The United States experienced a record number of mergers and acquisitions over the last two years, a trend that corporate executives expect to continue. When evaluating potential M&A targets, corporate boards have traditionally focused on financial, legal, and structural implications. There is a new consideration, however, that must be taken into account: cyber-security.
Case in point: In October, Wall Street investment firm Muddy Waters Capital shorted the stock of St. Jude Medical after receiving a research report of cyber-security vulnerabilities in their pacemakers. Outside extraordinary disclosures like St. Jude’s, cyber-security compliance problems are one of the most common types of issues uncovered during the due diligence process surrounding M&A. A recent report from management consultants West Monroe Partners found that 70 percent of senior M&A practitioners discovered a cyber-security problem after a deal went through, while only about a third of respondents identified cyber-security-related compliance issues during the due diligence process.
Ensuring compliance is no easy task, and cyber-related regulations are putting further pressure on companies. Earlier this year, Stephanie Avakian, deputy director for the Securities and Exchange Commission’s enforcement division, said that companies withholding information about data breaches could face civil and criminal enforcement actions if they didn’t come forward after being made aware of a breach. And in December 2015, U.S. Senators Jack Reed and Susan Collins proposed the Cybersecurity Disclosure Act of 2015, which would require publicly traded companies to include in their SEC disclosures whether they have a cyber-security expert on their board. Companies also have to deal with a patchwork of regulations and regulators, from the SEC and FTC to the CFPB, FINRA, and various state and international regulators.
Given the projected increase in M&A activity and regulations, boards increasingly need to think about cyber-security as part of the fiduciary duty of care they owe their companies. To fulfil that duty and demonstrate the exercise of appropriate business judgment, boards must be educated on all the ways cyber-security can put their strategic efforts, M&A included, at risk. Whether evaluating their own company or a potential acquisition target, boards’ fiduciary responsibilities include ensuring the company has the right resources to manage cyber-security risks: the right people, processes, and technologies in place. Board members need to treat cyber-security as a true enterprise risk, while also appreciating how it uniquely influences every category of enterprise risk they routinely manage, including financial, operational, and strategic risk, and identifying how and where compliance can fit into the equation as a potential solution. For example, legal compliance sometimes bleeds into data privacy compliance, so boards need to understand how the data their business uses is collected and shared and whether it is stored. In some cases, risks that boards identify in this process may actually be solved by implementing compliance controls.
A general program that merely meets the necessary regulations is insufficient; it must be measured against achievable goals. Baselining, documenting, and measuring, also referred to as scorecarding, are integral components of ensuring programs are, and remain, compliant. Board minutes, for example, which need to be shared with stakeholders, shareholders, and regulators, can serve as a scorecarding document. Preparing and educating boards and executives to make their organizations cyber-security-resilient is also an important part of proving compliance, both in defense against and in anticipation of potential litigation.
Whether a board is currently pursuing M&A activity or not, it’s clear that cyber-security compliance can no longer be overlooked. Due diligence and good data governance are critical to maintaining a strong cyber-security program, as are boards and executives who are well-versed in the issues. Robust cyber-security starts at the top, and corporate boards need the knowledge and skills to identify and address issues before irreparable damage can occur.
Simone Petrella is the chief cyberstrategy officer of CyberVista.