Ignore Cybersecurity Due Diligence at Your Peril

Ignore Cybersecurity Due Diligence at Your Peril
Whatever the size, scope or sector there is no such thing as a typical merger or acquisition and cybersecurity is emerging as an area of concern for business acquirers. Security breaches continue to cost organisations millions of pounds and cybersecurity due diligence should be considered right alongside with legal and financial due diligence considerations.

Companies are vulnerable to all types of attacks such as theft of customer data, but not just payment and card details, the theft of trade secrets is becoming more widespread. The effects of a cyberattack on the valuation of target or its brand image is unknown and there is also the future risk of fines and liability.

Due diligence is an investigation undertaken to examine a business where there is an interest in merging or acquiring said business. Traditionally there are three types of due diligence; legal, financial and commercial. Key areas include profits, financial risks and legal issues but often cybersecurity overlooked. The current data of a target organisation forms part of the M&A. Along with this come any existing security problems, cybersecurity risk should not be discounted.  

Thorough due diligence is vital to help companies or private individuals understand the target they are buying, as it can guide the strategy to obtain the best value from a deal. With greater insight and a realistic picture, it will determine whether to proceed and if so, how to structure the transaction and how much to pay. Identifying the risks and liabilities is the main focus of any due diligence process and identification of cyber-related risk covers areas such as compliance, market or product claims, technical assets and intellectual property. Failure to adequately assess these risks could result in a devaluation of the target pre-acquisition and ruin negotiations.  

The M&A process creates a high-stress environment where timing is crucial, and cybersecurity can be underestimated. IT systems are complex and there are many devices attached to these IT systems that are at risk; not just from human error, but from common cyberattacks such as malware, phishing and SQL injections. Cybersecurity has not always been a key factor when contemplating a merger or acquisition, but nowadays it’s not just about the merging of bank accounts or people, there is also the potential of bringing thousands of new devices onto the network. 

Cybersecurity due diligence in M&A – a vital activity, take responsible steps

The acquirer must take reasonable steps to determine whether the target has taken the appropriate measures to protect the data with which it has been entrusted.  

  • Assessing and scrutinising the internal and external vulnerabilities by carrying out penetration testing
  • Identifying and taking into consideration the current information security and privacy programs
  • Ascertaining the current level of the security programs compliance with regulatory requirements
  • Identifying the target’s level of cyber-risk mitigation and reviewing current data retention policies
  • Following through with a full audit of current security processes
  • Determining the current processes for investigations and response to security incidents

The risk is heightened during negotiations and consequently privacy and cybersecurity due diligence, in the M&A context becomes more important and research should take a more central role in future M&A.

Past breaches in security uncovered during the stages of M&A negotiations can disrupt the deal, as was in the case of the Verizon’s purchase of Yahoo in 2017. When it emerged that at least 500 million Yahoo user details were stolen in a breach that went undetected since 2014, Yahoo’s sale to Verizon came into question. The billion-dollar sale of Yahoo’s core business was still in the early stages, and they found themselves in a weaker negotiating position. Thus, Verizon cut its offer by $350m and under the terms, Yahoo and Verizon will split future cash liabilities.

In 2019 the UK’s Information Commissioners Office (ICO) announced its intent to impose a £99m GDPR fine on Marriott as a result of its acquisition of Starwood, after the 2018 discovery of a data breach dating back to 2014. This followed the ICO’s intention to fine British Airways £183m following the theft of data from 500,000 customers from its website in 2018. These fines could have significant implications on future M&A transactions involving cybersecurity and data privacy matters.

As technology advances and there is more reliance on computer systems, more and more data is being held in places which allows companies to collect share and use data. Owing to the complexity of cybersecurity it becomes one of the biggest challenges faced by companies, as data is always at risk from cyberattacks and that risk will only grow.

Cyber incidents are almost never straightforward and it’s entirely possible that at the time of an M&A even a thorough investigation may not uncover any existing issues. Therefore a target performing its own risk assessment could offer several benefits, such as using any security gaps identified in the risk assessment to begin addressing significant issues before they even arise in the context of the transaction. Any resulting certification or compliance assessment can be used to demonstrate the security position of the target and defend against any future regulatory investigations.