Guide to Cybersecurity Due Diligence in M&A Transactions

Edited by Thomas J. Smedinghoff and Roland L. Trope

American Bar Association, 272 pages, $89.95

On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield.  For an M&A acquirer, one prime risk is assessing the effectiveness of a target’s cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals.

With billions of M&A dollars at stake, there is a need to clear the windshield.  Thomas Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients’ high-value digital assets.

Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs.

As noted by in the book’s forward, M&A is customarily driven by monetary considerations, with financial due diligence receiving the most attention.  Operational due diligence is often harder to conduct, with the target’s “cyber status” typically being “the most mysterious.”

Throughout the book’s thirteen chapters, it explains how an acquirer can properly assess a target’s cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks.

Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author.

In his 2012 memoir, Donald Rumsfeld observed that decision-makers typically must contend with two types of unknowns: known unknowns and unknown unknowns.This observation also applies to cyber due diligence. The book assists M&A counsel to “capture both kinds of cybersecurity unknowns,” including: (1) “what the target knows and may be reluctant or slow to disclose” about “the quality of the target’s cybersecurity defenses and its experiences with cyber incidents”; and (2) “what the target does not know.”

Two main principles appear throughout the book. The first is that “acquirers should treat as a rebuttable presumption that a target’s high-value digital assets are increasingly at risk of becoming cyber-vulnerable assets.” The more renown a company’s brand and trove of digital assets, “the greater the probability that it will, or already has, become a victim of reconnaissance probes and damaging cyber attacks.”

The second principle is based on a National Institute of Standards & Technology (NIST) observation that there is no cybersecurity system “that can be engineered to be perfectly secure or absolutely trustworthy.” This is because sophisticated intruder technologies typically outpace the defenses, which often employ “trailing-edge technologies” in discovering vulnerabilities, closing defense gaps, detecting intrusions, identifying what has been accessed, realizing what has been done to it and understanding “what awful things may happen at a time and place of the cyber intruder’s choosing.”

One of the best parts of the book is a chapter entitled “Evaluation of Internal Cybersecurity Program,” written by Stuart Levi.  The author observes that the “strength of a cybersecurity program depends in large part on the ‘buy-in’ and role of senior management in overseeing the program.”

Citing the NIST Cybersecurity Framework, Levi explains that senior management does not need to master “the minutiae of how a firewall works or why one type of intrusion detection software was selected over another[,]” but “must understand each component of a company’s cyber-risk exposure and how it was addressed.”

Regarding the role of the board of directors, Levi writes that they do not need a “deep-level understanding of the company’s technology solution,” but members should receive “regular reports of the company’s cybersecurity profile, the steps the company is taking to address the issue, any issues that have arisen since the last report, and how decisions are made.”

Levi suggests that attorneys who conduct M&A due diligence should seek material that reveals how the target’s security program has actually performed. In addition to asking “for examples of key cybersecurity decisions that were made over the last two years,” M&A counsel should also ask to review “any cybersecurity reports that have been given to the board.”

Another strength of the Levi chapter is the author’s ability to articulate the manner in which M&A counsel can, with a “critical eye,” spot the pertinent issues and ask the probing questions about a target’s cyber exposures.

According to Levi, a good place to start a review is to ask whether “a written information security program exist[s] and, if so, when was it developed, and how (if at all) is it regularly updated?” The author notes that it is important for M&A counsel to understand “how the program was first developed[.]”  Effective security programs tend to be those “developed by a cross-disciplinary team” that includes stakeholders from the IT department, risk management department, and leaders from the relevant business units. Programs developed by the IT department in a vacuum tend to be less effective.

Other critical areas upon which Levi focuses include: (1) identifying the persons responsible for daily management of the target’s cybersecurity program; (2) analyzing how they make decisions; (3) reviewing program compliance with legal requirements and regulatory standards; (4) discerning whether the program is risk-based and tailored to the target’s business; (5) probing the program’s resilience; (6) understanding the program’s implementation and updates; (7) assessing the security capabilities with the target’s vendors and third-party providers; (8) researching the target’s public pronouncements about its cybersecurity program; and (9) evaluating the appropriateness of the insured’s incident response plan.

More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target’s cybersecurity risk, this book helps control the fire.

Jeffrey Winn is a management liability attorney with Chubb, a global insurer, and a member of the executive committee of the New York City Bar Association.