15 min read
Our Take: Mergers and acquisitions happen all the time and for many reasons. In the course of the process, one thing that tends to be overlooked by the acquiring company is the issue of cybersecurity of the organisation they are taking over. As they buy the company, they also buy its data, technology, and all associated risks. There have been several high profile cases involving data breaches in mergers and acquisitions in recent years. From these cases, we have learnt that organisations must perform proper cybersecurity due diligence and cyber risk assessments while going through the acquisition process.
This Article is a reviewed version of the original Article which was published on Thenigerialawyer. It contains more relevant information and is updated with recent developments in the cybersecurity space.
Cybersecurity is a major issue in today’s business world. It requires business owners and intending business owners to accord it priority attention, as failing to do so will work against the business. In this piece, I will take a critical look at cases within the cybersecurity landscape, especially as they relate to Mergers & Acquisitions(M&A). I also gave few examples of cases of cybersecurity breaches and their effects on companies that neglected to ask key (cybersecurity) questions whilst engaging in an M&A. However, I will also provide a step-by-step guideline on key cybersecurity due diligence questions that must be raised at the ensuing phase of an M&A, and I believe that if they are fully adapted by companies, they will save companies from millions of dollars’ loss.
Hitherto, companies engaging in M&A or others form of business combination, usually would not consider cybersecurity due diligence an important part of a merger or acquisition process. However, the realities of the present times bring to the fore the inevitableness of cybersecurity due diligence for businesses to, not only consider cybersecurity due diligence an important subject, but also give it priority attention. And where the company on the other side of the transaction declines a request for cybersecurity due diligence, such should be treated as a red flag.
M&A is an act of acquiring effective control by one corporation over the assets or management of another corporation without any combination of both of them. Also, M&A are transactions intended to transfer or consolidate control in a firm and/or acquire new assets and liabilities. The driving forces for an M&A include seeking economies of scale, meeting new regulatory challenges, expanded capability in providing services, gaining from shared services, opportunism, acquire new technologies, value creation, expanding their market geographically etc. M&A has yielded tremendous profits to companies since its conceptualization. However, recent developments, given the emergence of innovative technologies, show that lack of M&A due diligence is one of the contributing factors for losses suffered by companies in the sums of millions of dollars.
It is not in doubt that technological innovations have helped businesses to scale, extend to a wider customer base, and optimize profit. With innovative technologies, companies can now easily integrate their businesses with technology or entirely migrate their products/services to the cyberspace to increase their customer base, improve service delivery, reduce cost, and at the same pace, increase profit on a very wide scale. But it does not stop there; the ease brought by technology to businesses also comes with attendant challenges – companies are now more vulnerable to cyberattacks from vicious cybercriminals more than ever before.
Cyberattacks have crippling effects on businesses. Cyberattacks are unwelcome attempts to steal, expose, alter, disable, or destroy information through unauthorized access to computer systems. Usually, a single attack costs millions of dollars to resolve, and corporate/industrial outfits are the prime targets. The motivation for an attack can range from information theft for personal (or corporate profit), political activism, espionage, spamming, gaining control, vulnerability testing or just for fun.
For the purpose of this Article, attention is given to information theft. The objects of the attacks range from company’s intellectual property, trade secrets, personally identifiable information (PII) such as name, date of birth, home address, credit card information and many other valuable personal information. One of such cyberattacks was the Capital One data breach perpetrated between 22nd and 23rd March 2019, which was however discovered on 17 July, 2019. Over 100 million personal data of the company’s U.S. and Canadian customers were exposed; about 140,000 Social Security Numbers and 80,000 linked bank account numbers were also obtained through the breach. This is just one of the numerous cyberattacks that occur almost everyday globally. In 2017, 147 million Equifax customers’ data were stolen by cyber criminals; the company was fined $700 million by the U.S. Federal Trade Commission (FTC) as a result of the breach. The fine is exclusive of what the company will expend as remediation costs and litigation settlement, and on its cybersecurity infrastructure to prevent future occurrences.
In most cases, it is not every company that knows that cybercriminals have gained access into its system(s). In the case of Capital One, for instance, it took approximately four (4) months before the company found out that its cybersecurity infrastructure had been compromised. For Starwood Hotels & Resorts, cybercriminals were on its system for over two (2) years without its knowledge (up till the time when the company was acquired by Marriott International Inc.).
There is a common saying in the cybersecurity space that “there are two types of companies: those that have been breached, and those that do not know that they have been breached.” That is what we see these days. Cases of sophisticated cyberattacks occur on a daily basis. On the average, cyberattack occurs every 11 seconds on a daily basis.
In Nigeria, while there seems to be lower cases of cyberattacks that have received wide media coverage, a Deliotte report: “Nigeria Cybersecurity Outlook 2019,” revealed that there were mix cases originating from phishing attacks, malicious software being embedded at payment interfaces and ransomware resulting into loss of billions of Naira. The threat landscape in Nigeria is on the rise. As of 2017, $649 million has already been lost to cyberattacks ranging from phishing and malware attacks, “yahoo- yahoo” internet crime, fictitious relationships, and attacks on companies. Global losses to cybercrime are expected to grow by 15% per year in the next five years, reaching $10.5 trillion USD annually by 2025.
This highlights the importance of cybersecurity due diligence in the scheme of business combinations in the coming years.
1. DUE DILIGENCE
Due diligence is a process of verification, investigation, or audit of a potential deal or investment opportunity to confirm all facts, financial information, and to verify anything else that was brought up during an M&A deal or investment process. It comprehends inspection and investigation, where prudent, to determine the existence of deficiencies before they become critical, and the failure to discover defects which examination would necessarily have disclosed. Due diligence is often used in connection with preparation of information for a client who is about to embark on a large real estate transaction, or a business merger, on in other situations of a like nature. In the context of this Article due diligence connotes all precautionary measures and investigative questions undertaken by parties in an M&A transaction to ensure that parties on either side are in good standing and without any defects, whether latent or patent which is capable of negatively affecting the transaction.
Due diligence is usually completed before the close of a deal so as to provide the buyer with an assurance of what it is getting. The reasons for due diligence, among other things, are to confirm and verify all information that was brought to the parties’ knowledge in the course of the deal negotiation or investment process and to ensure that the buyer is not buying a defective company. The obligation for due diligence is more on the acquirer since it is the party who will be making huge financial commitments in the transaction and any defect on the target company would be at the loss of the acquirer.
There are several reasons why a company may contemplate a merger or acquisition. Merger and acquisition are often conflated words without proper explanation. It is apposite to note that a merger occurs when individual organizations resolve to come together to form one corporate entity. On the other hand, an acquisition occurs when a larger company/organization, which is more financially proficient takes over a smaller company. The reason for an M&A could be for risk diversification, to achieve corporate growth, to enjoy tax relief & asset benefits, acquisition of technical staff or economic factors etc, and one would hardly see that these companies engaging in an M&A carried out cybersecurity checks, especially on the target company.
2. CYBERSECURITY DUE DILIGENCE
Conventionally, in most industries, there are two common types of due diligence: financial and legal due diligence. Financial due diligence involves an independent accounting firm focused on reviewing and evaluating the balance sheets, income statements, audit reports, and cash flow statements and projections. This includes examination of property (real and personal), as well as any other tangible and intangible assets. Along with this is valuation of debts. There are several competent public accounting firms that specialize in this type of work. On the other hand, legal due diligence involves an extensive examination of the entity’s structure; business permits and/or approvals; employment and labor law compliance; environmental law approvals, permits, and compliance; contractual rights and obligations; intellectual property rights and obligations; real property law compliance; securities and financing regulatory compliance; tax exposure risks; consumer protection law and exposure risks; international trade and export permits and/or licenses; previous and/or current litigation; media reports; and external consultants and/or advisors.
M&A due diligence ordinarily entailed asking questions and carrying out thorough investigations with respect to the target’s financials, technology, patent, customers, strategy, material contracts, employment and management issues, litigation, and regulatory issues. However, due diligence around technology prior to now do not engender issues bordering on the health of the target’s cybersecurity defense systems, or a history of penetrations into the target’s security systems. I argue that there should be a more in-depth due diligence on the target to include the target’s cybersecurity infrastructure check-up. A Freshfields Bruckhaus Deringer report in 2015 revealed that 78% of deals still did not specifically quantify cybersecurity as part of the M&A due diligence process. However, a recent survey showed that 93% of information technology professionals view cybersecurity evaluations as very important in company’s M&A decision- making.
Buying a company is tantamount to buying its data-past, present, and future. It means buying the company’s past, present and future data security problems or benefits. The economic impact of a transaction on the acquirer can shift dramatically if, after the deal is consummated, past or on-going data breaches come to light. This also throws open a floodgate of litigations by victims of a breach. This is exemplified by the Yahoo- Verizon, and Marriott-Starwood’s M&A quagmire.
3. IMPACTS OF FAILURE TO CARRY OUT CYBERSECURITY DUE DILIGENCE IN M&A
In July 2016, Verizon Communications (Verizon) entered into a merger deal with Yahoo! (Yahoo) to purchase a portion of Yahoo’s core internet business for $4.8billion, unaware of the data breaches which Yahoo had suffered prior to the deal. Not long after entering into the deal, a purported information broker, by the name, Peace (or Peace_of_Mind) was discovered to have been marketing personal data of about 200 million Yahoo accounts obtained sometimes in 2014. Yahoo investigated the incident and discovered the truth. The investigation revealed that in 2014, Yahoo suffered a breach that affected, at least, 500 million Yahoo accounts users. This was not made known to Verizon until two months later (after the Purchase Agreement had been executed by Yahoo and Verizon). In December 2016, Yahoo further announced that a breach that occurred in 2013 affected about 1 billion Yahoo accounts user. Given the developments, Verizon had to assess the impact of the data breaches so as to decide whether to continue with the transaction (at a reduced rate) or simply walk away. Later on, Verizon and Yahoo negotiated a $350 million reduction in the purchase price.
The underlying effect in M&A, is that buying a company confers on the buyer the implied obligation of buying the target’s data – which may work to favor or be to the disadvantage of the buyer. This is the reason why it is imperative that there must be full disclosure of all relevant information at the disposal of the parties at the early stage of the transaction, no matter how insignificant such information might appear to either party.
The Marriott-Starwood M&A saga further highlights the importance of cybersecurity due diligence in an M&A transaction for intending companies. Marriott International, Inc. (Marriott) acquired Starwood Hotels & Resorts Worldwide (Starwood) in 2015, unbeknownst to Marriot, Starwood had suffered a data breach in 2014. Unfortunately, the breach exposed personal data of about 399 million Starwood customers. Although, the precise number of persons affected were unknown as there may have been multiple records of an individual guest. About two years after the acquisition, the data breach became common knowledge. In reaction to that, the United Kingdom (UK) Information Commissioner’s Office (ICO) fined Marriott £18.4 million for failing to secure the personal data of its customers. The Information Commissioner remarked that:
Personal data is precious, and businesses have to look after it. Millions of people’s personal data was affected by Mariott’s failure; thousands contacted the helpline and others may have had to take action to protect their personal data because the company they trusted it had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The data breach occurred in 2014, however, the fine by the ICO was premised on a new breach that occurred after the European General Data Protection Regulation (GDPR) came into force in 2018. This further highlights a compelling reason why companies going into M&A should prioritize cybersecurity due diligence.
4. REASONS FOR CONCEALMENT OF BREACHES
There are several reasons why target companies default or deliberately ignore their obligations to disclose information of data breaches it suffered during an M&A deal. Although none of such reasons is justifiable, as the consequential effect of the concealment is very detrimental to the company’s future prospects. The following are a few of such reasons:
i) Lack of Knowledge of the Existence of a Breach
This tops the reasons why companies that have suffered data breaches do not disclose such information during an M&A transaction. Most companies do not know that their cybersecurity systems had been breached prior to the deal or that cybercriminals are on their system at the time negotiations are on-going for an M&A deal with a potential acquirer. Although knowing the existence of a breach could be a deal-breaker. A case in point is the Yahoo-Verizon 2016 merger deal. For over two years, Yahoo was unaware of the existence of a breach in its cyber infrastructure, which had affected over 500 million account users’ data, until the mastermind granted a confidential interview to Vice and Wired when he commenced selling the data he had harvested during the breaches on dark web. One may argue that that shows lack of adequate security arrangements on the part of Yahoo. However, the truth is that most companies do not know when their cyber infrastructure is compromised. Most times, it takes up to months, or even years, before the company becomes aware of such a development (as in the cases of Yahoo, Starwood and Capital One data breaches cited above).
Data breaches of companies’ systems are executed by sophisticated, and highly technical cybercriminals that specialize in executing their dastardly acts stealthily. So, in such a situation, where the company whose cyber infrastructure has been compromised enters into an M&A deal, and eventually the target company is acquired, the buyer automatically buys whatever the target company may have suffered prior to the transaction. This is the reason why acquiring companies must be wary and exercise absolute discretion when it comes to M&A due diligence. Whatever is not revealed during the negotiation phase may pose a great harm to the acquiring company upon the merger or acquisition.
ii) Dread for Penalties
Most companies would prefer not to disclose any data breach they suffered, since divulging the incident it will attract some fines/penalties from regulatory authorities. What follows a breach is not just the loss of customers’ personal data, reputational damage, and the remediation cost. The company also suffers a loss in the form of fines/penalties from the regulatory authority.
Companies that have suffered data breaches have been fined a somewhat “outrageous” sums for failure to protect consumers’ personal data. For instance, in July 2019 Equifax was fined the sum of $700 Million for a breach that affected the financial and personal information of almost 150 million of its customers in 2017. Similarly, on 24 July 2019 the FTC fined Facebook the sum of $5 Billion for violating consumers’ privacy. The list goes on.
However, it is an offence to conceal information about a data breach under several laws. In Nigeria, for instance, under Section 21(3) of the Cybercrimes (Prohibition, Prevention etc.) Act, 2015, a company that defaults in disclosing an attack on its cyber infrastructure within 7 days of the incident is liable to a fine to the tune of ₦2 Million Naira. In the United States, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislations requiring private or governmental entities to notify individuals (and the relevant regulatory body) of security breaches of information involving personally identifiable information.
iii) To Avoid Litigation from Affected Customers
On September 26, 2019, I received a mass email from Yahoo about a pending class action against it and one Aabaco Small Business, LLC. The suit came as a result of the data breaches of 2012-2016 affecting approximately 3.5 billion Yahoo account holders. Lawsuits against companies whose customers’ personal data are disclosed during a breach usually run into millions of dollars in settlement. In the Yahoo data breach, Yahoo accepted to pay $117,500,000 USD as settlement fund for the breach which the hearing of the suit came up on April 2nd, 2020, at the United States District Court, Northern District of California, San Jose Division, USA. The lawsuits are usually predicated on the failure by the company to protect its customers’ personal information. In 2017, Anthem Inc. (one of America’s largest insurance companies) agreed to a $115 million USD settlement after a breach that affected about 80 million customers’ personal information. We can see that disclosing the existence of a data breach usually results in the company being inundated with an array of lawsuits from perceived sufferers of these breaches, and this usually leads to the company parting away with a lot of money in settlement of the dispute. So, to avoid this burden, most companies choose to keep mute about it, except where they cannot help it.
iv) To Avoid Reputational Damage and Loss of Customers/Revenue
A recent survey by PCI Pal46 in the USA, UK, Canada, and Australia revealed the attitudes of customers after a company in possession of their personal data had suffered a data breach. In Australia, 43% claim that they will stop spending with a business for several months in the immediate aftermath of a security breach, whilst 43% stated that they would never return to the company post-breach. In the UK, 44% claim that they will stop spending with a business for several months in the immediate aftermath of a security breach, and 41% said they would never return to the company post-breach. In the US, 83% claim that they will stop spending with a business for several months in the immediate aftermath of a security breach, and 21% of the US customers said they would never return to the company post-breach. For Canadians, 58% said they would stop dealing with the company for several months post-breach, whilst about 21% said they would never return to the company. The negative consequences of a cyberattack on a
company are, sometimes, unprecedented. So, to avoid this, most companies would rather not disclose such breach until a later time or never disclose such. A cyber breach impacts negatively on the company’s goodwill which it had built for years, and as such, most companies would elect to keep the incident to themselves.
Be that as it may, the above provide more compelling reasons why companies contemplating (or have already engaged) in an M&A transaction must not wish away the need for cybersecurity due diligence, as there are telling consequences for failure to do so on either of the parties.
5. COMPONENTS OF CYBERSECURITY DUE DILIGENCE IN M&A
Acquiring companies in M&A should ensure that the following measures are taken whilst conducting due diligence on target companies:
- Identify all data that currently exists within the target’s systems and where it
- Consider and evaluate any previous data breaches reported by the company;
- Assess the target’s network to identify any existing or past vulnerabilities;
- Implement an active detection and response solution within the target company to find hidden threats;
- Understand the target company’s security policy;
- Understand the kind of training which the employees are engaged in, whether they rely on cloud or physical security;
- Evaluate the status of the target’s cybersecurity regulatory compliance, i.e., identify applicable compliance requirements, determine whether the target is in compliance with its cybersecurity legal obligations, and evaluate the risks posed by any failure of such compliance;
- Identify all third-party risks and data management efforts in respect of all outsourced services; and
- Identify the target company’s privacy polies in place.
More thorough due diligence should be conducted at the post-merger phase which is the integration phase. Some latent facts which were unnoticed during the pre-merger and merger phases may be discovered during the post-merger phase. The point here is that thorough scrutiny should be carried out on the target company, as most target companies usually do not disclose some key information during the pre-merger and merger phases, so as not to lose out in the transaction or suffer a reduction in its value by reason of disclosing any breach(s) it had suffered prior to the M&A transaction. The cases of Marriott-Starwood and Pacnet-Telstra reveal how far target companies can go in concealing vital information about breaches they have suffered until the deal is concluded before the secret will be made known.
Pacnet, with headquarters in Singapore and the Hong Kong provided data center services to carriers, governments, and multinationals prior to its acquisition by Telstra, an Australian telecommunications services provider. Barely a month of acquiring Pacnet, Telstra announced that Pacnet was hacked before its acquisition, but this was not made known during the transaction. Cybersecurity due diligence might not yield a precise and exact picture, but it has the capability to provide an acquirer with a far closer approximation of the actual condition of the target’s digital assets by revealing the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring the control of those assets, and any records of cyber incidents that may have resulted in compromises of those assets.
No enterprise is immune from cyberattacks and none appears to be impregnable. Virtually all enterprises have been breached and have had, at least, some of their sensitive information compromised, and the threat landscape is increasing by the day. It is not out of place to propound that more breaches are going to happen in the future. However, it is advised that, going forward, business entities engaging in M&A should give cybersecurity due diligence a priority attention, as it can save them from numerous unexpected challenges, losses, and setbacks.
In addition, it is not out of place to also plan ahead by taking up cybersecurity insurance in the event of a breach. This will save the company a lot of financial burdens. The Yahoo-Verizon case makes this suggestion more exigent. Yahoo solely bore the burden of paying all settlement costs that followed the claims by affected account holders. One can only imagine the impact of such expenses on the company’s bottom line.
• Organisations must evaluate and consider any past or existing breaches or vulnerabilities the target company has suffered or encountered. This will help them decide what measures or solutions they can mitigate or remediate some of these issues.
• Organisations must learn about the technology their target company uses; everything from the network and data infrastructure to hardware and software, intrusion detection systems and other cybersecurity controls. Doing this will ensure they have proper visibility over every possible attack surface.
• Organisations must learn about their target company’s cybersecurity policies, privacy policies, and compliance with relevant cybersecurity regulations.
• Organisations should consider getting cybersecurity insurance so they will not have to bear the brunt of the costs of a data breach.
• Organisations must find out about all the third-party services their target company employs. With the rise in supply chain cyberattacks, organisations must assess the risks associated with third parties so they can prevent such attacks.
About the Author: Reuben Okafor – University of Illinois College of Law
Keywords: Cybersecurity, Mergers and Acquisitions, Due Diligence, Breaches