The Need for Cyber Due Diligence in M&A Transactions

As technology continues to advance, allowing more companies to collect, share, and use data, privacy and cybersecurity due diligence in the M&A context becomes even more important. Unfortunately, companies often ask boilerplate questions about cybersecurity, privacy and data without understanding the particular risks associated with the target company.

A lack of due diligence in evaluating a company’s cybersecurity controls and privacy requirements during the M&A process can result in a host of short-term and long-term problems. This may include subsequent data breaches or privacy complaints, loss of business revenues, higher cybersecurity premiums, underperforming stock value, and loss of consumer confidence.

Marriott, for instance, inherited a massive breach crisis in its 2016 acquisition of Starwood that went undetected at the time of the merger. In contrast, gaps in due diligence may provide an acquiring company a competitive advantage as in the example of Verizon’s reduction of its purchase price of Yahoo by $350 million dollars after a significant data breach came to light before the acquisition was finalized.

With security and data incidents so widespread and potentially damaging to acquiring companies’ valuation and reputational health, a target’s cybersecurity vulnerabilities and privacy risks should be as closely investigated as financial documents within the M&A due diligence process.

Adequate due diligence requires consideration of a mix of legal and technical questions, some of which include:

• Scrutinize internal and external vulnerability assessments, penetration testing, and other security reports and confirm vulnerabilities were remediated appropriately
• Consider whether the company has an information security and privacy program, whether such a program has been implemented, and employees trained on the programs
• Depending on the risk, consider hiring an independent computer security firm to investigate the information security program and possible security gaps
• Search the dark web for evidence that the target company’s data exists for sale
• Investigate whether the company has received regulatory inquiries or complaints regarding its data privacy practices
• Assess whether the company is subject to sector-specific data privacy and security laws or requirements, and review the applicable policies and compliance programs
• Analyze whether the company’s internal and external privacy policies are compliant with regulatory requirements and whether the company complies with the representations in these policies
• Ask what cyber risk mitigation and data retention policies are currently in place and whether these policies are audited
• Review any contractual privacy or security requirements or obligations, and consider whether the company meets these obligations
• Review contracts and SLAs for any vendors used by the company examine their access to systems, and access and use of company data
• Consider any legal restrictions on the use, sale, or transfer of data
• Ensure the company has adequate cyber insurance
• Investigate the company’s process for identifying, investigating, and responding to data or security incidents. An organization that claims never to have suffered a security incident in any capacity most likely lacks a mature cyber program.

Failing to conduct adequate due diligence for cybersecurity and privacy risks during the M&A process can negatively impact the organization after the deal is closed. After all, no entity wants to have malware injected into its system that causes the purchasing entity to suffer a breach or system failure because of a failure to recognize a security risk prior to integrating the new company with its current systems.