Cyber Security During Mergers And Acquisitions (M & A)
On face value, one may question what company mergers, acquisitions, or takeovers have to do with cyber security. But for law firms charged with overseeing the safe completion of such transactions, cyber security should be a core consideration, for two key reasons. Firstly, there is a risk that during due diligence (the process during which the granular details of the organisation being acquired, merged with, or taken over are uncovered) sensitive information could be stolen. The theft of sensitive financial, tax, intellectual property, or any other due diligence information through a cyber breach could lead to crippling financial fines and compensation, reputational damage and potentially bring the transaction to a grinding halt.
Additionally, if the target business has a history of being on the receiving end of serious cyber breaches, whether known or not at the time of purchase, fines could later be levied on the acquiring entity. The risk may also be unwittingly inherited when vulnerable IT assets are transferred to the purchasing company. It is therefore incumbent on the acquiring business to ensure any vulnerabilities or previous cyber breaches are uncovered, as these may materially damage the value of the business, impact the viability of the purchase or merger and could later lead to new hacks.
Mega breaches discovered too late
Few cases illustrate the risks taken by acquiring organisations who do not delve into the cyber security history of their intended purchase more than the massive data breach involving the Marriott hotel chain which came to light in 2018. It is believed up to 500 million customer records were stolen during a sustained cyber-attack on Starwood since 2014; a business acquired by the Marriott International group in 2016, creating the world’s largest hotel chain. It is believed of the half a million stolen records, the personal data of 327 million guests was stolen, with “some combination” of name, address, phone number, email address, passport number, account information, date of birth, gender and arrival and departure information.
The effects for the Marriott Group have been and continue to be immense. Under the GDPR rules, Marriott may be forced to pay up to 4% of its turnover in fines, equating to £117m. They also suffered a one-day stock price fall of 5.6% and may yet face class-action lawsuits from victims. The possible costs in compensation awards and reputational damage could be considerable.
Similarly, the mega-acquisition of US internet firm Yahoo by Verizon in 2017 was impacted by the late disclosure of three vast historical data breaches to the purchasers after the deal price had been negotiated. While the acquisition did proceed, it is believed the sale price was discounted by £350m after the discovery that approximately one billion accounts had been breached.
Widening the scope of M & A due diligence
The aim of due diligence prior to a merger, takeover, or acquisition, according to global professional services firm PwC, is to “help maintain control over the sales process and the issuing of information. It identifies the positive and negative points of the business in an early stage and avoids surprises later in the process.” In practice, this requires every area of the target business to be reviewed and key information brought to the fore.
In the context of cyber security, law firms undertaking M & A due diligence must seek to unearth any past breaches and existing vulnerabilities on behalf of their purchasing client. Tellingly, an article on Forbes.com cites a report which states 40% of acquiring businesses find cyber security problems post-transaction; a statistic that suggests the due diligence required either is not happening or is not completed with sufficient depth.
The same Forbes article recommends that as a minimum, the following cyber security due diligence is undertaken:
- Assess the types of privacy and cyber security risks faced by the business being acquired
- Analyse and document the network and system architecture and data flows of the organisation – internally and externally
- Determine how the business gathers, processes and stores personal information of any type
- Review contractual obligations and commitments made regarding privacy and security
- Request information regarding any prior cyber security incidents and how these were managed
- Ask for copies of the organisation’s cyber security policies, processes and procedures and check whether these meet the necessary standards
- Assess the acquirer’s potential liability, compliance requirements and/or notification obligations which will exist post-acquisition.
But the danger does not end at identifying and documenting the cyber security risks within the target organisation; it is also essential that law firms handling M & A on behalf of their clients do not unwittingly allow sensitive client data or information to be breached. Sensitive corporate information is not only of interest to legitimate parties, but cyber criminals also actively seek to acquire such details from which they can profit. Foreign or domestic competitors may also wish to gain a competitive advantage by stealing this information. To this end, law firms must ensure their legal professionals are empowered with processes and procedures designed to protect all parties to the sale, merger, or takeover. And at the very centre of the approach must be a ‘security first’ culture, backed up by regular cyber security training for all staff.
Treat your client’s information as you would your own
Solicitor firms are often entrusted to manage mergers, acquisitions and takeovers in the belief that they will leave no stone unturned. Potential clients will look to engage law firms who practice what they preach when it comes to data protection and cyber security. By demonstrating your firm has robust cyber security protection, detection, and mitigation technology and procedures, and you conform to the highest standards such as ISO27001 (information security management system), they will trust you have the knowledge and understanding to find weaknesses in other businesses. And likewise, because you understand the critical importance of investing in this area, they will trust you with their closest guarded secrets.