In today's technology-driven business world, organizations are more vulnerable than ever to cybersecurity threats such as data and privacy breaches. As a result, in the context of M&A transactions, assessing the cybersecurity posture of a target entity has become a key due diligence consideration for buyers. Depending on the target's operations and the industry in which it operates, the level of cybersecurity due diligence may vary. As a starting point, we outline below five key cybersecurity considerations when it comes to evaluating a target entity's overall cybersecurity posture.
1. COMPLIANCE WITH PRIVACY AND DATA PROTECTION LAWS
In recent years, not only has there been a proliferation of privacy and data protection laws (domestically and globally), but we have seen regulators engaging in greater enforcement. With this backdrop, a due diligence exercise should first determine which laws apply to the target and, where necessary, challenge why the target has determined that a specific law does or does not apply to it. It is not uncommon that given the number and complexity of privacy and data protection laws, a target may not know that it is subject to certain laws that have extraterritorial reach (e.g., the EU's General Data Protection Regulation applying to certain Canadian businesses that do not have a brick and mortar location in the EU).
Having established a baseline of what laws apply to the target, the buyer can then undertake a compliance assessment. This may include, for example, ascertaining whether the target's breach notification protocols meet Canadian, U.S. or EU requirements or whether it maintains a breach of security safeguards registry, as required under the Personal Information Protection and Electronic Documents Act. Deficiencies at this stage are often indicators of potential broader compliance issues not just limited to privacy or data protection.
Another key item at the due diligence level is determining whether there are any threatened or active regulatory investigations (or litigation) and their scope. With increased enforcement action, regulatory investigations are not only highly disruptive but can be costly both in terms of defence and potential fines and penalties.
2. TECHNICAL SAFEGUARDS
Understanding the target's IT infrastructure, how it is built and maintained is one of the most critical yet difficult items to assess during the due diligence process. This assessment should include a clear understanding of how the target manages its cybersecurity. For example, does it have dedicated staff responsible for security or is it outsourced to a service provider? Does the target conduct regular vulnerability assessments or penetration testing of key applications? Does the target maintain any security-related certifications, such as ISO 27001? Where possible, it is important to obtain and review the underlying documents such as reports, certification certificates, etc.
Buyers should ask about the target's security policies, such as application patching policies, cyber incident response plans, etc. Additionally, they should ask whether the target has been victim of a material cybersecurity incident in the past 24 months and if so, attempt to understand what happened, the source of the incident and whether the core issue was subsequently appropriately addressed. In some instances, it may be worth having a third-party cybersecurity firm conduct a vulnerability assessment to ensure that there are no current technical concerns about the target's IT security.
3. CONTRACTUAL OBLIGATIONS
A review of the material commercial agreements between the target and third parties (both with vendors and customers) should be conducted in order to establish the contractual obligations related to cybersecurity to which it is bound. In the case of vendors, special attention should be given to sections dealing with access to, or transfer of, proprietary data to the vendor. Similarly, agreements with key customers should be reviewed with the goal of understanding the target's obligations for notification of a cybersecurity incident and potential indemnification rights of the customer. Careful review of any provisions granting a right to claim damages or terminate the agreement in the event of a cybersecurity incident should also be reviewed, which are all very relevant considerations for an acquiring entity.
A review of these upstream and downstream obligations will give the buyer a better understanding of how cybersecurity is not only approached by the target when it comes to suppliers, but what types of obligations it has agreed to with customers.
4. EMPLOYEE CYBER HYGIENE
While cybersecurity incidents are often technical in nature, "hackers" will often use methods, such as phishing attacks and social engineering – each designed to trick employees into doing something (e.g., clicking on a link or changing banking information). Therefore, it's prudent for the starting point to be a review of the target's approach to employee cyber hygiene training. For example, does the target regularly train staff on best practices? Does the target conduct internal phishing campaigns to identify employees who are not following protocols?
Employee policies, such as acceptable use of mobile phones and laptops as well as employee training programs relating to data handling practices and cybersecurity awareness, are also relevant indicators of an organization's cybersecurity posture in that many cybersecurity incidents are the result of employees who mistakenly install malicious software as a result of increasingly sophisticated attacks (e.g., phishing campaigns and social engineering). Employees who have undergone robust employee cybersecurity training and awareness may be less likely to fall victim to certain type of attacks.
Additionally, it is important to review the target's standard employment agreements for any provisions relating to how employees are required to handle confidential and proprietary information.
5. CYBER INSURANCE
While cyber insurance should only be viewed as a risk allocation tool (not as cybersecurity in and of itself), it is often an indicator that the target has, prior to obtaining insurance, implemented a minimum level of best practices. Obtaining insurance typically requires completing a questionnaire that outlines the organization's technical, administrative and physical safeguards.
Additionally, the type of insurance policy obtained by the target entity may illustrate what the target has identified as likely cyber risks and the potential impact they can have on its business operations.
Increasingly, cybersecurity due diligence is becoming an important part of M&A transactions. Given the potential financial repercussions, loss of productivity, as well as reputational harm that can come with a large-scale cybersecurity incident, it is important for any potential acquirer to understand the target's cybersecurity posture as part of the overall transaction risk. The scale and depth of the cybersecurity due diligence review will depend on several factors, such as the nature of the target's operations, the legislative and regulatory requirements to which it is subject, and the size of the transaction. Ultimately, a comprehensive cybersecurity due diligence review will mitigate deal risk in an important way.
This article is the third instalment in a series examining how businesses can stay vigilant, resilient and secure, as part of Cybersecurity Awareness Month. The next article in the series will explore trends in cybersecurity litigation.
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2019 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.