The Need for Cybersecurity and Privacy Due Diligence in M&A Transaction

Clark Hill PLC

The Need for Cyber Due Diligence in M&A Transactions

As technology continues to advance, allowing more companies to collect, share, and use data, privacy and cybersecurity due diligence in the M&A context becomes even more important. Unfortunately, companies often ask boilerplate questions about cybersecurity, privacy and data without understanding the particular risks associated with the target company.

A lack of due diligence in evaluating a company’s cybersecurity controls and privacy requirements during the M&A process can result in a host of short-term and long-term problems. This may include subsequent data breaches or privacy complaints, loss of business revenues, higher cybersecurity premiums, underperforming stock value, and loss of consumer confidence.

Marriott, for instance, inherited a massive breach crisis in its 2016 acquisition of Starwood that went undetected at the time of the merger. In contrast, due diligence that surfaces a target's security gaps may give an acquiring company a competitive advantage, as when Verizon reduced its purchase price for Yahoo by $350 million after a significant data breach came to light before the acquisition was finalized.

With security and data incidents so widespread and potentially damaging to acquiring companies’ valuation and reputational health, a target’s cybersecurity vulnerabilities and privacy risks should be as closely investigated as financial documents within the M&A due diligence process.

Adequate due diligence requires consideration of a mix of legal and technical questions, some of which include:

  • Scrutinize internal and external vulnerability assessments, penetration testing, and other security reports and confirm vulnerabilities were remediated appropriately
  • Consider whether the company has an information security and privacy program, whether that program has actually been implemented, and whether employees have been trained on it
  • Depending on the risk, consider hiring an independent computer security firm to investigate the information security program and possible security gaps
  • Search the dark web for evidence that the target company’s data exists for sale
  • Investigate whether the company has received regulatory inquiries or complaints regarding its data privacy practices
  • Assess whether the company is subject to sector-specific data privacy and security laws or requirements, and review the applicable policies and compliance programs
  • Analyze whether the company’s internal and external privacy policies are compliant with regulatory requirements and whether the company complies with the representations in these policies
  • Ask what cyber risk mitigation and data retention policies are currently in place and whether these policies are audited
  • Review any contractual privacy or security requirements or obligations, and consider whether the company meets these obligations
  • Review contracts and SLAs for any vendors used by the company, and examine their access to systems and their access to and use of company data
  • Consider any legal restrictions on the use, sale, or transfer of data
  • Ensure the company has adequate cyber insurance
  • Investigate the company’s process for identifying, investigating, and responding to data or security incidents. An organization that claims never to have suffered a security incident in any capacity most likely lacks a mature cyber program.

Failing to conduct adequate due diligence for cybersecurity and privacy risks during the M&A process can negatively impact the organization after the deal is closed. After all, no acquiring entity wants to suffer a breach or system failure because malware already present in the target's environment was carried into its own systems, all because a security risk went unrecognized before the new company was integrated.
