M&A Due Diligence: The Devil in Their Data
*Article first appeared in Corporate Board Member on November 7, 2017
At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.
Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions.
Data Factor Drivers
Fifteen years ago, the risk of material business or legal exposure from state data breach notification and data protection laws in the US, EU and elsewhere was profoundly different than it is today. Corporate deals often covered the risk with a general compliance with law representation, and companies provided notice of data breaches 30, 45 or more days after the fact. Cybersecurity insurance was a relatively new—and far from prevalent—concept. Even when data breaches resulted in class actions, the suits were routinely dismissed because courts found no compensable injury.
To say that’s changed is an understatement. From customer lists to pricing models, data assets are increasingly invaluable to modern businesses. It follows that when buying a company to get its innovative technologies or data, it is helpful to know if rogue actors have already stolen or compromised that information. The failure to protect those assets can cost an acquiring company time, customers and profits, as well as put the business’s reputation with investors, commercial counterparties, customers and regulators at risk, potentially leading to regulatory inquiries and lawsuits. Indeed, entire deals have been thrown into disarray after the announcement of previously undisclosed data breaches.
Federal regulatory inquiries about cybersecurity are now commonplace, with inquiries coming from a growing roster of federal and state agencies, including the Securities and Exchange Commission, Federal Trade Commission, Consumer Financial Protection Bureau, Office for Civil Rights and state attorney general offices. For example, an FTC complaint recently filed in federal court (Federal Trade Commission v. D-Link Systems Corp) focused on one company’s failure to “take reasonable steps” to secure sensitive consumer information against “reasonably foreseeable risks of unauthorized access.” The FTC routinely settles such cases on the condition that companies remain “under order” for 20 years.
Moreover, every advanced industrial country (except the US) has a separate regulatory agency devoted solely to data protection. These data protection authorities (DPAs) have developed robust regulatory requirements for the security of data. Moreover, their powers are growing. Under the EU’s new General Data Protection Regulation, effective May 2018, potential fines can range up to 4 percent of global revenue and companies must provide notice of a data breach no later than 72 hours after having become aware of it.
Cybersecurity Risk in the Boardroom
Cybersecurity issues can hit home for board members most directly in derivative suits. While cybersecurity risks are generally seen as business risks, governed by the business judgment rule, more recently shareholder plaintiffs have alleged cybersecurity-related liability as a failure of compliance oversight. For example, Wyndham Hotels suffered three separate data breaches in which hackers allegedly stole more than 600,000 payment card numbers and racked up more than $10 million in fraud between 2008 and 2010. The breaches led to an FTC investigation into whether the company had failed to maintain reasonable and appropriate data security.
Shareholders then filed a related lawsuit, alleging that the board breached its fiduciary duties by failing to implement a system of internal controls to protect customers’ personal and financial information and causing or allowing the company to conceal data breaches from investors. The court ultimately dismissed the case, but plaintiffs’ firms are likely to continue to make such claims in future incidents. While this line of attack would be a tough set of claims for plaintiffs to establish against individual directors, it would still be wise to ensure the diligence process includes a reporting system designed to provide management and the board with timely, accurate information to make informed judgments about cybersecurity risk.
Even after diligence is completed, boards should continue to protect their companies during the merger and acquisition process by ensuring that the representations and warranties in the agreement are robust, their company is indemnified where possible, and any clauses in the agreement that add “material adverse effect” and “knowledge” limitations are limited. Sophisticated attackers can often hide in systems for months before being detected. If an attack comes to light that was previously undiscovered, the consequences of unknown intrusion should be pre-apportioned between the buyer and the seller in the deal documents.
The bottom line? Boards contemplating mergers and acquisitions can no longer afford to overlook cybersecurity concerns. Cybersecurity threats pose significant risks for the board, including potential action against the board for oversight failure and reduced value or profits for the company. Before signing off on major deals, boards should ensure that there has been a diligent investigation of the target company’s cybersecurity people, policies and practices and should confirm that management appreciates the risks raised.