Guest Op-ed: Addressing Cyber Risks Inherent in M&A Transactions

Data privacy and security law has impacted (or, depending on your perspective, infected) almost every area of traditional practice. As a result, lawyers in different practice areas are finding that they need a working knowledge of data issues, just like they need a working knowledge of torts, administrative law, labor and employment, insurance, etc. This is particularly true in the world of mergers and acquisitions. Every corporate seller is conveying, among other things, data and IT infrastructure; every corporate buyer is purchasing data and, potentially, a security vulnerability or unknown data breach.

Today’s guest writer discusses the need to mature data security due diligence so the parties have a better understanding of the data risks and assets in the transaction. Although many companies still rely primarily on contractual representations and warranties of sound security practices, lack of a thorough assessment on both sides can lead to litigation if the parties find out post-closing that the world was not as one, or both of them, believed. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.  

– David Zetoony

Addressing Cyber Risks Inherent in M&A Transactions
By Shawn Henry, CrowdStrike Services, Inc.

The year 2015 marked the highest ever value of mergers & acquisitions with an astounding $4.6 trillion. If 2016 follows this trajectory, we’re looking at over 18,000 M&A events to occur this year, many of which may be “megadeals” exceeding $50B. With figures this staggering, you can’t afford to take on a partner organization without exploring ALL areas of risk – financial calculations can no longer be the only factor considered. Cybersecurity risks must be thoroughly explored since they will directly impact the value of the company to be acquired, as well as potentially lead to significant costs to remediate gaps or defend litigation post merger.

I equate it to buying a home, which is usually the biggest personal investment one makes. Your realtor is there to protect you and, with the inspector, asks the important questions that likely won’t come up during your house hunting. Are there structural problems with the house? What about termites? Is this home in a flood plain? What’s the condition of the electrical and plumbing systems? Similarly, a substantial business investment often occurs with an M&A event. You wouldn’t make that home purchase without the inspection; why, then, would you accept less vigilance when it comes to your business?

It is essential that the acquirer thoroughly explores the critical security questions for companies, and avoid introducing unnecessary risk to an organization prior to a merger. By performing a comprehensive assessment, the acquirer should identify the gaps in the partner organization’s security posture and develop ways to solidify it before integration with your brand occurs. In addition to a comprehensive technical evaluation, the assessment should encompass an examination of security documentation, a review of IT processes, and interviews of key staff to understand where on their list of priorities cybersecurity falls.

Some questions to explore include:

  • Are there vulnerabilities in the partner organization that could be exploited to access your systems?
  • How secure will the organizations’ data be during the integration process?
  • Has their network been compromised in advance of the merger?
  • What security risks are there in merging your environment with theirs?
  • Does their organization have the same level of security controls in place that meet the standards of yours, even if you’re not absorbing their technological resources?

I realize every organization, every M&A, and every security setup is unique; and therefore, assessment must be customized to meet specific needs. In order to provide the best protection for your most valuable assets, you should prioritize resources based on the actual risk, an implementation plan of effective detection measures, and a comprehensive security strategy to actually prevent damage.

Throughout my previous law enforcement career, I saw time and again that the nominal cost of being proactive and predictive about security saved significant time and money in the long run…underscoring, bolding and italicizing the word ‘significant’. It’s ALWAYS harder and more expensive to react to something than preventing it from happening in the first place.

Shawn Henry is the President of CrowdStrike Services, Inc., a Google-backed cybersecurity company that provides pre- and post-breach services to mitigate the risks and damage associated with cyber compromises. Prior to joining CrowdStrike, Mr. Henry served as the executive assistant director of the FBI and is credited with boosting the FBI’s computer crime and cybersecurity investigative capabilities. He oversaw computer crime investigations spanning the globe, including denial-of-service attacks, bank and corporate breaches, and state-sponsored intrusions.

Data Privacy Due Diligence: Questions to Consider in a Merger or Acquisition

The FTC can hold an acquirer responsible for the bad data security and privacy practices of a company that they acquire.  Evaluating a potential target’s data privacy and security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed.  For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, and were discovered months after the transaction closed….