Trillions of dollars are spent on M&A each year, yet reports suggest that less than 10% of deals integrate cybersecurity into the due diligence process.[1]
Despite the FBI and private watchdog groups raising multiple warning flags about ransomware groups hitting more and more companies in the middle of significant transactions like M&A, and despite increased focus from the FTC and the SEC on data security failures as legitimate grounds for shareholder and government enforcement actions, companies continue to struggle with how to capture and mitigate cyber risk in an M&A transaction. Even with increased top-down pressure from Boards of Directors and the potential for breach of fiduciary duties related to lax data security measures, companies are fumbling the ball on what questions to ask and how to measure the security risk in a target.
Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues. Unresolved risk can also push investors to question the impact of future attacks. And for good reason: An increasing number of deals have stalled or not gone through at all since the widely publicized 2017 Yahoo disclosure of a data breach which led to a decrease in the deal price for Yahoo in its acquisition by Verizon Wireless Inc. Initially Yahoo did not disclose any significant cyber events but later disclosed an earlier data breach affecting more than 500 million users. The following day Yahoo’s stock dropped 3%, and it lost USD 1.3 billion in market capitalization.
Verizon determined that the incident was a material adverse event under the stock purchase agreement and the parties agreed to reduce the purchase price by USD 350 million, or 7.25%. In response to this and similar incidents, and as cyber events increase in scope and complexity, investors are requiring more detailed quantification of cyber risk exposure, including risks of financial loss and reputational harm.
Preemptive and proactive cyber integrity risk assessment must be incorporated into the M&A process. This means that dedicated cyber and security experts must be involved at an early enough stage of the transaction to gauge a company’s cyber security and resiliency. Risk reports should inform both initial deal-making and stay relevant through the lifecycle of the deal.
There is no simple playbook for an acquiring company to address cyber risk but the diligence process is key to getting it right.
As part of efforts to uncover cybersecurity risks or incidents at a target, some key areas for an acquiring company to direct its focus include:
Sharing information with third parties: How does the target vet third-party security infrastructure, policies and records? Does the target secure audit rights in its contracts with third parties? Has the company assessed its obligations to notify customers and regulators in case of a breach?
Ultimately, while these examples provide a starting point for appropriate cybersecurity diligence, it is critical that the acquiring company tailor its diligence on data privacy and security matters to the target company by also understanding the target's data collection and use practices. Above all, the forthrightness of the target in these matters is of increasing importance. A blank stare or a vague response to any of the data security questions is itself an answer and should be given attention.
Cybersecurity and resilience have become increasingly important to successful business practices. Executive teams are judged on lax security measures and on the appropriateness of their breach response. Ransomware is increasing at an alarming rate. Ignorance, or the inability to obtain a straight answer from a seller company, no longer appeases shareholders and regulators when significant fines and enforcement actions could be at stake. Cyber integrity and proper data security due diligence is no longer a “nice to have”; it is a necessary and critical part of M&A.
Jake Rubenstein contributed to this article.
[1] Aon Cyber Solutions, 2020 Cyber Security Risk Report.
Cyrus Vance Jr. is a partner in Baker McKenzie’s North America Litigation and Government Enforcement Practice as well as the Firm’s Global Investigations, Compliance & Ethics Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice. Prior to joining Baker McKenzie, Cyrus served three consecutive four-year terms as Manhattan District Attorney. In this role, he oversaw a team of more than 600 prosecutors handling landmark criminal prosecutions and more than 100,000 cases each year, including investigations and prosecutions of complex, high-profile white collar and business crimes both in the US and internationally, coordinating with global crime-fighting partners including City of London Police, Paris Prosecutors’ Office, Singapore Attorney General, Europol, and Interpol. Cyrus is a Fellow of the American College of Trial Lawyers. Throughout his career, he has been a visible and vocal advocate on a range of justice issues. He is a sought-after speaker and author, and has testified multiple times before the US Congress and state agencies.
Alan Zoccolillo is the Chair of the North American Transactional practices, the past Chair of the North American Healthcare group and co-managing partner of the New York office. Mr. Zoccolillo was named by Chambers & Partners, the Legal 500 and Acritas as one of the leading lawyers in the US for mergers and acquisitions.
Cynthia Cole is an Intellectual Property Partner in Baker McKenzie’s Palo Alto office, as well as a former CEO and General Counsel. Before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in digital transformation, data privacy, and cybersecurity strategy. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields. She acts as outside general counsel to a number of executive teams and boards of directors.
© Copyright 2022 – Global Compliance News