Cyber Security Due Diligence in M&A Transactions

Tips for conducting a robust and meaningful process

January 4, 2016

Cybersecurity risks are not limited to consumer-facing businesses, whose recent losses of cardholder or patient data grab news headlines. Indeed, few businesses today have assets and liabilities that are not in some sense data-driven. For most business combinations, cybersecurity should be a risk category in its own right. Buyers should review not just historic breaches but also cybersecurity risk management. Even though these risks are hard to quantify, the analysis will inform deal terms, deal value and post-deal indemnity claims.

1. Get an early read on cyber readiness at the engagement stage.

Buyers should begin conducting cybersecurity risk assessments early in the engagement process, with the goal of clearly articulating as early as possible the target company’s most important information assets, systems and business processes. Every target business should be able to readily identify which information technology (IT) systems and data sets are most valuable to the business and explain at a high level how the company protects and exploits them.

2. Tailor diligence to what types of information are handled and how important information security is to the bottom line.

Using the information gleaned during the initial risk assessments, the buyer should tailor its diligence to the type of information being handled, the industry and how important information security is to the target’s bottom line. The buyer should directly probe whether the target’s management has a sophisticated understanding of potential cyber-related liabilities and the regulatory environment. Unlike environmental liabilities or traditional fire or natural disaster scenarios, cyberattack-related liabilities are multi-faceted and unique.

3. Check for integrated cyber risk awareness and mitigation and a comprehensive security management program.

Does the target’s management team have cross-functional awareness about cyber risk and their security program? If so, this is a sign of a mature security program. A security program will not be effective if it exists in a silo inside the information technology department. All substantial stakeholder departments should be involved in cybersecurity risk management.

4. Use subject matter experts to assess cyber readiness and liabilities.

In order to accurately assess cyber readiness and potential liabilities, buyers should assemble deal teams that include subject matter experts. The deal team should be nimble and focus on the specific industry, as cybersecurity risks are highly variable across sectors.

5. Ensure payment card industry compliance.

If the target accepts, processes, stores or handles cardholder payment data streams, buyers should pay special attention to compliance with the payment card industry data security standards (PCI DSS). When done correctly, PCI DSS compliance is costly and requires constant adaptation and optimization to new threats and standards.

6. Consider other risks.

Payment and card security are not the only risks to be concerned about. Theft of trade secrets, state-sponsored espionage and cyberattacks that cripple corporate networks can be just as damaging to a target business. Buyers should ask questions about any historical incidents in these areas and assess the target’s measures for preventing similar future breaches or attacks.

7. Consider cyber insurance.

Buyers should evaluate the extent to which cyber risks are mitigated by insurance coverage, including whether enhancements to the cyber program may be available post-closing. Most cyber insurance policies today cover the data breach and privacy crisis management expenses associated with complying with data breach notification laws. Those costs include the costs of expert legal, communications, and forensic advisors, benefits such as credit repair or monitoring to affected individuals, and even costs of responding to government investigations or paying fines.
In Conclusion

If there was ever an era when minimizing or commoditizing assessment of cybersecurity risks in the M&A space was sensible, that time has surely passed. Expertise in assessing data-driven risks should be embedded on the front end of every transaction and tracked throughout the deal, so that deal terms, deal value, and post-closing opportunities to strengthen security can be considered against a fully developed factual picture of the target company’s cyber readiness and exposure.