March 27, 2017 | Inside Counsel

Cyber Diligence and Practical Advice for Managing Cyber Risk in the Deal Context


Not a day goes by without news of a new cyberattack or data loss, across all industries and all sizes of organizations. The consequences of those attacks for the company can be dire—reputational harm, C-Suite turnover, and material diminution of shareholder equity. Although cyber issues are omnipresent for most companies, the period in and around an acquisition/divestiture transaction can be an especially sensitive moment for both purchasers and sellers. As neither data breaches nor deals are going anywhere, both purchasers and sellers need to develop a strategy to address this issue in the context of acquisitions. To maximize value, sellers should reexamine their cyber policies, programs, and controls and make sure they are as robust as is practical before embarking on a sales process. Purchasers should develop a cyber due diligence strategy to ensure that the target meets or exceeds the purchaser's standards and to ensure the appropriate price is paid for the target.

As a seller prepares itself for a sale, it must make a hard-headed determination of what policies, procedures, and controls it has in place to protect its data as well as the data of its customers. A well-constructed cybersecurity program will reassure potential buyers that the company is not a potential reputational and liability trap and help the target to maximize its sale price. Making sure that management has thought through how it will respond to a purchaser's requests on cybersecurity can help a seller maximize its value and shorten the sales process.

Purchasers should, similarly, focus on cybersecurity audits of targets to ensure that both the technology being purchased and the customer and employee data have been well protected. The extent of the due diligence will depend on a number of factors, including (i) the type of sensitive customer data the company uses and stores; (ii) whether the IP used by the company is a likely data breach target, and, if so, whether competitors could use such IP to undermine the company's business plans, including through misappropriation; and (iii) the types of cybersecurity policies, procedures, and controls the company has used historically and whether those were reasonable and risk-based. Each of these factors should be viewed on a continuum—the more emphatic the response is to any of these factors, the more a deep dive into the target's cyber program is warranted.

A purchaser should not rely only on standard contractual protections, because they cover only a narrow definition of "losses," and then only if a specific representation can be shown to have been breached. Losses from reputational harm, C-suite turnover, and competitive disadvantage or misappropriation of proprietary IP are hard to quantify and may far exceed the legal liabilities actually suffered by a target post-closing that are recoverable under the transaction agreement through indemnification.

In this resource-constrained world, however, organizations need to be able to determine how much cybersecurity due diligence they should conduct and when. The scale of cybersecurity due diligence ranges from simple to extensive, and the appropriate amount depends on several factors. A company should estimate the extent of the reputational harm that would follow the revelation of a data breach, the financial harm that may arise from a breach (whether through litigation or through loss of valuable information), and any liability to which it would be exposed from regulators or others. For example, a healthcare company subject to the data security rules in HIPAA may weigh regulatory risk more heavily than a non-regulated, non-consumer-facing company; but the latter may still face enormous losses from damage to its reputation.

Purchasers will also want to consider the implications of a latent breach or security vulnerabilities for issues specific to the target company. If the target is being acquired for its data, the confidentiality, integrity, and availability of that data are plainly of paramount importance, but other types of targets raise other considerations. For example, a target with specific intellectual property may not be worth purchasing if that IP has been compromised by an attacker, either because the IP itself has been misappropriated or because competitors who now hold it can erode the target's advantage. Similarly, the purchaser needs to understand which classes of information held by the target differ from those the acquiring company already possesses, and assess whether the purchaser's policies will need to change to integrate the new business. Purchasers sometimes fail to realize that the target is subject to a different regulatory framework than the purchaser, which can lead them to underappreciate the risks and expense attendant to the acquisition.

Once a purchaser has considered the potential impact of a breach and the cyber vulnerabilities of a target, the purchaser should use that knowledge to begin the due diligence process on the target. The first phase consists of a preliminary risk assessment. In this phase, the purchaser polls the target on its cybersecurity practices. The target's responses help to identify any major issues the target may have on security practices. Ending due diligence at this stage may be appropriate if, for example, the target does not maintain personal data on customers or patients and has a limited number of employees.

In most circumstances, this first-phase review will be insufficient to adequately address the risk. The second phase of the due diligence process is a call or meeting with the target's management, asking detailed questions about the company's security posture and policies. This is a relatively cost-effective way to conduct diligence and to obtain additional information that may raise or allay significant concerns. That information then needs to be analyzed to decide whether more significant due diligence is prudent. If any yellow flags appear because of the target's existing policies and procedures, types of data, historical experience with intrusions, or sensitive IP, more due diligence is likely warranted in order to make an informed decision about whether the purchaser should move forward with the transaction, request a price reduction, or simply walk away.

If any yellow flags remain after the first and second phases of the cyber due diligence, a third phase should be initiated. A full cybersecurity assessment includes a thorough review of the company's policies, procedures, and controls; interviews of employees and management; technical vulnerability testing; and an assessment of the company's compliance with applicable industry standards and any relevant regulatory requirements. These assessments are best conducted by a combined legal and technical team that can discuss with the purchaser the extent of the vulnerabilities in the cyber program and how those vulnerabilities mesh with the acquiring company's risk tolerance. The assessment should verify the responses received during the first two phases rather than take them at face value.

This phase should explore such issues as whether and how often the target has been attacked; the adequacy of its written policies and programs; how personnel are trained in those policies and programs and how compliance with them is measured; whether the cybersecurity program is appropriately resourced and accountable; access controls; encryption practices; data location; data use and transfer issues; change control management; physical security; backup practices; vendor due diligence programs; software acquisition practices; efforts to stay informed of the latest threats; and the target's auditing scheme. This type of assessment attempts to uncover latent breaches and provides insight into other vulnerabilities and risks. If the target operates in multiple jurisdictions, the purchaser and its advisors will need to conduct a risk-benefit analysis of the level of diligence to perform in foreign jurisdictions where standards and penalties may differ substantially from those in the United States.

After a review of the target's cybersecurity practices, a written due diligence report would normally be prepared. The report summarizes the target's security practices, states whether any evidence of a latent breach was found, assesses overall strengths and weaknesses, and addresses whether valuable IP appears to have been compromised. Based on the report, the purchaser can decide how to respond to what the due diligence process uncovered, including whether to renegotiate the price, continue with the deal on the agreed-upon terms, or, in egregious situations, terminate negotiations. The report also serves a second function: it helps the purchaser integrate the target into the purchaser's overall cybersecurity program.

While purchasers will want to rely as much as possible on their own diligence to gain comfort around potential liability for cybersecurity matters, thorough representations and warranties in the transaction documents serve as a secondary means of confirming diligence and provide some protection through indemnification. As noted above, it is difficult to protect a purchaser against reputational losses through customary indemnification for breaches of representations and warranties, so purchasers with particular sensitivities in this area may structure direct indemnities that do not require a breach of a representation for recovery of a loss, protecting the purchaser from consequential business loss due to a cybersecurity incident. These provisions can be tailored to the particular factors and concerns of a given transaction. However, they may also be constrained by both parties' desire to avoid creating a road map for any regulatory authority or other third-party claimant that may have a claim against the target. As an alternative, a purchaser may choose to rely simply on breach of representations and warranties, with an agreement that the customary deductibles and caps on recovery will not apply and that the survival period will be longer than for standard representations and warranties. Such representations and warranties are more likely to be drafted without "knowledge" or "materiality" qualifiers, as a strict-liability standard is an increasingly common framework for cybersecurity matters.

As more companies suffer economic and reputational losses from cybersecurity lapses, the importance of cybersecurity due diligence becomes more apparent. A thorough risk assessment not only allows the purchaser to better understand and price the target's risk; the assessment itself is evidence of the purchaser's own cybersecurity maturity. This may be extremely important if, after closing, the target or the purchaser suffers a security incident, since regulators (and shareholders) may judge whether a company's data security practices were reasonable by reference to the diligence it performed on the target. It is often said that it is not a question of if you will be breached, but when. In this environment, making sure that processes are sound is the best way to protect the company and its reputation. Conducting cybersecurity due diligence reduces the likelihood that a latent compromise or known weakness is carried into the combined business undetected, decreases the likelihood of liability in the event of an attack, and increases the purchaser's ability to ensure the overall soundness of its cybersecurity practices.