Mergers and Acquisitions (M&A) happen to businesses of every size and span all industry sectors globally. Financial data firm Pitchbook reported 4,754 deals closing worth $849.7 billion in Q1 of 2019. We expect to read about newsworthy brand-name deals like Abbvie/Allergan, as drug companies look for the next world-changing drug, or UTX/Raytheon and Oxy Petroleum/Anadarko, where economies of scale will improve financial performance or give better access to in-demand technologies or resources.
But M&A more often involves mid-market companies that rely almost entirely on suppliers and partners, usually serve a large consumer client base, and have developed valuable intellectual property that they hope will propel them into more competitive environments.
And for these transactions, what cybersecurity due diligence is conducted prior to, during and after the close of the M&A transaction? You only have to consider the Verizon/Yahoo and Marriott/SPG mergers to wonder what surprises await the buyer of a seemingly well-run enterprise.
As many companies have recently completed a merger or may be contemplating an M&A transaction, how can you filter out the risky acquisitions from seemingly positive disclosure?
I interviewed three leading practitioners to better understand the most important components of a cyber M&A due diligence. I spoke with:
What follows is not an exhaustive list of steps, but some interesting insights and pointers to potential issues. Our discussion flowed from the early stages of a transaction through to completion and then to ‘post deal,’ and includes general guidance as well as pointed replies to questions.
BARNABY: How do you go about initiating M&A cyber due diligence?
LUKE: We are most commonly asked to be involved where the target holds a large store of valuable data, or if the crown jewel is a particular item of intellectual property (IP) that, if it were exposed by hackers or others, would significantly devalue the target. There is a growing realization that you can’t just cover yourself with representations and warranties, and that the data for many targets is the primary asset – so much so that the whole purpose of the acquisition is in jeopardy if that has been breached or exposed in any significant way.
The liability that the purchaser made/incurs/inherits that flows from that is added insult to injury. Not only do you lose the value of what you are buying, but you find yourself defending privacy lawsuits and regulatory enforcement proceedings in the United States and abroad, and you bought yourself a very big mess that was not your creation, and that you failed to detect with your diligence efforts.
JIM: Both Sellers and Buyers are beginning to realize the importance of cybersecurity and how it affects the valuation of a transaction. Sellers are completing Cyber Maturity Assessments and related activities prior to starting the sales process to help ensure no cybersecurity issues arise during the sales process. Buyers are realizing that when they make an acquisition, they are not only acquiring the financial benefits of the business, but they are taking on the financial and reputational liability of the target's cybersecurity, data management and data privacy programs.
What is your initial guidance on insurance actions?
CHRIS: M&A participants are increasingly seeking to protect their interests by transferring cyber risk to the insurance markets. There are three types of insurance policies that participants in M&A transactions should focus upon to protect their interests to offset losses, if a cyber event diminishes the value of a transaction. They are:
All provide critical elements of protection. The value of these insurance policies all depends upon the risks that the particular transaction represents, the parties to the transaction and the terms of the contract.
Whether the Purchase and Sale agreement has provisions that contemplate liabilities or loss from a cyber event will impact what can be insured and how an insurance program can be structured. The focus on cyber risk has been on companies that hold large amounts of private personal information (PII) or have a large credit card exposure. That view should be changing as we see large income losses and direct costs as a result of ransomware, wiper viruses and new types of malicious code. These types of losses can occur at any company that relies on computer technology.
As more examples emerge of malicious access to systems occurring before the purchase but coming to light after the transaction, we should see more contracts specifically dealing with the issue.
Can you point to divergent outcomes from recent M&A transactions?
JIM: While Buyers are starting to realize the importance of Cyber Due Diligence, they don’t always know what to do with the information. At KPMG, we recently assisted a PE Firm client with its acquisition of a manufacturing target and a healthcare client with its strategic acquisition of several regional hospitals.
KPMG’s Cyber Due Diligence of the manufacturing target uncovered a number of cybersecurity issues. We provided our client with a Recommendations Report identifying high priority items to be fixed immediately and a roadmap of items for the Buyer to undertake to improve the overall cybersecurity of the newly acquired company.
Unfortunately, our client did not implement even the simplest and most critical recommendations, like initiating Multi-Factor Authentication (MFA) and patching known vulnerabilities. Subsequently, the company was hit with ransomware and their manufacturing was interrupted for nearly a week. Other functions were adversely affected for months. While this client realized the importance of performing Cyber Due Diligence to value the transaction, their failure to follow through and address the identified cybersecurity weaknesses likely cost them well over $10 million.
The story of our healthcare client has a much happier ending. While in the midst of the transaction to purchase the regional hospitals, the CISO insisted that KPMG be retained to perform Cyber Due Diligence. While performing the Cyber Due Diligence, KPMG uncovered significant weaknesses in the target’s cybersecurity program. With KPMG’s findings in hand, our client negotiated a reduction in the purchase price and escrow funds to be set aside in case any other cybersecurity weaknesses were uncovered after closing. The CISO also secured budget from the board to allow his organization to address the identified cybersecurity weaknesses.
These two examples show the importance of not only going through the motions of performing Cyber Due Diligence, but acting upon the findings to properly value the transaction and protect the value of the newly acquired company going forward.
LUKE: Increasingly, our clients are investing more in cyber and privacy diligence to try to surface these issues. There are several things they are worried about. For example, is there a historical or ongoing breach? Has valuable data already been exposed, even unbeknownst to the Seller? We will increasingly be asked to start to evaluate a potential acquisition before there is even a term sheet or any signing. This can include dark web searches to identify hacker chatter about the target or stolen credentials purporting to belong to the target or one of its key vendors.
Do you take steps like conducting a dark web search, without telling the target company or before you enter into a due diligence phase?
LUKE: Yes, we can look at public source information on the dark web. We can take other publicly available steps like reviewing the target’s website and glean something about the level of sophistication of the Seller, including through the way that they set up or configured the site. We also take advantage of threat intelligence, including the type of threat intelligence provided by BlackBerry Cylance, to be able to come in on an informed basis, looking for any yellow flags or red flags that we may see on the outside.
JIM: A recent KPMG client Buyer engaged us to perform a dark net investigation of a target company. During our investigation, KPMG uncovered significant information about the company which indicated they had been compromised for some time and that their confidential information and intellectual property were available for sale on the dark net. KPMG’s findings led our client to cancel the proposed transaction. Most dark net investigations do not uncover this level of negative information, but they oftentimes do help inform both the Seller and Buyer as to what steps need to be taken to improve cybersecurity at the target company.
The privilege issue that you have during an incident response (IR), is there a similar phase here? Do you run the risk of collecting or exposing or learning something that will then become part of your client’s company which then wasn’t shielded from privilege?
LUKE: We are careful to keep our legal advice regarding the risks under privilege, but the underlying facts are never privileged. You may learn facts that do create some potential future exposure, but the idea is it is better to know sooner rather than later and ideally to know before you sign on the dotted line.
Can you think of any disclosure or lack of disclosure that might have resulted in a problem for a transaction?
LUKE: We have had people present a rosy picture to us of their cybersecurity program. We have seen targets with the right industry certifications and we have looked under the hood and found a different picture. So, you can’t take these things at face value unless you are confident the worst-case cybersecurity outcome is still not enough to derail the deal. That’s rare these days.
If you are buying a brick-and-mortar company and you know whether or not there is a cyber or data privacy issue, maybe limited to their HR data, and you know there are only X number of employees, then you might conclude you could manage that. But if you are buying someone whose crown jewel is their IP, and that’s the value of the transaction and that has been exposed by outsiders, it’s generally not going to be worth it. Similarly, if someone’s holding large stores of personal data of individuals and diligence reveals a likely breach, then liability risks now are through the roof and it very well may not be worth it to proceed with the transaction.
Are there any other things you want to highlight in the early stages of a transaction?
LUKE: Sometimes our clients acquire startups, and, with some exceptions, they tend to present more risk in terms of legal and compliance issues because they are usually thin in that area and, compliance-wise, may not realize they are subject to the full range of applicable legal regimes. They may be learning for the first time through the diligence process about legal regimes that they should have been complying with all along.
So, some of the early questions have to do with, not only “what are you doing to protect systems and data”, but “what legal regimes do you believe you are subject to, and what have you done to comply with them?” As well as others that you have not mentioned.
JIM: Both targets and acquirers need to continue to focus more on cybersecurity. Targets/Sellers need to ensure they have their cyber house in order before they begin the sales process. Recent surveys have shown Buyers are willing to pay more for a target that can prove it has a strong cybersecurity program.
Buyers need to demand more information from Sellers during the pre-deal process – data rooms should include information about the target’s cybersecurity program – budgets, Incident Response Plans, Playbooks, employee awareness/training materials, cybersecurity tools, results of any recent pen-testing and an org chart for the cybersecurity team.
They should also include information about any prior cyber incidents, including cyber insurance claims, investigation reports and remediation steps taken to strengthen cybersecurity. Buyers can also initiate dark net and other threat intelligence searches at this stage, which do not require access to the target’s environment. Valuable information can be obtained from these dark net and threat intelligence investigations.
CHRIS: Cyber risk is broader than most companies think. Buyer companies should not only focus on credit card information, but on the broader sphere of confidential and other information that is highlighted in newly minted statutes such as CCPA and GDPR. Recent fines have been well over $100 million, enough to change the dynamics of any transaction.
There is a broader set of information that can be subject to these types of laws, and the exposures are not necessarily triggered by breach, but can be triggered by the way in which such information is handled or shared. Theft of money and diversions of payments by hackers are becoming increasingly common and large enough to impact a company’s bottom line. Companies should be focusing their attention as much on these types of events and direct damage from ransomware and other types of destructive code and vandalism. Many experts think the worst of cyber events are in the future with effects that we are not currently anticipating.
The insurance market has increasingly been asking Buyers to do cyber due diligence, especially if they are planning on transferring the cyber risk to the insurance market. Confidentiality provisions and time considerations in the run-up to a closing can limit the due diligence, but companies expecting to be able to transfer risk should be aware that an audit of the purchased company may be required if they expect to have affordable insurance options.
Companies may not be forthcoming on the initial data request. Have you found that to be the case?
LUKE: It’s a mix. We see some companies that are very well papered from a compliance standpoint, but they can be more of a paper tiger where the cybersecurity controls are weak. We see others that are the opposite. They are quite savvy on cybersecurity issues, but not so great on the legal and compliance aspects. I would rather have a paper compliance issue than an underlying cybersecurity breach issue. I’d rather have tires on my car, so to speak, and I can worry about the color of the paint and other details as I go. Not that that is insignificant, but relatively speaking that is a more manageable situation than one where you made the right presentations to regulators and industry certifiers, but you don’t actually have the goods to uphold that.
Do you bring in third parties for technical or systems audit?
LUKE: Of course. We would retain KPMG or BlackBerry Cylance or other leading forensic experts or threat intelligence source vendors, to be able to help us with that, and this usually occurs pre-signing and often before there has been any approach to the target.
Is it possible to determine if IP has been altered in any way?
LUKE: You can certainly look for what purport to be copies of the IP or people offering to sell it, and then you make a determination about whether you can legally buy that to review. You might instead bring it to the attention of the Seller and let them consider buying what purports to be their own IP. Customer data, business strategic plans - those are all the kinds of things that we look for from public sources. There are vast underground markets now and have been there for quite some time with valuable company data, even beyond the personal data of individuals, and so there’s a whole market for that type of info and people buying and selling it.
You will also see people advertise access to a system, plug-ins to a particular company network where they allow you to install your malware or other scheme. We look for any of those signs pre-signing. Once a contract is signed with the Seller and there’s substantial commitment on both sides, then you start down the path towards more formal diligence efforts.
A lot of that is a function of your leverage and the time that you have. If the Seller has told you that they have other bidders and you have good reason to believe that it’s true, you may not have much leverage. If they will permit access to systems, even in a limited way - a third-party vendor runs a penetration test or a vulnerability scan - that obviously is ideal to identify any historical issues.
Continue reading here, with Part Two of this interview series.
About our Experts
Luke Dembosky is a cybersecurity and litigation partner at Debevoise & Plimpton, based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Cybersecurity & Data Privacy practice and a member of the White Collar & Regulatory Defense Group. Read Luke’s full bio here.
Jim is a principal in KPMG LLP’s Cyber Services group and helps lead KPMG’s Cyber Response practice and the Cyber Insurance Channel. Jim has over 30 years of practical business and legal experience, including over 20 years of private practice, in-house legal, forensic, and cyber consulting experience. Read Jim’s full bio here.
Chris Keegan is the Senior Managing Director at Beecher Carlson. He is skilled in Privacy Law, Enterprise Risk Management, Insurance Law, and Financial Risk. He is an experienced business development professional with a JD focused in Law from Saint John's University School of Law. Read Chris’s full bio here.