The importance of cybersecurity in M&A
With the development of IT in recent years, most companies have come to store their data in electronic form. This brings many benefits, namely more productive business operations and reduced costs. However, it also leaves that data more exposed to cyberattacks. Cyberattacks have become increasingly common, and their true number is unknown given how difficult they are to discover. Awareness of this risk must find its place in the due diligence process so that it can be given appropriate weight in the negotiation of a deal.
Cyberattacks in M&A deals
Cyberattacks made the headlines in 2013 when Neiman Marcus, a department store, suffered a cyberattack in which malware was injected into its customer payment-processing system. The attack compromised the data of about 350,000 customer payment cards.
The company was unaware of the malware for a period during which it entered into an M&A transaction to be acquired by another group. Throughout that period, neither Neiman Marcus nor its acquirers knew that the data had been compromised. Shortly after the acquisition was completed, several fraudulent uses of credit cards were discovered, which subsequently led to massive class-action claims against Neiman Marcus.
Although it is not the only such incident (Yahoo being another example), the Neiman Marcus cyberattack illustrates the growing need to assess a target company’s cyber vulnerabilities and the potential repercussions of incidents, not only to protect the target company but to protect the acquirer itself. Cybersecurity due diligence must become an integral part of M&A and, to be done properly, must begin at the earliest practicable stage of the transaction.
Cybersecurity due diligence
The scope of this area of due diligence will differ from case to case. Nevertheless, certain guidelines should be followed in order to carry out cybersecurity due diligence as thoroughly as possible. Doing so gives the acquirer an approximation of the actual condition of the target company’s digital assets: it reveals the cyber vulnerabilities of those assets, whether the target has adequately safeguarded and monitored control over them, and any record of cyber incidents that may have compromised them. This puts the acquirer in a position to fully protect its interests.
1. Initial assessment
Acquirers should first assess which data is important to the target company’s business and how the company processes it.
2. Internal protection
The target company should have internal rules and regulations on how to protect its digital assets. Acquirers should assess (i) whether such internal rules and regulations are appropriate and (ii) whether the target company has effectively implemented them (i.e. does it regularly train its employees? Are security measures in place? Is it aware of any instances of non-compliance?). It is very important to assess whether the target company is properly prepared to identify cyberattacks and to respond within the relevant timeframes.
3. External regulations
Where applicable, acquirers should assess the target company’s compliance with any external regulations governing cybersecurity.
4. Assessment of third-party relationships
Acquirers should investigate all (relevant/material) third-party relationships of the target company and assess whether the agreements with vendors, suppliers and contractors contain appropriate contractual protections ensuring that the third party handles the target company’s data properly and has appropriate IT security systems in place. Third-party contracts should also provide for contractual notification obligations and emergency response mechanisms, as well as audit rights allowing the target company to verify compliance with the foregoing.
5. Assessment of past security breaches
Most importantly, acquirers should confirm with the target company whether there have been any past security breaches and, if so, assess their scope and impact. In this regard, they should specifically assess:
- what data the attackers might have gained access to (did they read files, change permissions, or make copies of customer lists?);
- what data the attackers might have viewed and exfiltrated copies of;
- what data the attackers might have changed: did they modify data contained in certain files and, if so, what changes did they make?;
- what defences the attackers forced the target’s system to reveal (not knowing what the attackers have learned may leave a target far more vulnerable to future cyberattacks than the target, or an acquirer, may realize);
- whether the attackers gained entry by breaching a layer of the target’s system that did not have the same defences as other layers. Some layers of a target’s computer-network system may have fewer or different protections than others, and attackers can breach a system by entering through a layer that lacks the protections present at a higher or lower layer.
Finally, to protect the acquirer, cybersecurity risks should ultimately be addressed in the final and binding transaction documents. Acquirers should consider requesting representations and warranties, including on the absence of current and past security incidents, the implementation of and compliance with appropriate internal rules and regulations, compliance with applicable data protection and data/IT security laws, and the absence of disputes and investigations relating to cybersecurity and data breaches.
Additionally, acquirers should request indemnities for specific identified risks, such as pending litigation, or for risks of a general nature where they expect issues are likely to arise in the future, such as pre-closing taxes or, in some jurisdictions, environmental matters (concerning leaks that occurred prior to closing).
Cybersecurity Draft Act
In order to achieve a high level of cybersecurity and protect service providers, the Croatian Cybersecurity Draft Act requires key service operators (in sectors such as banking, rail transport and air traffic) and digital service providers (services such as online marketplaces, online search engines and cloud services) to take technical and organizational measures for risk management, measures to prevent and mitigate the effects of incidents on the security of their network and information systems, and measures for determining the risk of incidents and for preventing, detecting and resolving incidents and alleviating their impact. Providers should also notify the competent bodies of any such cybersecurity incident. Implementing these measures should mitigate cybersecurity risks and also serve as a source of information for the acquirer where a target company has suffered a cyberattack.