This text appeared in Cybersecurity Regulation & Technique, an ALM publication for privateness and safety professionals, Chief Info Safety Officers, Chief Info Officers, Chief Know-how Officers, Company Counsel, Web and Tech Practitioners, In-Home Counsel. Go to the web site to study extra.
For the informal observer, mergers and acquisitions (M&A) offers within the 20th century occurred in a staid and established world rigorously managed and choreographed by Wall Road funding bankers and legal professionals. Like poorly-behaved faculty youngsters, new applied sciences and mental property (IP) are more and more disrupting the M&A institution. Digital and knowledge applied sciences revolutionized transactions within the 1970-80s; mental property got here to the forefront as a supply of serious worth and collateral within the 1990s and, Web know-how created huge wealth within the early 2000s.
Cybersecurity has grow to be the newest disruptive newcomer to the M&A celebration. As increasing know-how permits corporations and platforms to seize, retailer and distribute essential enterprise, provider and buyer info, assaults are spreading. Conventional M&A due diligence processes wrestle to maintain tempo with growing cybersecurity issues.
Cybersecurity: The New Child on the M&A Due Diligence Block
The distinctive ways in which info strikes by way of the networks and channels of entities and M&A members exposes new vulnerabilities in the course of the M&A course of. Interconnected networks prolong connectivity and entry past a single firm’s management. Complete cybersecurity due diligence is required to think about the processes and techniques that shield the integrity and worth of proprietary knowledge, personally identifiable info (PII), and enterprise and monetary info. Hacks and cyber threats happen in any respect levels of M&A offers. The current materials dangers to impression the worth of the deal and the businesses concerned. Issues for cybersecurity due diligence are totally different at every stage of the M&A course of.
Verizon’s current acquisition of Yahoo! illustrates the necessity to begin cybersecurity due diligence earlier than a deal’s announcement. Verizon was caught unaware studying about two unreported knowledge breaches of Yahoo which occurred pre-announcement. The sudden breach info resulted in Yahoo! being devalued by $350 million and induced vital delays in closing the deal. The legal responsibility didn’t finish there. Publish-deal, Yahoo!’s successor entity was ordered to pay $85 million to settle a class-action and was topic to FTC remediation measures. A complete cybersecurity due diligence course of carried out earlier than the announcement might have alerted deal makers to the materiality of the difficulty enabling them to raised mitigate dangers earlier than saying the deal.
A deal announcement may also grow to be the impetus for hacking. In 2005, shortly after the acquisition of Seisint, Reed Elsevier discovered that a hacker had compromised a pc belonging to a police officer in a small city in Florida. As soon as behind the firewall of the police division’s community, hackers have been capable of entry data at Accurint, a database service of Seisint. By executing a “Cross-Website Scripting” assault they have been capable of fold malicious content material into the content material being delivered from the police division website to Accurint. Accurint offered a path for hackers into the Reed Elsevier Lexus database. This allowed hackers to steal passwords, names, addresses, Social Safety and drivers’ license numbers of 310,000 individuals. Reed Elsevier’s share worth fell 1.03% on information of the breach. Cybersecurity due diligence earlier than the deal announcement would have recognized Accurint’s vulnerability.
Breaches Throughout Offers Can Be Recreation-Changers
A breach which happens throughout an M&A deal course of could be equally devastating. Think about for instance, TripAdvisor’s acquisition of Viator. TripAdvisor paid $200 million for Viator. Lower than two months after the deal closing, Viator’s bank card cost processor knowledgeable them that the bank card info of over 880,000 clients had been stolen. Forensic evaluation decided that a further 550,000 clients had their PII uncovered. TripAdvisor’s inventory then dropped four%, leading to a $580 million lower in market capitalization. Moreover, remediation prices have been estimated to be over $350 million. A website scan and forensic evaluation might have dramatically decreased, if not eradicated, this breach and its influence
M&A due diligence ought to additional think about and account for alternatives for dormant breaches. By means of instance, a dormant breach occurred in a 2017 merger of healthcare suppliers Ladies’s Well being Care Group of PA and the Regional Ladies’s Well being Group of northern New Jersey. A virus had been hidden on a server and workstation of Lady’s Healthcare Group previous to the merger, however was not found till after closing. By activating this dormant breach on the post-merger community, a hacker gained system-wide entry — exposing 300,000 affected person data and ensuing within the second largest healthcare business ransomware knowledge breach.
Cybersecurity Due Diligence for Merged Cultures
Together with new knowledge, a merger or acquisition brings totally different company and IT cultures collectively. New methods and choices of the merged entity improve info being pulled throughout numerous and/or incompatible methods utilizing unproven processes, by unfamiliar staff, companions and clients who have no idea what to anticipate. For instance, a system which will have been designed to combine seamlessly with one other might not because of an undocumented customized set up or configuration, the addition of a long-forgotten software programming interface (API), or from the failure to put in an improve or “repair” to a bug. Cybersecurity due diligence might want to modify to think about the totally different company and IT cultures and techniques previous to, throughout and after the merger.
Past bodily methods, human elements play a big position in M&A cybersecurity. Mergers of two organizations change processes, inner worker and buyer relationships and reporting hierarchies. Departments, features and places have much less familiarity, forcing staff to cope with individuals, locations, techniques and processes which might be unfamiliar to them. Hackers use this variation and lack of familiarity to launch social engineering assaults, like phishing scams or ransomware, trying to trick staff into defeating safety measures or divulging confidential info.
In 2005, a hacker satisfied Wachovia financial institution staff to promote account info on greater than 676,000 clients by claiming to be a set company. Inside a brief interval, staff that usually carried out 50 account searches a day started looking as much as 500 accounts, copying and promoting the info. Wachovia was not alone. Merged and purchased entities are notably weak to worker breaches when entities fail to rationalize worker id and entry controls. On this case, safety protocols ought to have flagged a 10-fold improve in account searches and not using a corresponding improve in want.
Subsequent Steps for M&A Professionals
The M&A business might profit from contemplating disruption from previous technological improvements in analogous authorized processes. As a brand new lawyer within the early 1990s, I spent months overseeing the guide assessment and cataloging of truckloads of banker’s packing containers of paperwork for litigation discovery. E-discovery introduced new strategies and means to determine, protect and catalogue paperwork to be used in litigation which at the moment are norms for professionals in litigation. Likewise, in recent times, M&A processes have targeted on privateness points and the dangers related to reporting knowledge breaches. M&A professionals would profit from contemplating wanted modifications for the M&A course of to account for cybersecurity along with knowledge privateness and breach. Richard Harroch, managing director and international head of M&A for VantagePoint Capital Companions, cautions that conventional M&A legal professionals might lack consciousness of the broader cybersecurity points and wish so as to add new functionality to their groups — akin to IT and cybersecurity experience. M&A professionals will want a level of schooling as to the technical dangers and prospects to think about influence on their processes.
Regulatory considerations are additionally prompting this new consideration of cybersecurity. The SEC’s current steerage on cybersecurity disclosures requires corporations to reveal materials cybersecurity dangers and incidents. Materiality considers, amongst different issues, “hurt to an organization’s status, monetary efficiency, and buyer and vendor relationships, in addition to the potential for litigation or regulatory investigations or actions, together with regulatory actions by state and federal governmental authorities and non-U.S. authorities.”
To adjust to privateness and shopper safety legal guidelines, together with regulatory and business requirements, M&A groups might want to develop organizational cybersecurity maps and danger assessments that contemplate the sort and means of knowledge assortment, storage and entry in addition to authorized assessments of insurance policies, procedures and contracts. The due diligence may even be clever to think about the post-M&A entities and realities of cybersecurity in contemplating post-closing deal issues and attribution of legal responsibility and worth.
Dangers related to human elements must be addressed. Issues can embrace: technological controls, rationalizing worker id, background checks and entry controls to methods and knowledge, in addition to insurance policies and authorized agreements reminiscent of mental property insurance policies and agreements, non-disclosure agreements, non-compete agreements and severance agreements.
Due diligence may additionally want to think about system testing together with unbiased assessments and “Darkish Net” type penetration checks, critiques of previous breaches for remediation measures and ongoing obligations from each a technical in addition to a authorized perspective.
The due diligence course of additionally would profit from contemplating disaster administration, continuity plans, catastrophe restoration, hosted options offering staff with assets and instruction for responding in addition to steerage on who to direct inquiries to within the occasion of a breach or disaster through the M&A course of or after a merger. This would come with a authorized appraisal of underlying contractual, legal responsibility and governance agreements for these points not sometimes addressed in lots of M&A conditions.
Briefly, complete cybersecurity due diligence acknowledged the brand new and altering world being shaped by cyber threats and cybersecurity. M&A processes will proceed to wish to shortly adapt to think about and combine cyber consciousness with authorized dangers and alternatives to offer a complete appraisal and answer to cyber-related vulnerabilities related to methods, people, knowledge processes, impression on worth and authorized and business issues.
Thomas McThenia is a shareholder and managing director at GrayRobinson’s Gainesville workplace the place he practices in cyberlaw, mental property, know-how, licensing, M&A and business transactions. Tom represents a wide selection of shoppers together with multinational firms, nonprofit organizations, universities, start-up and emerging-growth corporations, know-how and web corporations, and particular person entrepreneurs. He could also be contacted at email@example.com. Richard Markow is a regulation clerk and at present pending Florida Bar Admission.