Breach Response- Decoding the Target in an M&A Transaction

If nothing else, one key element for any organization when addressing the issue of cybersecurity is breach/disaster response.  We have discussed in previous blog posts that being able to deliberately and elegantly respond to a breach is the main difference between extinction and survive.  A Darwinian proposition: only the strong (and prepared) survive.  Never is this fact more evident than when dealing with an M&A transaction.

We have seen in the past few years that the focus for cybersecurity has shifted from defense to resiliency. What does that mean?  Basically, since breaches are a when and not if situation, the main differentiator is whether a company can respond quickly and effectively. And as we always say, luck favors the prepared.  In cybersecurity land, that means having a comprehensive, thoughtful and rehearsed breach response plan. Given this paradigm shift, examining a target’s breach response plan in an M&A transaction is now a vital piece of the due diligence. For example, if a target is well prepared to address and recover from an attack, they are far more valuable a commodity than a target that would respond in an ad hoc manner.

Reviewing the breach/disaster response plan of a target can also be beneficial in gaging the target’s cybersecurity maturity.  A good breach response “battle plan” will include, among other things: (i) clear guidance on the steps to implement if a data incident occurs; (ii) a clear chain of command with set roles and responsibilities; (iii) containment requirements; (iv) prioritized recovery of certain data and systems; (v) an identification of any sensitive, personal data; (vi) a timeline for state and federal reporting requirements; (vii) all contractual reporting requirement; and (viii) a timeline to bring critical systems back “online”. A good breach response plan should also include threat vectors and possible modes of attack. It should also point out means of improving based on past tabletop exercises (more on that later).

When developing the breach response plan, any prior incidents should be reviewed for how the target responded in accordance with its written plan.  The goal with any breach response plan is that it will evolve and improve as time goes on and the organization learns from its mistakes.  Because to err is human, to repeatedly err on the same issue is ridiculous and shows an inability to learn and grow.

Any good breach response plan needs to be battle tested, and an organization should not wait until the real battle to train its forces.  Organizations should use simulations, conducted randomly and involving different scenarios, to test and hone its plan. In performing due diligence, the M&A team should be looking at how the organization responded during these practice runs or tabletop exercises:  did the team follow the plan? What recommendations for improvement were made?  Were those recommendations followed? How did the employees and personnel charged with implementing the plan perform? Are they qualified? Have they been trained?  These are all key points when performing cyber due diligence and are valid questions to ask before signing on the dotted line.

Another area worth exploration is to review the cyber responses from the target company’s third party vendors.  We have all heard the story about the Target breach- it was the result of an HVAC vendor.  And we cannot begin to count the number of times we tell a client that “you are only as strong as your weakest vendor link”. But, when you are dealing with an M&A transaction, that horse has left the barn.  Now, we need to be considering how the target vets its vendors to determine the risk factors that exist from those third parties.  And, it is not enough to just consider how the target vets its vendors, but to review the due diligence on those vendors yourself. In other words, you need to look at the target and the target’s vendors to get an accurate security perspective. Part of the a review of the vendors must include an assessment of their incident response capabilities. We know that properly vetting the target’s vendors must be included in all good cyber due diligence- but you should need to also consider the target’s incident response capabilities as well.

Cybersecurity and data privacy in today’s world should be a key piece to any M&A transaction.  Due diligence in the target company’s breach response should not be an afterthought.  Examining a breach response plan of the target, and everything that flows from that, can mean the difference between purchasing an asset versus a liability.  Dissect their battle plan, learn their troop movements, and evaluate their assessment of the enemy. Because in the world of M&A cybersecurity, due diligence is always a good investment.

* * * * * 
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.