Inadequate data security can leave unwitting companies liable for the repercussions of a latent data breach
The company looks great on paper; however, a key consideration often overlooked by buyers is: “What are the organization’s culture and practices surrounding data security, and how relevant are its proffered security assessment reports?”
Last year’s Neiman Marcus data breach is a cautionary tale for all legal counsel who advise clients on mergers and acquisitions. Unbeknownst to investors and their advisors and counsel as they were in the midst of negotiating to acquire the company for $6 billion, hackers compromised the high-end retailer’s payment security system to steal the credit card data of hundreds of thousands of customers. Fast forward to today, and the effects of the breach are still being felt, as breach-related expenses dragged down the company’s otherwise solid FY14 financial performance.
These investors and many others are learning the hard way that today’s M&A due diligence must evolve beyond traditional inquiries to include a clear understanding of the state of data security at the target company. There’s virtually no area of an organization that does not generate or interact with data, and as such, successful data security is inextricably bound to successful operational, functional and financial performance. Thus, advising on investment risks must account for those related to a potential target’s information security environment.
Cyber due diligence enables investors to identify, evaluate and quantify data security risks that can result in significant financial or reputational harm. It also affords investors the opportunity to exit or restructure an investment should problematic findings arise. But unlike more established due diligence activities, assessing data security is complicated by its inherently hyper-connected nature. At any moment in time, the interaction of operational systems, networks, third-party integrations, endpoints and users presents an ever-changing picture of risk. Myriad laws and regulatory bodies, both domestic and international, add another layer of complexity that must be addressed.
As a starting point to address these risks, M&A deal teams should include legal counsel who specialize in cyber-related issues. Often within the same firm, M&A lawyers can leverage their colleagues in the firm’s data security and privacy practice. These lawyers have the experience to efficiently and effectively:
- Guide the activities of forensic experts in technical cyber diligence areas such as security controls risk assessment, endpoint monitoring and, potentially, data breach incident response, in order to identify data security risks in the target company.
- Assess and quantify the impact of these cyber risks for the deal team for potential exposure, such as notification costs, fines and related expenses, as well as the newly discovered costs impacting the migration period post-closing.
- Forecast the long-term impact on transaction and business development expectations from the loss of critical intellectual property and trade secrets; a failure to comply with applicable laws (possible monitorship) and litigation; and most importantly, potential damage to the reputation and brand.
Yet another reason why technical cyber diligence is prudent can be found in a statistic from the 2014 US State of Cybercrime Survey. When asked how insider intrusions are handled, 75 percent of respondents answered that incidents are handled internally without legal action or law enforcement. Thus, it’s possible that in a target company, only a very few people might be aware of an incident. Given that many functional silos exist in today’s companies, it’s possible for an organization to self-certify in good faith about its data security posture if its representative has no knowledge of a prior issue. Who’s to say a lingering unaddressed vulnerability doesn’t continue to exist, let alone undiscovered ones?
Outside of the corporate and data governance issues, the technology and systems currently deployed by the target may not be sophisticated enough to even identify an issue. With a small IT team and a never-ending stream of alerts, it is very unlikely all leads are being chased down by the internal IT/Security team. As a prudent measure, the investment in one final technical inspection of your target is worth the peace of mind before the deal is closed.
Lawyers who specialize in data security have seen firsthand the repercussions of inadequate testing and/or preparation. They are well-informed when it comes to known and emerging threats and vulnerabilities, and are well-versed in privacy-related laws and regulations. They also bring the advantage of knowing which specialist partners (investigators, forensic specialists, etc.) are most experienced and have the best track records, who can respond with speed, and who can be trusted to meet client expectations. It’s time for cyber due diligence to take its place alongside traditional due diligence inquiries, and for data security counsel to play a bigger role on every M&A deal team.
By Alexander Gross, former Director of Business Development for Kroll's Cyber Investigations and Breach Response practice.