18 September 2018

Cybersecurity risks in mergers and acquisitions transactions

This article was written by Barri Mendelsohn and Gonca Caliskan.

Background

Acquiring a company could mean taking on its digital operations and its past present and future data security issues. This means in many cases that an effective cybersecurity due diligence is essential as it may uncover a number of technical, financial and legal risks in the target which can affect the final terms of the acquisition agreement, the level of consideration the purchaser is willing to pay or, if the identified cyber issue is very serious, jeopardise the transaction itself.

Recent events have highlighted the importance of cyber security to the forefront of many businesses’ minds. The costs associated with cyber incidents are often severe and may include:

  • forensic and investigative activities

  • assessment and audit services

  • crisis management

  • notification of affected third parties

  • consumer class action or other litigation with customers, suppliers, or business partners

  • regulatory investigations and fines

  • business interruption or contingent business interruption losses

  • loss of reputation and goodwill. 

Cyber-crime is estimated to cost the UK approximately £27 billion a year and the average cost to a large organisation of a data security breach is estimated between £1.46 million and £3.14 million. Nonetheless the risk of cyber incidents are not always addressed in-depth or dealt with in deal due diligence.

The 2016/2017 National Crime Agency Report (“NCA Report”) outlined the real and immediate threat of cybercrime to UK businesses. According to the NCA Report, the UK has been hit recently by numerous high-level attacks which were serious enough to warrant National Cyber Security Centre involvement, and countless lower level ones. Recent examples of such high-level attacks are the WannaCry and Petya attacks.

These “encrypting ransomware” cyberattacks affected organisations and companies including NHS, Honda, Nissan, TNT Express and international law firm DLA Piper. The attacks targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments from the affected companies. WannaCry and Petya demonstrated the vulnerability of many companies to such attacks and the severity of disruption it can cause to the operation of their respective business.

Other reasons for cyberattacks might include gaining access to a company’s: 

  • trade secrets or intellectual property (for instance, a pharmaceutical company’s formula for a drug or a manufacturer’s product design) 

  • customer information or employee data (such as personal health information or or credit card details), and/or

  • other confidential information (such as, historical financial data and projections, customer lists, or corporate strategies). 

A recent example of customer information theft by hackers is the British Airways cyber-attack. It was reported that around 380,000 personal and financial customer information were stolen by cyber criminals. Reportedly British Airways could face a fine of up to £500 million and possible a group compensation action. 

Why now?

The current cyber threat trends are underpinned by the fact that most business are almost totally dependent on digital data and network systems. Virtually all companies communicate with their customers, suppliers and business partners through emails, social media, or websites and nearly all of the daily transactions of a company and all of its key records are created and saved in electronic form using internet connected devices, many of which lack adequate security. 

As the number of internet connected devices grows, the attack surface and number of devices that can be leveraged to launch attacks expands. The dependence on electronic systems in running a business combined with the increased use of internet connected devices creates significant potential vulnerabilities that can result in major harm to a target and all its stakeholders. Malicious software can be downloaded from the internet for free by almost anyone and then used to launch an attack and wreak havoc on a business' IT infrastructure.

Given the increased exposure to such cybersecurity breaches and digital infections, it is critical for a purchaser to gain as much information as possible on a potential target’s current cybersecurity health and any historic attacks it might have suffered. 

Why is it relevant for a M&A deal?

Serious cybersecurity breaches can jeopardise a M&A deal’s anticipated value by reducing the value of the target’s business/assets, damaging its brand and derailing its growth prospects.

A good example to such devaluation is Yahoo’s acquisition by Verizon. After being subject to two significant cyber breaches in previous years, the acquisition offer was reduced by $350 million of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future claims related to the data breaches.

According to a PWC survey, 63% of US CEOs are extremely concerned about cyber threats and consider it as one of the biggest treats to business growth. The 2017 Donnelley Financial Solutions/Mergermarket survey stated that 80% of global dealmakers have uncovered data security issues in at least one-fourth of their M&A targets in the previous two years.

Therefore, cybersecurity due diligence at an early stage of the M&A transactions is essential: 

  • to determine the extent and effectiveness of the cyber defences the target has put in place to protect its data and intellectual property

  • to identify the target’s vulnerabilities in the event of a cybersecurity breach

  • to determine the potential of theft and cyber attracts

  • to assess the value of the target in light of the results of its assessment.

Issues with cybersecurity due diligence

Understanding and addressing cyber risks in connection with an acquisition is important for both purchasers and sellers. That, however, can be a difficult task. Cyber issues may be latent and the extent of potential damage often is difficult to quantify. 

The target might be unaware of a cyber intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. Many data breaches, for example, are not discovered for many months or years after their inception. Parties run the risk of closing a deal well before an attack is discovered. Plus determining the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise is very difficult. Similarly, assessing the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited is complicated.  

In addition, the current legal framework in the UK does not address cybersecurity risks and issues effectively. There is no single set of mandatory cybersecurity rules in the UK with which companies must comply. Instead there are number of different laws, rules and regulations, comprised of laws enacting EU Directives as well as standalone laws specific to the UK, which apply depending on the context of the relevant incident and the nature of the organisation involved. Legal obligations under UK law relating to cybersecurity can be found in various statutes and regulations, including the following:

  • Network and Information Systems Regulations 2018

  • General Data Protection Regulation 2018

  • Communications Act 2003 

  • Privacy and Electronic Communications Regulations 2003 

  • Data Protection Act 1998 

  • Computer Misuse Act 1990.

The lack of clear set of rules makes it a complex process to assess a target’s current and historic cybersecurity risks. 

Furthermore, the constantly advancing face of technology corresponds with the constantly evolving nature and variety of cyber-attacks creates added difficulty to cybersecurity due diligence.

Cybersecurity due diligence

Different companies have different due diligence requirements depending on their size, scope, geography or sector. This means that some transactions will only require a high-level cybersecurity enquiry and others may call for a more thorough examination.

The main focus of any cybersecurity due diligence is to identify and quantify the risks and liabilities in support of the deal and any subsequent integration of the target. It is designed to give a potential purchaser an understanding of any material exposure requiring action either pre or post-completion.

Possible cyber threats that might be discovered through effective cybersecurity due diligence may include:

  • an ongoing breach or attack

  • an unrevealed previous breach

  • a persistent intruder or vulnerability to its systems

  • a dirty, malware-ridden environment

  • inadequate security measures and corporate governance processes.

Cybersecurity due diligence might not uncover all potential cyber risks a target was or is exposed to, but it can provide a purchaser with:

  • a clearer picture of the target’s cyber vulnerabilities of those assets

  • whether the target has been adequately safeguarding and monitoring the control of those assets, and

  • any records of cyber incidents that may have resulted in compromises of those assets.

Knowing such facts about the targets cyberhealth, will enable the purchaser to take the necessary precautions and structure the acquisition agreement to mitigate the risks identified by making the required adjustment to the deal and the value of the target.

What queries should be raised?

A successful cybersecurity due diligence process should raise relevant queries to get a detailed understanding of, among others: 

  • the target’s cyber-risk level

  • the nature, amount and value of the data assets being handled or held by the target

  • the nature of the target’s cybersecurity systems, networks and processes

  • the resiliency of such systems and networks to cyber incidents

  • the target's history of cyber-attacks and data breaches

  • the target's recovery plans in event of cyber-attack or data breach

  • if and how the target complies with regulatory standard and practices in the jurisdictions in which it operates

  • if such compliance adequately guards against industry-specific or other cyber threats

  • if the target's business relies on third parties to process, hold, transfer or otherwise manage information assets

  • what protection (indemnities) does the target have if the third party breaches its obligations

  • the target's internal processes to ensure that employees and senior management understand the business's cybersecurity risks and policies

  • the cost of addressing the above concerns

  • the impact of the above on the deal and pricing of the target

  • the impact of the above on the purchaser’s business, brand and reputation going forward.

Where relevant these queries should be included in the information request send to the seller during a M&A due diligence process. If the cyber-risks are perceived to be high, the purchaser should also consider employing an external professional cyber team to test the external and internal protection and procedures of the target to gain true understanding of a target’s cyber health.

How to address an identified cybersecurity issue

If the threats and risks identified during the due diligence process are not so significant as to jeopardise the entire deal, it may be necessary to consider the inclusion of specific deal terms in the relevant agreement in response to the discovered issues, such as: 

  • warranties – warranties should be utilised to address any particular cyber risk or concerns identified during diligence and allow the seller to disclose against these (a breach of a warranty may enable a buyer to bring a claim to recover its loss) 

  • specific indemnities – specific indemnity may be appropriate option if a particular cyber issue has been discovered but may not be quantifiable or is contingent

  • closing conditions – completion condition allows the purchaser to walk away from the deal if an identified problem has not been fixed and therefore provides the best protection for the purchaser

  • pre-closing covenants – pre-closing covenants could be included in relation to cybersecurity and the handling of data prior to completion.

Another option for dealing with uncovered cyber-risks is cyber insurance. This is similar to warranty and indemnity insurance in that, that the level of cover (and the cost of any premium) is influenced by the thoroughness and quality of the due diligence exercise performed. 

Conclusion

In light of the evolution of technology and the dependence of companies on digital data and network systems in running their businesses, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognised as essential to protecting a purchaser’s interests. 

Failing to evaluate cybersecurity risks in detail during M&A due diligence or limiting such due diligence to a company’s IT systems only means ignoring the serious risks that cyber threats pose to all companies and to M&A transaction involving them. 

The difficulties and consequences that cyber incidents can create are clearly demonstrated in high profile cyber-attacks such the WannaCry, Petya and British Airways as well as the Yahoo!/Verizon deal. 

Digital Intelligence

Digital innovation will be a game changer across a wide variety of industries globally. Our Digital Intelligence hub contains a number of resources to help you embrace and face digital disruption head on.

Digital Intelligence

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter Share on Google+
    You might also be interested in

    Whose business is national security anyway?

    19 July 2018

    Big Data has been considered in several areas of law, particularly data protection, consumer and privacy law, but as yet, competition authorities have not intervened.

    07 December 2016

    Under AIFMD, marketing a private equity or venture capital fund in the EU has either got somewhat easier, or considerably harder – depending on access to a marketing passport.

    04 November 2016

    Significant revisions to the transaction reporting requirements under MiFID.

    12 October 2016

    You may also be interested in...