The prospect of a cyber-attack is scary business. So scary in fact, that the government ranks it as a Tier 1 threat; alongside terrorism, war and natural disasters.
The constant flow of headline news about cyber-attacks, if nothing else, serves as a stark reminder that the value of any business is fragile and can be significantly compromised by data infringement. It has recently emerged that TalkTalk’s pre-tax profits more than halved in the 12 months to 31 March 2016 due to exceptional items of £83m resulting from the well-publicised cyber-attack it suffered in October 2015. Along with financial losses, a breach of cyber-security can also significantly damage a business’ reputation (TalkTalk lost 101,000 customers in the third quarter of last year) and can put businesses in the firing line for regulatory sanctions.
But in M&A due diligence (DD), are buyers being diligent enough about this fast-evolving “super-risk”?
Cyber-threats come from a wide variety of sources and for buyers, undertaking a comprehensive due diligence process, tailored to this specific high-risk category is key.
Due diligence is key
The aim of DD is to really get to know the business; unearthing issues which could give rise to potential liabilities or otherwise undermine the value of the target. While legal DD questionnaires typically contain specific enquiries relating to data protection and computer systems, these questions are not specifically designed around cyber-security and are unlikely to elicit the targeted responses and information required to properly evaluate such a unique and multi-faceted category of risk.
Buyers must bring cyber-security to the table early on in the M&A process. They should appoint the right team (internal and/or external depending on the nature of the target and the types of information it holds) to ask and respond to a bespoke set of well-thought-out cyber-security DD enquiries. These might include questions such as though included in the box-out.
Sellers should be well prepared to respond to enquiries like these and be able to present a sophisticated response, giving cyber-security issues more than just ideological lip-service, highlighting the operational reality of a (hopefully) mature risk management strategy.
Go beyond technology
Buyers’ further DD enquiries should probe deeper around the key types of information held and used in the target business and (drawing also on the wider set of replies to commercial enquiries) around contracts and business relationships. Only then will it be possible to start quantifying the cyber-risks. It can help to profile the risk into the following categories and to remember that cyber-governance is not just about technology:
- Technical – does the business protect its data through the use of technologies and software? Does it use malware protection/ data encryption/ firewalls/ third-party security providers/ advanced technologies such as biometric profiling (? Does, or should, the incident response procedure provide for complete data lockdown internally in response to significant threats?
- Commercial – what commercial contracts does the business have in place with third parties? What level of control, privacy and cyber-security is applied to data shared? Are the contractual responsibilities for preventing and dealing with cyber-attacks clear and sufficient? Are data security risks in the target’s commercial contracts mitigated through the use of indemnities, breach notification and cooperation procedures and/or insurance coverage? Would the disruption caused by a cyber-infringement prevent the target from fulfilling its express or implied contractual obligations to any third party (such as an obligation to maintain adequate and functioning IT services)? Do the contracts include force majeure clauses which specifically contemplate a failure to perform as a consequence of a cyber-security infringement?
- Internal – Does the business protect data through employment contracts and training (from top down)? Are the policies and procedures implemented effectively and consistently across departments and regions? Is data security heightened at ‘pinch-points’ such as during employee notice periods and is proprietary data adequately protected when employees leave? What internal network security measures are in place (for example, website monitoring and blocking, restriction of external data devices such as USB sticks which could introduce viruses / malware)?
- Advisers – what standards of security are applied to data shared between the business and its lawyers, financial advisers, accountants, financial PR etc.? Do they have adequate systems and policies in place?
Buyers can gauge a lot from the standard of the responses received from the sellers. Whilst the inability of a management team to accurately and effectively summarise their cyber-security processes and procedures will not necessarily mean that there are inadequate procedures in place, it will be an indication to buyers that management are not ‘on board’ with the concept of cyber-security as a significant risk. This issue must be a board-room focus, and if it is not, buyers are likely, at the very least, to require specific warranties and/or indemnities in the sale and purchase agreement to help mitigate the risk of any future cyber-infringement costs.
Sellers are under no obligation to reveal details of past, current or likely future cyber-infringements, however, if they fail to fully disclose such information against any relevant warranty statements in the sale and purchase agreement, they run the risk of a potentially extortionate claim post completion should details of such infringements emerge.
Short-cuts can be costly
Formulating a comprehensive cyber-risk profile is by no means an easy task, but full and careful analysis of the cyber-security systems, processes and past-history of a target business at the DD stage can, and more often than not will, significantly influence deal terms and negotiations and might conceivably go to price. Given a deal may even be abandoned if cyber-security breaches are identified during deal DD or mid-transaction stages, light-touch DD is no longer an option.
12 KEY CYBER-SECURITY QUSTIONS TO ASK IN DD
- What types of data does the business hold? Particular attention should be paid to cardholder data (retail businesses), intellectual property, financial data, personal data (including sensitive personal data), regulated information, and commercially sensitive information.
- Who / where does the data come from?
- What are the critical data sets for the business?
- How does the company store, protect and exploit the data?
- What are the biggest threat(s) to the business’ data, systems and/or networks?
- Does the business have a breach management plan in place and an incident response and disaster recovery capability? Has this been correlated to business need, taking into account critical recovery points and time-scales?
- What budget is assigned to cyber-governance?
- What past cyber-security breaches has the business suffered and what were the lessons learned?
- How can vulnerabilities or irregularities be reported by consumers / customers / employees / members of the public?
- Does the business use cloud-based or software-as-a-service solutions (whereby software is licensed on a subscription basis and is centrally hosted)? If so, how are security and compliance risks managed in relation to these in particular?
- Does the business issue mobile devices and permit remote access to data? If so, does the business have specific policies and procedures in place to protect sensitive data in this environment?
- Does the business process, handle or store cardholder payment data? If so how is it secured?
By Claire Miller, PSL first published in Gamechangers Magazine (p107-109), August 2016: https://issuu.com/smartwave/docs/gamechangers_five_sixteen/106