Cybersecurity is Always a Good Investment IN M&A Transactions
Whether you are the target or the acquirer, cybersecurity is the number 1 issue in an M&A transaction. The reason? Money. If you are the target, failure to appropriately address cybersecurity can significantly devalue your company. If you are an acquirer, failure to conduct appropriate cyber due diligence before the deal is signed can result in purchasing a liability instead of an asset. No matter which side of the table you sit, cybersecurity should be top-of-mind.
With hacking incidents on the rise, cybersecurity cannot be ignored in the world of M&A. And it is not just a single question of whether the target company has ever experienced a breach. With cybercriminals becoming more and more proficient at infiltrating systems and lurking in those systems undetected, really understanding what you are buying or selling can be a challenge. Along with these issues, targets often delay disclosing the type of information that could adversely affect their position (i.e. a breach or incident) while acquirers need to know this information as early in the process as possible.
Cybersecurity is more than just a fancy term used on the news to create fear in the heart of every business owner. We live in a digital world. People used to say an increasingly digital world, but the only thing increasing is the amount of data we generate. We live in a digital world filled with technology that we cannot live without. Growing up I did not have a cell phone (yes I realize this is dating me). Today, I am literally panicked if I cannot find it or if it is not working properly. We function almost exclusively in the digital realm. It follows that businesses are similarly situated. A company’s digital assets are its brand and, often times, its value. Yet, many companies do not have good cyber infrastructure in place. Companies that existed before this digital revolution did not build their business on a foundation of cybersecurity. They had to coble it together and create it on the fly. The result? Systems that are designed for a user experience but not necessarily security. And cybersecurity is not a one-size-fits-all proposition. Each company is different; the size of the company, the location of its digital assets, its dependence on digital information and processes, and its use of vendors and third parties.
As we see from the daily headlines, cyberthreats never sleeps. Companies are constantly under attack, both externally and internally. In addition, those individuals charged with corporate defenses are at a huge disadvantage. Those defenders have to literally have eyes in the back of their heads to be able to track every movement. They have a million issues to consider. A million leads to follow. Yet attackers only need one. They only need one open port. One unpatched application. One click-happy employee and they are in. And the threats have significantly evolved. The perimeter is dead. Gone are the days where a defender only needs a good firewall and antivirus software. And when dealing with cybersecurity in an M&A transaction, the due diligence team needs to know it all.
Any cyber due diligence team should understand: (i) where is the target’s data (both critical and non-critical) and how is it accessed; (ii) who is accessing the data; (iii) types of threats and threat vectors; (iv) security controls; (v) supply chain dependence; (vi) security programs in place; (vii) incident response procedures; (viii) breach and response history; (ix) incident and response history; and (x) the applicable regulatory landscape. Understanding these factors can give the team a bird’s eye view of the target’s digital assets, their vulnerabilities, the vulnerabilities of the target’s business and operations, its dependence on critical infrastructure, and potential contamination issues involving the acquirers systems.
Unfortunately, the target often does not know this information the acquirer is seeking. Due diligence seeks the unknowns and until these unknowns become known, the acquirer cannot and should not move forward with the deal. Yahoo did not disclose the largest breach in the history of the world (well thus far anyway) until it was subject to the cyber due diligence that was part of the Verizon acquisition. The result? A significant, and by significant I mean hundreds of millions of dollars, reduction in the purchase price.
So what does all of this mean for attorneys? Well first, traditional or customary due diligence reviews are a thing of the past. Just looking at the usual issues involved in M&A due diligence will cause you to overlook a significant amount of critical, yet unknown, information. It also means recruiting a team of experts; cyber due diligence is complex and implicates all areas of a business. Failing to understand the technological environment, and the implications from a legal perspective, can be detrimental to the deal and ultimately your client (and may also result in putting your malpractice carrier on notice). Dabblers will simply not do. To truly understand this world, you must live in this world. Technology is not enough. Legal is not enough. Business is not enough. All three intersect in cybersecurity M&A due diligence. Therefore, a specialist who understands these three pillars must be engaged in order to ensure the acquirer is getting a full and accurate picture of the cyber assets and liabilities of the target.
Addressing cybersecurity issues, not just at the M&A stage, but as part of a business’ everyday operations, having a culture of security at an organization, can benefit it significantly. Not just during a sale, but in every facet of operations. Good cyber practices make a company stronger and more marketable. Afterall, cybersecurity is always a good investment.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.