Cyber risks are increasing, and as a result, due diligence inquiries and valuations are increasingly focusing on the cybersecurity and privacy risks inherent in a business’s collection, use, retention and disposal of data. Likewise, a business’s information security posture and its vulnerability to cyberattacks have become key concerns in corporate due diligence. Liabilities and assets are no longer limited to a company’s books; the data a company possesses, and its ability to safeguard that data, now carry far wider implications.
Why Is Cybersecurity Due Diligence Important?
Cybersecurity has become front and center for businesses and a top concern for company executives, boards of directors and investors. Ransomware attacks, loss of company data, business interruptions, data breaches, and damage to critical technical infrastructure (all consequences of a cyberattack) rank among the highest costs to businesses today.
Technology is used in almost every industry sector, and a business’s reliance on that technology, and its use of data, has become a guide to the inherent risks the business may present during and after closing. Yet, according to some studies, less than 10% of deals globally include cybersecurity due diligence. Traditionally, cyber has not been considered material enough to make the pre-deal due diligence checklist and was often left to post-deal review and remediation. Dealmakers also mistakenly assume that intellectual property or IT reviews cover cybersecurity, but they do not.
One only has to look at the 2018 Marriott breach to understand the importance of cybersecurity due diligence. While the technical details are unclear, we do know that Marriott purchased Starwood in 2016 and that two years later Marriott suffered a data breach, which revealed that Starwood’s systems had been infiltrated by a threat actor as early as 2014, at least two years before the merger.
What Should Cybersecurity Due Diligence Look Like?
Every company will have specific risks, and due diligence inquiries should be tailored to that particular business. In general, however, I typically see five main areas of due diligence on data privacy and information security that most mergers and acquisitions should focus on.
Networks and Systems
[Note that this section may not be applicable if the underlying IT networks, systems, or databases are not part of the acquisition.]
Any time the buyer is acquiring technology that will be integrated post-closing, there is a risk of unforeseen cyberattacks. Due diligence should focus on identifying dormant threats in the acquired infrastructure and implementing effective mechanisms for mitigating those threats. It is also important to note that during the M&A process, IT resources may be overburdened as they try to integrate technology between entities. This can lead to extended periods in which IT changes go unmanaged, and to a failure to properly address threats, apply security patches, or monitor threat activity, which in turn can create a significant attack vector.
It is important to identify IT assets, systems, software, websites and applications, whether proprietary or third party, and how company data or personal information (PI) is stored or processed. Additionally, for businesses that collect, store or process non-U.S. (workforce, customer, or consumer) data, it is important to understand if that data is exported to personnel or servers (including servers of the company’s service providers) located in other jurisdictions. Various legal regulations, such as GDPR, may be implicated and could affect whether and how data can be transferred post-merger.
Understanding the underlying technical infrastructure of the target company provides a clearer picture of the risks involved in acquiring its networks, servers, and other technical systems, and can make the difference in whether those become assets or liabilities post-merger. Questions that should be part of any due diligence checklist relating to networks and systems include:
- Is there documentation or information that can be provided about the seller’s network and system architecture and data flows, including the use of cloud providers and third-party applications?
- Do any of the target company’s systems store any individual personal information (any information that can be identified with a particular person) or sensitive personal information (such as Social Security numbers, driver’s license numbers, credit or debit card numbers, health information, or usernames and passwords)?
- If yes, what are the security controls in place to protect this type of information (MFA, access controls, etc.)?
- Does the seller use on-premises servers or cloud storage to store sensitive personal information?
- Does the seller use any legacy applications or providers for critical functions that are subject to long-term contracts or that would be difficult to port to an alternative platform?
Similarly, specific cybersecurity questions should be posed to determine how mature the target’s cybersecurity program is. Examples of relevant questions include:
- What are the types of privacy/cybersecurity risks that the target company faces given its industry sector, geographic reach, and the nature of the products or services that it manufactures, develops, or provides?
- Has the target company conducted any privacy impact assessments, vulnerability scans, penetration tests, SOC audits, or similar reviews in the last 24 months?
- Has the target company experienced any cybersecurity events, including data breaches or ransomware attacks, and how did it respond to such events?
- Does the target company have any internal reports or reports from external forensics or law firms relating to any cybersecurity events or any other evaluation, impact assessment or questionnaire?
- Does the target company have a written information security program/policy, business continuity plan, or incident response plan? If so, please provide a copy of the plan(s).
Legal Obligations—Information Security
Identifying the applicable privacy and data security regulations and legal obligations is also an important part of the due diligence process. For example, does U.S. state privacy law apply (such as the CCPA, which contains a private right of action for a data breach), or does international privacy law apply (such as the GDPR, where a data breach could cost 4% of global revenue)? Similarly, does the target company use or process health data? Understanding the legal obligations that apply to the target company informs the buyer of the potential risks and financial fallout from a failure to comply with data security obligations.
Data Collection and Processing Practices
Another area of inquiry during cybersecurity due diligence focuses on the types of data collected, how that data is processed, and whether sensitive personal data is stored by the target company. Not all data is created equal: certain types of data pose a greater risk than others if compromised in a security incident. For instance, biometric data or children’s data may pose additional risks. How long the target company keeps this type of data may also inform the buyer about the potential risks involved. Here are a few typical questions relating to the target company’s data collection:
- What categories of any personally identifiable information are collected, used, stored, transferred or otherwise processed by or on behalf of the target company?
- Does the target company have a data retention and deletion program?
- Does the target company collect any biometric information from its customers or from its employees?
- Does the target company collect data of children under the age of 13 (or age 16 in some instances)?
- Will the buyer need to obtain any consents to use personal or private information of the seller post-closing?
Data Incidents and Complaints
Finally, understanding any previous data incidents, breaches, or regulatory inquiries is critical in calculating pre-closing risks relating to the compromise of the target company’s systems and data. For example, the target company should be able to address:
- Any incidents of unauthorized access to, or misuse, modification, exfiltration or disruption of, the target company’s information systems or proprietary technology systems, including any data stored on such systems or elsewhere, and whether such matters have been remediated.
- Whether the target company has assessed its data breach notification obligations and whether the company has ever reported a data privacy incident to any regulator, governmental agency or other third party.
Cybersecurity is not going away, nor are the risks associated with the use of technology in today’s world. As companies consider the value of acquiring or merging with other businesses, it will remain imperative to conduct specific due diligence on those cyber risks.
Republished with permission. This article, "How Not to Make a Deal: 5 Key Cybersecurity Concerns in M&A," was published by Law.com in The Legal Intelligencer on July 12, 2022.