or APEC Cross-Border Privacy Principles, to allow for global data sharing that fosters commerce and innovation.
Papadopoulos: There are two positive developments in emerging cyber security regulations. The first change is that risk management is now at the heart of achieving cyber security. Doing a risk assessment is a critical step under the new rules from New York state’s Department of Financial Services (DFS), as well as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to give just two examples. For companies that do M&A, this must be part of the risk assessment. Also, a risk management culture will improve cyber security around M&A. The second change is about governance and accountability. We increasingly expect senior executives to oversee cyber security risk management. The DFS rules require a corporate officer to sign off each year that they have reviewed and approved their company’s cyber security programme. Draft legislation on Capitol Hill requires corporate boards to have or retain cyber security expertise and, though I do not expect that bill to become law soon, it sends a strong signal about the importance of governance and oversight of cyber risks. With emerging regulations, cyber security is undeniably a C-suite issue.
FW: What final piece of advice would you give to parties involved in an M&A transaction on managing the cyber and technology risks they face?
Bruemmer: Above all else, parties must investigate the security posture of their potential partners before making a business decision. While most companies have a data breach response plan in place – 86 percent of firms, according to a recent Ponemon study – this does not signify that they are truly prepared for a breach or have responded correctly in the past. Additionally, it is vital that companies investigate the security posture of their own employees. Be it negligence or malicious intent, there is the risk of insiders divulging important information about M&A transactions. According to our survey, 55 percent of organisations experienced a security incident or data breach due to employees in 2016, so equal attention must be placed on both internal and external audiences, especially during business deals when concerns around job security are heightened. Companies should maintain a culture of security during transactions, providing employees with incentives to report security issues and safeguard confidential and sensitive information.
Pearse: Companies will not be readily forgiven for failing to create and implement reasonable cyber security measures and compliance plans. Conversely, demonstrating that efforts have been made should help to reduce the risk of regulator fines and civil action. Having to disclose inadequate policies as part of a due diligence exercise is a potentially damaging action that could be avoided. It is the question of how a business reacts to a data breach which is essential to instilling trust and confidence in customers and suitors alike, and not the fact that an attack has occurred.
Papadopoulos: First, incorporate cyber risks into due diligence. Take a broad view of cyber risk that is not limited to theft, and take a broad view of cyber security that includes governance and risk management, not just IT solutions. Second, ask your own company’s chief information security officer how he or she is protecting your M&A data. Third, ask your law firm the same thing. How are they protecting your data, who in the law firm is accountable for this, what systems do they use and how will they respond if M&A data is stolen and published?
Trull: Companies should build a structured process and set of tools for assessing and documenting the risks related to cyber and technology as part of their M&A process. Companies should include either their internal security and IT teams or use a third party to work with the broader M&A team to perform cyber and technology risk assessments, and ensure the risks are captured and included as part of the due diligence process. Management will then have a clear picture of any additional risks arising from the M&A and can then put plans in place to accept, mitigate or transfer these new risks.
FW: Do you expect cyber and technology risks to take on greater importance during M&A over the coming years? Is it a key part of the process that parties cannot afford to underestimate?
Pearse: There is value in all proprietary data. Organisations in all sectors are at risk. Ashley Madison and WADA have both been attacked, and for different motivations, including blackmail and greenmail. Companies must take data security seriously and we are seeing increased involvement of CTOs and their teams in due diligence processes. There is an increasingly high level of sophistication being applied to technology due diligence and all companies which are potential targets will find themselves paying for inadequate attention being shown to their security.
Papadopoulos: Cyber threats are already affecting M&A. Law firms have been hacked to steal M&A data for profit and the Verizon-Yahoo merger was materially changed because of a cyber breach. These are just the tip of the iceberg and more examples will follow. Plus, companies are becoming more and more dependent on IT systems, so disruptions to those systems, and a lack of resilience in recovering IT and business operations quickly, will become more critical for all businesses. My hope is that parties engaged in M&A will become more proactive by incorporating cyber risk into due diligence and will be as sophisticated in assessing these risks as they are with financial risks, market risks, competitive risks and legal risks. This will drive better cyber security for everyone and make the hackers’ jobs harder.
Trull: Cyber and technology risks will take on greater importance during M&A over the coming years. This is partly due to the media attention from the Yahoo and Verizon deal, but more importantly is based on the increased digital transformation of companies. As businesses digitally transform, technology will become part of the core fabric of a company’s operations and their ability to drive revenue and profits for shareholders. Therefore, technology and attacks against information systems will have a greater impact on the valuation of companies and will demand greater scrutiny during the M&A process. Companies undergoing M&A activity should absolutely include a thorough evaluation of the technology and cyber risks as part of their due diligence activities and should incorporate the results into the final offer.
Bruemmer: As the frequency and severity of cyber attacks continue to increase, these incidents are frankly unavoidable for companies, and the targeting of business deals is no exception. Cyber criminals recognise the opportunity to fly under the radar during M&A transactions, and therefore profit substantially, as there are so many moving parts to these types of deals. Knowing this, and considering the reputational damage and financial losses at stake, companies cannot afford to overlook or underestimate security incidents occurring during M&A. The recent Yahoo breach is just one example and a painful lesson around the importance of cyber security and due diligence. Hopefully this breach will stay fresh in the minds of companies and will serve as a wakeup call for those considering a merger or acquisition.
Michael Bruemmer is vice president of the Experian Data Breach Resolution Group at Experian Consumer Services, which offers companies swift and effective incident management, notification, call centre support and fraud resolution services while serving millions of affected consumers with proven credit and identity protection products. With more than 25 years in the industry, he brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery. He can be contacted on +1 (949) 294 8886.
Emilian Papadopoulos is president of Good Harbor Security Risk Management, a cyber risk management advisory firm. Mr Papadopoulos leads the firm’s business operations and advises boards, CEOs, investment professionals and government leaders on managing cyber risk. He has helped clients across sectors including energy, insurance, law, technology, defence and manufacturing. Mr Papadopoulos’ experience in strategic planning and international security risk management spans North America, the Middle East, Latin America and Asia. He can be contacted on +1 (703) 812 9199.
Jonathan C. Trull leads Microsoft’s team of worldwide chief security advisers in providing thought leadership, strategic direction on the development of Microsoft security products and services, and deep customer and partner engagement around the globe. Mr Trull joined Microsoft in 2016 as an experienced information security executive bringing more than 15 years of public and private sector experience. Previously, he was vice president and chief information security officer with Optiv. He can be contacted on +1 (720) 528 1838.
Samuel Pearse, a Pillsbury partner based in London, advises clients on a wide range of complex corporate and securities transactions. Experienced in M&A transactions, capital markets, joint ventures, investment funds, private equity and finance, he advises on cross-border investments, acquisitions, disposals, restructurings, accessing capital markets and corporate issues. He works with Fortune 50 companies, venture capitalists and leading-edge startups in the financial services, technology, energy, aerospace and defence sectors. He can be contacted on +44 (0)207 847 9597.
© Financier Worldwide