Large, highly publicized cybersecurity events have become so commonplace that each month seems to bring news of another major attack, and no one seems to be immune. PwC’s survey of approximately 10,000 companies worldwide bears this out: those companies reported an average of 4,782 cybersecurity incidents apiece in 2016, with more than 200 organizations reporting over 100,000 incidents. PwC, 2017 Global State of Information Security Survey. A security incident, for these purposes, is any adverse event that threatens some aspect of computer security. So common are these attacks that they have become a regular part of board conversations, and where those conversations are not yet happening, regulators like New York’s Department of Financial Services and groups like the National Association of Insurance Commissioners are crafting requirements for them to occur. See 23 NYCRR 500.04 (requiring annual board reporting by the Chief Information Security Officer); National Association of Insurance Commissioners, Preliminary Working and Discussion Draft, Insurance Data Security Model Law § 4(E) (requiring board oversight of the Information Security Program).
Yet, despite the prevalence of cybersecurity attacks and their impact on business activity, shareholder value, and board and executive management, cybersecurity due diligence remains a relatively secondary consideration in deal transactions. This is despite the fact that, in one survey, 82% of respondents said that over the course of 2016 they placed greater emphasis on the cybersecurity policies and practices of target companies. Morrison & Foerster, 2016 M&A Semi-Annual Leaders Survey, at 4. And of those who did perform cyber due diligence, 70% reported uncovering compliance problems, while a full third found the target vulnerable to insider attacks, among the most common and pernicious types of cyber attack. West Monroe, Testing the Defenses: Cybersecurity Due Diligence in M&A, at 9 (July 12, 2016).
Given the number and significance of publicly disclosed cybersecurity events, which represent just a fraction of the events that occur each year, acquisitive companies simply cannot ignore the risk that a target’s cybersecurity exposure presents to the value of a deal. Similarly, companies looking to market themselves or divest a portion of their business need to understand their own cyber risk to reduce the chance of a mid-deal, or even post-deal, breach. As cybersecurity practitioners, we regularly assist companies engaged in M&A and, through that work, have personally observed how performing cyber due diligence shapes both the decision to undertake a deal and the terms of the ultimate agreement.
The Importance of Cyber Due Diligence
Cyber risk differs from many other aspects of a transaction in that cyber events tend to go unnoticed for months, if not years, so traditional protections like representations and warranties can prove illusory. The parties may hold a good faith belief throughout the transaction that all is well when, in fact, a significant negative event lies just beneath the surface. As a result, a purchaser can easily overvalue the target’s assets, such as intellectual property or brand value, because an undiscovered attack has already compromised them. At the same time, the target’s liabilities may be underestimated because, as happened this year in a large technology transaction, an undiscovered event can create substantial litigation and regulatory costs. When an attack is finally discovered, prior warranties may prove cold comfort unless carefully crafted (for example, with a survival period long enough to cover the typical gap between compromise and discovery). And even then, they may provide little protection from the costs of the litigation and reputational harm that follow a failed transaction.
Even on the sell side, performing cyber due diligence is important to ensuring deal value. An understanding of where your vulnerabilities lie is critical to deciding what warranties you can make and what work you need to do in advance of a spinoff or sale in order to make the company attractive and limit your post-deal exposure. If you don’t undertake cyber due diligence before a divestiture, you may find yourself having expended significant resources in a deal that ultimately falls through when a breach is uncovered.
Finally, even for targets that have not suffered a major event, the disclosure that a deal is being considered significantly raises the company’s risk profile. Employees who fear losing their jobs may steal intellectual property to take to a competitor, and attackers looking for a way into the acquirer’s systems may target the company in the hope of riding along when the two environments are connected during integration. Thus, vigilance during the transaction period is critical, including monitoring for bulk data movement by departing staff and for new external access to the target’s environment.
Assessing the Risk
While the need for cyber due diligence is clear, actually performing that examination can prove challenging. The M&A process provides little time to assess a company’s cybersecurity posture and, in many cases, such as at auction, access to the target is limited. Nonetheless, a well-planned strategy or a risk-based playbook for cyber due diligence can help an organization understand the risks involved and their likely impact.
- Start by understanding the drivers and inherent risks underlying the transaction. Not all deals are the same, nor do they all require the same level of diligence. The threat landscape changes based on, among other things, the value sought from the transaction, the risk to the acquirer’s reputation, the size of the transaction, and the geographic location of the target. Understanding the deal and the bad actors that might target it is essential to making the most of the limited pre-deal time you have.
- Focus your pre-deal resources on what you can meaningfully evaluate. The easiest areas to examine are the target’s policies and procedures, prior assessment reports, and public reports of cyber events. But even where you do not have access to these records and there are no publicly reported attacks, there are other ways to evaluate a target. For instance, employee credentials, internal communications, or product design documents turning up on the internet (in published breach dumps, paste sites, or public code repositories, for example) may be evidence that a breach has occurred. Treat such findings as leads rather than conclusions: a corporate e-mail address in a third-party breach dump may reflect password reuse on an unrelated site rather than a compromise of the target itself, so confirm the source before drawing conclusions about the target.
- Keep your eye on the value you seek to achieve. If you are acquiring intellectual property, examine, for instance, the target’s policies for protecting its R&D infrastructure and the other places where trade secrets reside, remembering that insiders may be your biggest risk. If the customer base is what matters, understand what data the target collects and how it protects that data. No organization can completely protect itself, so focus on the assets you actually need and ensure they are protected.
- Higher-risk transactions require greater diligence. Just as you would pay closer attention to corruption risk for transactions in certain countries, take a deeper dive where factors such as geography, history, or size suggest higher cyber risk. Third parties, or even your own information security group, can probe the target for undiscovered vulnerabilities through penetration testing or “red teaming” ethical hacking, but only with the target’s written consent and an agreed scope, since testing without authorization may itself be unlawful and can disrupt the target’s operations.
- Cyber due diligence does not end at closing. Your greatest access, and therefore your greatest insight, comes after closing. Depending on the risks uncovered pre-deal, consider conducting a compromise assessment of the target’s systems, that is, a review of its endpoints, logs, and network traffic for signs of an existing intrusion, before connecting them to your environment. An attacker already present in the target’s network otherwise gains a foothold in yours the moment the networks are joined.
Cyber Is an Essential Part of Your Deals Strategy
It is commonplace for organizations that engage in regular M&A to have a strategy, often in the form of a cyber M&A playbook, that evaluates potential acquisitions not only for their value but for the risk they bring to the company. The playbook defines actions for the deal team to consider across the deal life-cycle. In today’s world, where it is almost trite to say that it is not a question of if but when a company will be attacked, cyber needs to be part of that strategy. Think about not only what you hope to gain from the transaction, but how cyber attackers might exploit it (or, worse, might already have compromised the target). And, as is becoming necessary in all areas of governance, bring cyber expertise to the table before you complete a purchase. Leverage your in-house information security team and experienced third parties to ensure that, whatever you set your sights on, you go into it with eyes wide open.
Mike Cunning is a managing director in PwC’s cybersecurity and privacy practice. Douglas B. Bloom, former Assistant U.S. Attorney for the Southern District of New York, is a director of the firm’s cybercrime and incident response practice and financial crimes unit.