The increasing importance of effective cyber security diligence in corporate transactions
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
Kleiner Perkins Caufield & Byers partner Mary Meeker’s extensive ‘2017 Internet Trends’ report reflects that the category of online advertising and e-commerce is growing and is increasingly measurable, with data increasingly actionable. Likewise, the categories of interactive games, media distribution and healthcare are all at inflection points. Although Meeker’s analysis is limited to ‘internet trends’, it implies that the broader economy is increasingly becoming electronic and digital. In fact, while companies still hold extensive physical assets and intellectual property, business is run on the basis of data collection, data use, data sharing and, necessarily, the protection of that data.
Concurrently, or perhaps coincidentally, with the rise of electronic assets and networked productivity, the cyber security risks organisations of all types must confront are increasing at a torrid pace. A February 2017 report from the International Chamber of Commerce (ICC) and the International Trademark Association (INTA) estimated the value of counterfeit and pirated goods to be upwards of $900bn. From the WannaCry malware to ransomware, as well as hackers and old-fashioned IP theft, firms contemplating corporate transactions need to understand this relatively new category of business risk in the deal. As recently as 2015, privacy, data protection and cyber security rarely warranted a significant role within the assessment of a transaction, except perhaps when the target’s business model centred on personal information. The business landscape is changing, however, and acquisitive firms and investors now increasingly recognise the impact of cyber security risk in all sorts of transactions.
Last year, NYSE Governance Services, an affiliate of the New York Stock Exchange, published a report: ‘Cybersecurity and the M&A Due Diligence Process’. One purpose of the report was to provide benchmarking guidance to companies and their advisers with respect to cyber security risk in transactions. As a reflection of the time, the report stated: “Buying a company [now] translates to buying data. And buying data means you are buying past, present, and future data security problems. The economic impact of a transaction can shift dramatically if, after the deal is consummated, past or ongoing data breaches come to light”. Of the nearly 300 organisations polled in the NYSE report, 85 percent indicated that the discovery of “major vulnerabilities” during diligence would “likely” or “very likely” affect the transaction. In what might have been prophetic, over 20 percent of directors said that a high-profile data breach would deter them entirely from the target company. The ‘prophecy’ almost became true in the recent acquisition by Verizon of Yahoo!, in which Yahoo!’s disclosure of two large breaches eventually caused Verizon to reduce its purchase price by $350m.
Cyber security has indeed become a material component of due diligence by two-thirds of companies surveyed by NYSE Governance Services. This is particularly so when there are clear regulatory demands, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), for any firm accepting or storing credit card information, or the General Data Protection Regulation (GDPR) – directly applicable to EU operations and arguably applicable wherever EU personal data is processed. Beyond simple arguments for compliance with applicable rules and the costs associated with a data breach, acquiring firms that conduct insufficient cyber security diligence may be at risk of shareholder claims of negligence or a lack of due care.
Lest an organisation think that data breach risk is largely a consideration only for acquirers targeting US firms: in June 2017, the Ponemon Institute, in conjunction with IBM, published a report entitled ‘2017 Cost of Data Breach Study: Global Overview’ covering 419 companies across 13 country or regional samples. Some key data points from the survey include the observations that the average total cost of a data breach was over $3.5m and, perhaps of greater consequence, that the likelihood of a recurring material data breach over the following two years is 27.7 percent.
Ponemon identified several components impacting (positively and negatively) the costs to an organisation. While some of these are predictable and difficult to manage – such as the unexpected or unplanned loss of customers – other components actually reflect good cyber security practices. One example is the size of the breach, measured as the number of lost records. This sounds obvious, but the cyber security lesson is that proper data classification, retention and segmentation can reduce the access of an unauthorised person to more valuable data or greater volumes of data. Ponemon also reports that the average number of days between the event of a breach and the recognition or identification that a breach has occurred was 191 days. That is over six months’ delay in the awareness that a security incident has occurred. Upon discovery, it then took the average firm 66 days to contain the breach.
So, how can organisations mitigate this risk in an acquisition or investment? Certainly, if you are targeting an ‘average’ company, six months to even recognise a breach and another two months to recover are likely data points to give the board of directors reason for pause. Since a primary goal of diligence generally is to manage potential future liability and to limit a buyer’s exposure to historical liability, the cyber security arena should be a core component of this assessment.
Numerous articles contain suggested lists and criteria for security-oriented diligence, but, proportionate to the investment or the strategic nature of the transaction, high-level questions include the following. What sort of documentation exists of internal and external security audits? And because these audits invariably identify weaknesses, how can the target demonstrate remediation of – or at least a plan for – the gaps? Does the target have a clear understanding of the types of data it holds, where that data is stored and who needs access to what data? It is truly difficult to protect an asset if one does not know its location, be it a database, a vendor’s cloud network or an employee’s smartphone.
What sort of training and awareness is required of the target’s employees and contractors? Studies vary as to whether human error or hackers, phishing or malware are responsible for more incidents. But in any event, it is likely that a well-intentioned employee has simply made a mistake clicking on an attachment, leaving a device unlocked or being fooled by a fake email. Training, of course, should evolve from an organisation’s documented cyber security programme, which will be much more effective if it has actually been developed around how the firm operates and is based upon a recognised or applicable standard.
How involved is the target’s board and senior management? Tone and attitude for cyber security must come from the top, without any special exemptions because of a person’s seniority. How does the target manage its vendors, and not simply those with responsibility for processing personal information? Published articles about the breach at the US retailer Target reported that the company’s payment systems were accessed indirectly via the HVAC vendor.
Performing due diligence before buying or investing in a company is not a new exercise, but the importance of cyber security risk has become deserving of greater attention. Given that corporate assets are increasingly represented by personal data, intellectual property and proprietary information, all of which are stored in and processed by a company’s information systems, buyers and investors who skip or skim through cyber security diligence do so at their own risk.
Peter F. McLaughlin is of counsel at DLA Piper LLP. He can be contacted on +1 (617) 406 6010 or by email: firstname.lastname@example.org.
© Financier Worldwide
Peter F. McLaughlin
DLA Piper LLP