While vendor relationships are important, it gets “real” when your company contemplates a merger, acquisition, joint venture, or major partnership deal. Recall that Verizon cut $350 million off Yahoo!’s price tag after the latter revealed three breaches involving three billion accounts. It was a defining event in cyber history. And it continues to serve as a poignant reminder to all companies—buyers and sellers, large and small, public and private—about the criticality of robust cyber diligence. It is literally true that a company can buy a cyber incident that subsequently exposes it to potentially substantial liability. Marriott’s 2018 disclosure of a Starwood breach that allegedly began in 2014 (prior to Marriott’s acquisition of Starwood) proves this unfortunate point.
According to a 2016 New York Stock Exchange and Veracode survey,1 22% of directors said that they would not acquire a company that had experienced a high-profile data breach. Nearly half of the respondents in a 2016 Brunswick Insight survey2 said that they would discount a target’s valuation based on a data breach—whether the breach was discovered before, during, or after the transaction. More recent studies suggest that while more cyber diligence is being performed, it may be resulting in fewer deals. According to a 2018 study by West Monroe Partners,3 which analyzed survey findings over the past three years: A greater percentage of dealmakers are discovering a cybersecurity problem at the target only after a deal has closed—up from 40% finding post-deal problems in 2016 to 58% in 2018; nearly half of corporate buyers are dissatisfied with cybersecurity due diligence—up from 3% dissatisfied in 2016 to 49% in 2018; and executives are citing cyber-related red flags as among the top reasons for abandoning a deal.
It is important to note that comprehensive soup-to-nuts diligence is often impractical and unrealistic. M&A transactions, for example, typically involve multiple suitors competing for the same target. Compromises and concessions are part of negotiating a complex deal. Timeframes are tight. Resources are limited. It is also exceedingly difficult to find an opening, or willingness, to perform the type of technical penetration tests and compromise assessments, and compliance reviews, that a buyer might otherwise pursue.
As with vendor management, the publicly available guidance on cyber diligence is plentiful. That guidance draws from diverse viewpoints, including but not limited to banking, consulting, accounting, legal, government, and academia. Here, we offer a few insights from the buyer’s perspective that, in our experience, have helped to get at the heart of the issue:
- Nonpublic Cyber Incidents
Because most cyber-attacks and data breaches do not trigger mandatory notification rules, as with the vendor discussion above, it is important to understand whether the target has experienced broadly defined data “incidents” (e.g., ransomware, DDOS, data corruption/loss, theft of proprietary information or trade secrets) and the associated remediation strategy and results. Equally important is assessing any history of noncompliance fines or penalties that are not public, such as those involving the card brands and PCI. - Validating Publicly Made Representations
As discussed further below, what a company publicly says about cybersecurity in its privacy policy, terms of use, or even marketing materials is classic fodder for regulator and class action complaints. Opposing parties point to allegedly “deceptive” statements that customers and consumers relied on to their detriment. These are low-hanging fruit for enforcement cases and can be challenging to defend. - Reverse Vendor Management
Where the target is a service provider/vendor, the buyer should assess whether and how the target anticipates and addresses (including through contractual protections) its own customers’ compliance requirements. This is particularly important where the target’s customer base or data-types are highly regulated—e.g., financial services, healthcare, defense contracting, PCI/payment card data, children’s data, data subject to prescriptive rules such as the EU’s General Data Protection Regulation (GDPR).4
Read Tips from the Trenches: Make Your Company Less Attractive to Cyber Enforcement
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
1 Cybersecurity and the M&A Due Diligence Process: A 2016 NYSE Governance Services/Veracode Survey Report (2016), www.nyse.com/publicdocs/Cybersecurity_ and_the_M_and_A_Due_Diligence_Process.pdf.
2 Brunswick Insight, Brunswick Data Valuation rel="noopener noreferrer" Survey (Oct. 2016), www.brunswickgroup. com/media/2365/2016-brunswick-data-valuation-survey.pdf.
3 West Monroe Partners, Cybersecurity Issues in M&A Continue to Grow (White Paper 2018).
4 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119), 1.