The cyber resilience of companies and their history of data breaches is increasingly having a significant impact on the headline price, post-completion deal value and risk-allocation profile of M&A transactions. With the notifiable data-breach scheme and the GDPR taking effect earlier this year, there is increased pressure on M&A participants on both sides of the table to accurately assess data security risks in order to avoid significant value erosion. This article provides a practical guide to help buyers and sellers decrease risk and maximise value in relevant transactions.
- Data has become a key asset of most, if not all, companies, meaning the assessment of cybersecurity risks is now a fundamental aspect of overall risk-management strategy. These risks are not limited to consumer-facing businesses that handle large volumes of personal information – they are equally applicable to organisations with trade secrets and confidential information, or that are heavily reliant on critical IT systems. An assessment of cybersecurity risks should, therefore, form an integral part of due diligence for parties to an M&A transaction.
- As cybersecurity risks become a growing concern for companies, buyers are becoming better equipped to scrutinise the cybersecurity vulnerabilities and failings of a target company. Sellers therefore have a vested interest in ensuring there are adequate systems in place to manage those risks to maximise deal value and minimise post-completion complications.
- It is also essential that buyers fully understand the cyber resilience of a target, including both its history of data breaches and its cybersecurity governance arrangements and management. The significant, ongoing risks to which buyers may become exposed from cyber incidents and data breaches range from cost-related effects to reputational damage.
- Tips for sellers. To make a target more attractive to potential buyers, to reduce time and costs and to maximise sale price, sellers should ensure they have a mature cybersecurity posture, as well as robust systems in place to manage cybersecurity risks. Sellers should demonstrate a sophisticated understanding of the risks facing the target, and be prepared to discuss the occurrence of any previous and ongoing cybersecurity incidents and data breaches and how they were handled.
- Tips for buyers. Buyers should adequately review how a target uses data, its approach to cybersecurity (both internally and within its supply chain), and the occurrence and management of any cybersecurity incidents and data breaches.
Why is it important?
Despite the forensic examination of a target that usually accompanies a transformative M&A transaction, M&A participants remain prone to being caught out by the costly effects of cybersecurity failings.
According to a NYSE Governance Services/Veracode Survey Report, 85% of public company directors and officers surveyed said that the discovery of major vulnerabilities during the audit of an acquisition target's software assets would 'likely' or 'very likely' affect their final decision to acquire a business. One out of five directors surveyed said the occurrence of a high-profile data breach at an acquisition target would deter them from completing the transaction altogether, and more than half said that, while they might not be completely deterred, it would significantly lower the valuation.[1]
The impact of a data breach on headline price and deal value, even after deal terms have been agreed, was highlighted after Yahoo revealed in October 2017 that it had been successfully breached on a number of occasions between 2013 and 2016, affecting all 3 billion of its user accounts. This disclosure led to a US$350 million reduction in the proposed consideration paid by Verizon for Yahoo's internet business, a reduction that came some seven months after deal terms were initially struck.[2] For more information on the Yahoo data breach, please see Spotlight: Cyber breach at Yahoo and Yahoo continues to pay the price for its 2014 data breach.
In addition to leakage of value through a reduction in sale price, there is also a risk of post-execution value being stripped through expensive warranty claims being made by buyers if sellers don't make adequate disclosures regarding their cybersecurity practices and systems.
Tips for Sellers
- Know your crown jewels – Sellers should be able to identify critical systems, data sets (including particularly sensitive or confidential data) and how they are protected (in transit and at rest) and exploited.
- Your risks and risk tolerance – Demonstrate a sophisticated understanding of cybersecurity risks and their potential impact on the business. This should not only cover information-security risk but also the risk of business interruption in the event that critical systems are unable to function as usual.
- Costs – Be prepared to account for your cybersecurity budget and the financial resources that are applied to data and systems security in the context of your overall risk appetite, your approach to risk containment and your industry.
- Evidence your cybersecurity governance arrangements – Demonstrate that you have implemented a mature and comprehensive cybersecurity risk-management program by documenting both your data breach and/or cyber incident response and recovery plans, as well as your testing of and compliance with those plans.
- Demonstrate a culture of cyber awareness across your business – Demonstrate a robust approach to cybersecurity by showing that your cybersecurity program is well integrated into senior management (with oversight from, and a process for escalation to, the board where appropriate) and by involving key personnel from all departments in your approach to cybersecurity risk management. Be prepared to explain your cyber-awareness training program for employees, contractors and vendors. For more on creating a culture of cyber awareness, see The walking dread – fostering cyber awareness in the age of killer viruses.
- Third party arrangements – Ensure that your third-party agreements involving data exchange or access to data or critical infrastructure contemplate breach notification procedures, information sharing, and allocate incident assessment and notification responsibilities. For more on protecting your perimeter, see How to create a cyber resilient supply chain.
- Your past – Be prepared to discuss any previous or ongoing cybersecurity incidents, and be willing to divulge information, such as the impact on the business, how long it took to discover the incident, how it was managed, what data was affected, any information known about the attacker/s and engagement with law enforcement and regulators.
Why is it important?
Beyond the deal, buyers need to be cognisant of their ongoing responsibility for breaches suffered by targets, even if the breach occurred prior to completion. Ongoing liability for past breaches can have a significant and lasting impact on acquiring entities. Losses may include the costs of remedial action, penalties and reputational damage. Taking some recent examples:
- Verizon & Yahoo – Again, the Verizon/Yahoo deal highlighted the potential for massive ongoing remediation costs, a reality that was not lost on Verizon. The renegotiated sale terms included an agreement from Yahoo that it would stomach a joint share of any future legal costs, as well as the cost of reparations arising from the breach.[3] Verizon will remain responsible for 50% of these costs.
- Telstra & Pacnet – Headaches were also caused for Telstra in 2015 after it acquired Pacnet Limited for US$697 million. A month after deal completion,[4] Telstra was informed that its new subsidiary had fallen victim to a data breach two weeks prior to completion. In this instance, hackers gained access to Pacnet's corporate network (including emails), affecting thousands of customers including the Australian Federal Police, the Department of Foreign Affairs and Trade and other government agencies. Swift remedial action had to be taken by Telstra to contain the breach. Breaches like this highlight the potential for a perceived reduction in confidence in a buyer's own IT security systems, and serve as a reminder of the need to document a robust warranty package and appropriate indemnities where risks are able to be identified.
Given the potentially significant ramifications a data breach can have in an acquisition or merger context, buyers need to become accustomed to assessing data security risk in the same way that they analyse other business risks. If a buyer was looking to acquire an asset in the manufacturing sector, it would be remiss not to conduct a thorough environmental impact assessment and to diligence licensing arrangements at manufacturing sites. In the same way, data security risks should be treated as a risk category in their own right and diligenced accordingly.
In order for this to happen, there needs to be a cultural shift towards the recognition of data security as a significant threat to transaction value and deliverability. It is also important for buyers to be conscious of these risks in sectors that are not traditionally considered to be technology or data driven – data management and security issues can be just as significant in the retail, healthcare, finance and defence sectors as they are in the technology and telecommunications sectors.
Tips for Buyers
- Review historic breaches and cyber-risk management processes. Evaluate assurances around historical data breaches and query whether they reflect operational reality.
- Consider whether the overall approach to cybersecurity is appropriate according to the industry the seller operates in, as this will impact the kinds of risks the seller and the target are exposed to.
- Understand how valuable data is to the business and how the target exploits and secures it. Consider how the information is shared, who has access to it and whether the target obtained valid consents for the data it currently exploits. Additional consents may be required for the buyer to continue to exploit the information post-completion.
- Understand where data is stored and whether that location is viable for the buyer. This is particularly significant in a GDPR context, as transferring personal data outside the EU on the basis of consent requires that consent to be explicit.
- Undertake privacy and security reviews. In addition to a review of the target's privacy policies and data breach/cyber incident response and recovery plans, buyers should undertake:
  - technical risk assessments, perhaps conducted by external IT service providers, to verify the security of systems;
  - historical compliance checks to evidence how any breaches were detected and managed previously and what incident response procedures were in place. A strong warranty package should assist in weeding out any prior indiscretions, but buyers should not rely solely on the disclosure exercise to highlight all relevant incidents;
  - supply chain risk assessments and review of supply agreements (including, in particular, agreements with cloud service providers) to ensure they adequately protect a target's data; and
  - assessments to identify risks the target might not even realise that it has (eg unpatched vulnerabilities in old or forgotten applications).
- Examine the results of formal industry audits (eg a PCI audit, ISO 27001 assessment or some other security compliance process) and other cybersecurity audits/reports to evaluate any issues or gaps that have been identified, and investigate whether and how the business responded to any recommendations made.
- Evaluate the extent to which cyber risks might be mitigated by insurance coverage. For more information on cyber insurance, see Backing up the backups – a practical guide to cyber insurance.
- Consider whether former employees have access to information, and whether there are any agreements in place to ensure confidential information remains protected.
- Assess what procedures and policies are in place to mitigate the risk of insider threats. These procedures should exist at a pre-employment stage (eg background checks), in addition to ongoing internal measures, such as education programs and website monitoring.
- Interrogate the target's third-party arrangements, including its process for undertaking due diligence on third-party suppliers, their exercise of rights to audit and conduct testing of its vendors and its approach to imposing security obligations on (and enforcing compliance by) organisations in its supply chain.
- Address cybersecurity risks in the valuation and/or in the representations and warranties and indemnities set out in the transaction documents.
[1] Cybersecurity and the M&A Due Diligence Process: A 2016 NYSE Governance Services/Veracode Survey Report (2016).
[2] Vindu Goel, 'Verizon will pay $350 million less for Yahoo', New York Times (21 February 2017).
[3] Verizon Press Release, 'Verizon and Yahoo amend terms of definitive agreement' (21 February 2017).
[4] David Ramli, 'Telstra-owned Pacnet hit by major data breach', Australian Financial Review (21 May 2015).