In a previous blog entry, we canvassed Canadian privacy legislation and offered businesses a cursory review of the issues that arise in the due diligence phase of a business transaction. Expanding on that, this entry is the first in a series of three blog entries concerning specific cybersecurity considerations in the M&A context. This entry will focus on cybersecurity due diligence considerations, while the entries that follow will respectively discuss cybersecurity considerations in definitive transaction agreements and cybersecurity insurance.
Cybersecurity Analysis: A Key Aspect of the Due Diligence Process
When one organization acquires another, it is also acquiring that other organization's liabilities and risks. In a data-driven economy, neglecting cybersecurity risks can prove to be costly. Security attacks can have an immediate adverse impact on the value of a target company.1 There are also costs associated with regulatory compliance following a data breach. For example, the new Digital Privacy Act ("DPA"), or Bill S-4, creates mandatory breach reporting to the Privacy Commissioner of Canada and affected individuals. The DPA implemented associated fines of up to $100,000 for failure to report or adequately document a breach. Finally, organizations risk being named as defendants in privacy breach lawsuits, such as class actions. In the recent case of Doe v Her Majesty The Queen, the Federal Court affirmed that class actions may be a potential venue for litigants to seek compensation for privacy breaches.2
Consider this nightmare scenario: shortly after closing, the valuation of an acquired company plummets as a result of a cybersecurity breach. Perhaps confidential client or employee information was compromised as a result of unauthorized access. Post-breach forensic analysis reveals that the harm could have been mitigated if the acquirer was aware of the vulnerabilities in the target's data access and protection policies and had taken appropriate steps in response at the outset of the deal.
A prospective acquirer can hedge against undiscovered vulnerabilities by conducting a thorough due diligence analysis of the target. The result of this analysis should reveal, among other things, the extent to which expenditures will be needed for the target company to meet industry cybersecurity standards and to implement other safeguards to mitigate risks. If such expenditures will be significant, this can affect the target's value in the context of the deal.
The following are some of the considerations a prospective acquirer should make in assessing the strengths and weaknesses of a target from a cybersecurity perspective.
Governance and Risk Assessment
The acquirer should assess whether the target has cybersecurity governance and risk assessment procedures that are up to par with industry standards. The acquirer should test and assess the target's cybersecurity network and review the cybersecurity governance policies of the target. It may be important to determine whether the target is periodically evaluating its own cybersecurity risks and whether its security system is tailored to the risks in its business and industry. For example, in acquiring a target, the acquirer would want to evaluate the target's cybersecurity governance policies with respect to employee technology usage to ensure that security breaches do not arise in the course of a business transaction as a result of the mismanagement of data by the target's employees.
The acquirer should strive to understand the extent to which the target has established incident response policies to address cybersecurity attacks and potential breaches. Targets may be particularly susceptible to the risk of a privacy breach from the failure to implement basic security controls to prevent unauthorized access to systems or information. The acquirer should review how the target controls access, manages data for security and authorization purposes, and monitors the movement of information that is being transferred outside of the organization. Additionally, the acquirer should understand the data, assets, and services from the target's organization that warrant the most protection to help mitigate the harm caused by cyberattacks.
Data breaches may result from vulnerabilities in the target's third party vendor platforms. To mitigate the risks of third party system vulnerabilities, the acquirer should extend its cybersecurity analysis to key third party partners, suppliers, and vendors. Additionally, the acquirer should evaluate how the target reviews vendor relationships in its risk assessment process. Indeed, the acquirer should ensure the target has an established plan which outlines the ongoing risk assessment processes of the target for third party vendors.
An acquirer should pay careful attention to the cybersecurity policies and practices of a target, particularly where that target has obtained and stores personal information from customers or subscribers. A proactive approach in conducting cybersecurity due diligence will assist the acquirer in spotting issues before they can become problems and can ensure that a target's policies and practices be brought up-to-date before completion of the acquisition.
In the next entry, we discuss some of the contractual provisions an acquirer can request in the definitive transaction agreement to hedge against any cybersecurity risks it assumes.
1. A pertinent example would be TripAdvisor, a company whose shares dropped 4% in September 2014 after news broke that Viator, a company it recently acquired, announced a major data breach. See Eduard Kovacs, "TripAdvisor's Viator Suffers Payment Card Data Breach, 1.4 Million Affected" Security Week (24 September 2014) online: Securityweek.com http://www.securityweek.com/tripadvisors-viator-suffers-payment-card-data-breach-14-million-affected.
2. Doe v Her Majesty The Queen, 2015 FC 916.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.