Best practices for M&A cyber-security due diligence in a virtual world

According to a recent M&A trends survey conducted by Deloitte, 51 percent of 1,000 M&A executives at U.S. companies and private-equity investor firms listed cyber-security threats as their top concern in executing deals virtually, followed by “ability to forge relationships with management teams” (41 percent) and “extended regulatory approvals” (39 percent). Sixty-one percent of respondents further indicated they expect M&A activity to return to pre-coronavirus levels within the next 12 months.

A separate poll, conducted by Travelers Insurance, highlights the variety of cyber-security concerns companies have, including:

• Suffering a security breach;
• Suffering a cyber-event due to employees working remotely;
• Unauthorized access to financial systems;
• Theft of the company’s customer or client records;
• Employees putting company information at risk; and
• Becoming an extortion/ransomware victim.

These concerns are driven, in part, by the pandemic. According to the 2020 Travelers Risk Index, a majority of more than 1,200 business leaders said at least 40 percent of their employees currently work outside the office. “With more employees relying on their ability to connect with company systems from remote locations, and many consumers preferring online transactions in an age of social distancing, it’s more important than ever for companies to do all they can to mitigate exposure to cyber-threats,” said Tim Francis, enterprise cyber lead at Travelers.

Companies looking for a real-world example of a data breach impacting valuation in an M&A deal don’t need to look any further than Verizon Communications’ 2017 acquisition of Yahoo!.

That said, many companies still aren’t taking appropriate measures to mitigate cyber-risks. Notable groups of Travelers survey respondents said their organization hasn’t utilized hacker-intrusion detection software (48 percent); undergone a cyber-risk assessment on their company (47 percent) or their vendors (37 percent); or written a business continuity plan that could help them respond to a cyber-attack (42 percent).

From an M&A perspective, the findings demonstrate the importance of conducting robust cyber-security due diligence prior to, and after, executing a deal. Especially now, after many organizations had to transition to a virtual work environment overnight, cyber-risk assessments play an even greater role in M&A deals. “It’s not that the pandemic has shifted cyber-risk—it has made it more clearly visible,” says Stacy Scott, managing director of the Cyber Risk practice at consulting firm Kroll.

A team effort

To be clear, cyber-security is not just a technology issue; it’s an enterprise-wide risk management and compliance issue. Each business function plays a critical role as it relates to cyber-security in an M&A deal.

Chief information security officers (CISOs), for example, “help the organization to develop cyber-threat profiles of prospective targets and portfolio companies to determine the risks each present,” says Deborah Golden, U.S. cyber and strategic risk leader for Deloitte Risk & Financial Advisory. “CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”

In collaboration with the CISO and the IT security team, the chief risk officer also has a role to play in identifying cyber-risks across the target company and prioritizing which ones need to be remediated. Chief compliance officers must ensure the target company complies with all relevant data privacy and data security laws, considering the industry and region, while general counsel should assess the legal risk of any violations or data breaches that were discovered.

Pre-deal due diligence

Companies doing due diligence for an M&A deal should “make sure to evaluate the company based on the changes that have happened in the last five to seven months, because for some organizations those changes have been drastic,” Golden says. Consider the many brick-and-mortar companies, for example, that suddenly had to transition to online e-commerce, “which dramatically changes the infrastructure, the control environment, [and] the cyber-risks,” she says.

In the pre-deal due diligence stage of M&A, focus on the target company’s most critical data—the “crown jewels”—usually varies by industry. Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, explains hackers generally are motivated by four factors:

• Financial gain;
• Personally identifiable information (PII);
• Intellectual property; or
• Ideological motivations—so-called “hacktivist” groups who target companies or industries they feel don’t align with their social or political views.

“There is hardly an industry that doesn’t have some aspect of that risk profile,” Nocera says. Part of due diligence, thus, involves first understanding what critical data of the seller is most valuable in the eyes of a hacker and most likely to be targeted.

Specific examples include patient data in the healthcare industry, financial information in the financial services industry, and credit card data in the retail and restaurant industries. From an IP standpoint, pharmaceutical companies can be targeted for their drug formulas, or manufacturers for their product designs, to cite just two examples.

Once you have a grasp on the seller’s most critical data, you want to next do a deeper due diligence dive into the seller’s key security controls, Scott says. Where does that critical data reside? How does the company manage risk and third parties? What security controls does the company have in place to protect that data? Where do vulnerabilities lie? And, most critically, what detection and response capabilities does the seller have in place in the event of a data breach?

Scott also recommends conducting deep and dark web searches for potential leaked data. There are a variety of solutions that offer this service. For example, through its “CyberDetectER DarkWeb” solution, Kroll can conduct a deep and dark web assessment to identify any exposed data or to uncover previously unknown breaches.

Also, it’s important not to forget about the target company’s suppliers, contractors, subsidiaries, or third parties. What measures have they taken to strengthen their cyber-defenses? What measures do they have in place to effectively respond in the event of a data breach, especially remotely?

Buying a company that has been exposed to a data breach doesn’t necessarily make it a risky deal, Golden says, but you’d want to know what cyber-security remediation measures were taken and the maturity of the security program, or whether certain vulnerabilities still need to be addressed.

A data breach can impact the valuation of a deal and be used as leverage for the buyer. To the extent that you’ve done a cyber-security maturity assessment, you can assess what the likely spend will be to build out the seller’s security capabilities and include that as part of the cost, Nocera says.

Also, if any intellectual property was stolen by a competitor or a nation state in the event of a data breach, that could hinder the expected value of the IP in the long-term, Nocera says. “You’d want to decrease the value of that IP by some factor in proportion to the overall value of the company,” he says.

Companies looking for a real-world example of a data breach impacting valuation in an M&A deal don’t need to look any further than Verizon Communications’ 2017 acquisition of Yahoo!. In that case, Verizon was able to slash $350 million off the original $4.8 billion purchase price following Yahoo’s disclosure of two massive data breaches that collectively compromised more than one billion user accounts.

The deal also illustrates the high cost of a breach from a seller’s side. For its part, Yahoo! agreed to pay half of all costs related to government investigations and third-party litigation. Additionally, Yahoo! was left to foot the bill for all liabilities from shareholder lawsuits and Securities and Exchange Commission investigations—a particularly hard pill to swallow, considering it did not carry cyber-security insurance.

That brings about another point: Consider whether the target company has cyber-liability insurance in the event of a data breach. “If they don’t, that could be a red flag that it’s less mature and robust in its cyber-program,” Scott says. “In any size business transaction, the target company should have protections in place, and that includes insurance for cyber-liability and a cyber-event.”

Post-deal follow up

When it’s time to close the deal, “the No. 1 thing is to prioritize and remediate critical security gaps that were found during due diligence,” Scott says. Keep a checklist: What needs to be remediated, and at what level of urgency—within one month, two months, six months, or a year?

Also, once a deal closes, start looking deeply into system and process vulnerabilities by conducting penetration testing or purple teaming exercises, Scott recommends. Some cyber-vendors, like Kroll, will carry out simulated attacks or practical scenarios that include examining those systems for exploitable vulnerabilities and working with internal organization teams to develop stronger protection, detection, and response controls and processes.

In the event of a cyber-attack, do they have a formal response plan in place or is it ad-hoc? Scott recommends practicing that fire drill: “Who are we going to call? How will we know when to pick up the phone and get help? What logs do we pull?”

The post-deal stage is also when you want to start to synergize. At a minimum, there may be redundancy in technologies that offer the same capabilities, Nocera says. “Particularly during this economic slowdown, cyber-budgets are under pressure,” he says, and so it’s a good idea to focus on the technology spend side and where to capture cost savings.

The good news is that today’s virtual work environment doesn’t appear to be negatively affecting deal management and execution. According to Deloitte’s M&A trends survey, 87 percent of respondents reported their organizations “effectively managed a deal in a purely virtual environment.”

Anecdotally, Nocera says companies are doing a pretty good job in a virtual work environment managing cyber-risks as part of the due diligence process. “Our client teams have really adapted and adjusted and managed through it,” Nocera says, “and so from an M&A perspective they’re still able to do diligence virtually.”