The following post was drafted as an assignment between Danielle Chirdon, Anita Western, and me.
Executive summary: To properly assess the risks and liabilities in a merger or acquisition, the due diligence process must include an assessment of the target corporation's cybersecurity. An acquiring company must evaluate the strength of the target's cybersecurity processes and controls. In light of the increasing significance of cybersecurity threats, in February 2018 the SEC issued interpretive guidance that builds on its 2011 staff guidance on disclosure obligations relating to cybersecurity risks and cyber incidents. Companies operating in the European Union will also need to comply with the new General Data Protection Regulation, which gives individuals the right to have certain data erased, requires designation of a data protection officer in certain cases, and requires reporting of personal data breaches to the supervisory authority within seventy-two hours.
Cybersecurity in M&A
Cybersecurity is one of the most overlooked issues in M&A transactions.[1] An estimated "78% of global respondents believe cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process."[2] A corporation should assess cybersecurity risk before it enters into a merger agreement with another company.[3] The acquirer needs to know the risk it assumes when it takes over a target company.[4]
In 2017, Verizon, learning from the cybersecurity failures of TripAdvisor and Neiman Marcus, made cybersecurity a central part of its due diligence review.[5] During its due diligence review of Yahoo, Verizon found that the web company had suffered large security breaches.[6] This discovery allowed Verizon to negotiate a lower price for Yahoo and to develop a strategy for the associated risk.[7] It was later determined that several Yahoo executives had known about the breaches but had failed to comprehend or investigate them properly.[8] Courts have found that an acquirer's board of directors breaches its fiduciary duty of care if it fails to conduct a due diligence study of the target company, or conducts an inadequate one, before merging with or acquiring it.[9]
What is Cybersecurity?
Cybersecurity is a set of principles and practices designed to safeguard an organization's information systems and networks, company data, email messages, and the information that is processed, communicated, and stored on those systems.[10] The goal of cybersecurity is to protect against a wide range of threats. Doing so ensures business continuity, minimizes risk, and maximizes business opportunities and returns for shareholders.[11]
A corporation implements cybersecurity controls to protect its data. A corporation holds data such as the personally identifiable information of its employees, customers, and other individuals; corporate financial information; trade secrets; intellectual property; and other sensitive and confidential information.[12] Threats to a company's information fall into three primary categories: physical and environmental threats, technical threats, and people threats.[13] Physical and environmental threats involve the theft, damage, or destruction of the physical elements of the information system, such as servers and laptops.[14] Technical threats are carried out through computer code or other automated mechanisms.[15] People threats come from individuals within the company, from competing companies, or even from foreign government entities.[16]
Cybersecurity Due Diligence
In 2016, cybercrime was estimated to cost corporations between $375 billion and $575 billion.[17] It has been projected that by 2019, cybercrime will cost corporations over two trillion dollars.[18] Beyond direct cost, a breach damages public perception, as the post-breach reputations of Target and Equifax show.[19] When acquiring a company, the target's cybersecurity status and program are vital to an acquirer, because a company with a poor cybersecurity program will require substantial resources to bring it into legal compliance.[20] An acquirer assumes the risk of the target company, and if the target is found to have suffered numerous cyber incidents and is sued, the acquirer may be liable.[21]
How can an acquiring corporation ensure that it is not one keystroke away from a major data breach or another cyber attack? Assessing a target's cybersecurity risk requires an additional assessment within the traditional due diligence process.[22] An acquirer must identify actual or potential cyber threats.[23] When conducting a cybersecurity assessment, an acquirer should begin by identifying and evaluating the company's "high value digital assets."[24] Hackers target corporations' intangible assets, for example trade secrets, engineering designs, customer lists, personally identifiable information, and confidential bids on government programs.[25] A key component of due diligence is to evaluate the company's data security plan to determine whether there are potential risks and, if so, to develop a plan to address them.[26]
The acquiring company should investigate whether the target has both processes and controls in place to address cyber incidents that may arise.[27] A data security process involves identifying, understanding, and monitoring critical information assets such as personally identifiable information and IT systems.[28] A target company should be conducting cybersecurity risk assessments of its data security processes before the acquisition. A risk assessment identifies the vulnerabilities and threats aimed at critical information and the potential impact if those threats were realized. Acquirers often request documentation of these risk assessments when conducting due diligence on the target.
An acquirer should also request information on the security controls the target company has put in place. When investigating data security controls, the acquirer is looking for the policies, processes, procedures, hardware, software, and teams established to deter, monitor, and respond to threats aimed at the company's critical information.[29] Security controls fall into three types: preventive, detective, and reactive.[30] Preventive controls are designed to defend against threats and prevent events that compromise security.[31] Detective controls are designed to identify threats that have occurred, such as security breaches.[32] Reactive controls are designed to stop or contain threats, to determine the parties involved, and to recover information that has been damaged or lost.[33]
"Companies with poor security programs may be perilously close to a security breach that can have a major impact on its revenue and profitability."[34] Conversely, target companies with robust cybersecurity programs may offer enhanced value to the acquirer and give the acquirer more confidence in the value of the acquisition.[35] Anything learned during cyber due diligence can be used to renegotiate the terms of the deal or to alter the plan for integrating the target into the acquirer's company.[36] If a discovered breach is found to be irreparable, it may lead to termination of the merger or acquisition.[37]
Cybersecurity Disclosure Requirements According to the U.S. Securities and Exchange Commission
A cybersecurity due diligence analysis of a publicly traded company should also review the disclosures the target has filed with the U.S. Securities and Exchange Commission (SEC). The Securities Exchange Act of 1934 requires periodic reporting "as necessary or appropriate for the proper protection of investors and to insure fair dealing in the security."[38] Regulation S-K requires public companies to provide "a discussion of the most significant factors that make the offering speculative or risky," a requirement that is particularly relevant to cybersecurity threats.[39] In 2011, the SEC's Division of Corporation Finance issued guidance on disclosure obligations for cybersecurity risks.[40] That guidance is "neither a rule, regulation, nor a statement of the SEC."[41] In light of heightened awareness of cybersecurity risk, on February 21, 2018, the SEC announced that the Commission had voted to approve a statement and interpretive guidance to assist public companies in preparing disclosures of cybersecurity risks and incidents.[42] The statement emphasized the importance of "establishing and maintaining appropriate and effective disclosure controls and procedures," as well as "the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents," particularly in the context of insider trading.[43]
Despite encouraging risk disclosure, the guidance "indicate[s] that materiality of the risk should be an overarching consideration affecting disclosure."[44] The guidance and the 2018 statement discourage generic disclosure[45] and disclosure that would provide "a roadmap for those who seek to penetrate a company's security protections."[46] Because it was approved by the Commission itself, the 2018 statement should have a stronger impact on disclosure of cybersecurity risks than the 2011 staff guidance. In a Winter 2017-2018 ABA Business Law Section publication, the authors examined the impact of the 2011 guidance on 10-K disclosures and found that only a relatively small portion of firms chose to modify their risk factor disclosures.[47] Moreover, firms that did disclose saw negative effects on their stock prices, suggesting that investors did not view disclosure as a positive signal of management attentiveness.[48] Firms thus face an uncomfortable tension: investors need risk disclosures to make informed decisions, yet disclosing specific vulnerabilities may invite an attack.
Cybersecurity and the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation intended to standardize how an organization must manage and protect the personally identifiable information (PII) of employees, clients, and other data subjects.[49] The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization itself is domiciled.[50] The GDPR represents a significant overhaul of Europe's data protection law. It replaces the national laws that implemented the 1995 Data Protection Directive and standardizes protection rights throughout the EU.[51] The GDPR becomes enforceable on May 25, 2018.[52]
The regulation increases the rights that individuals have over their data.[53] The right to data portability is one of the most significant new rights.[54] Under the GDPR, an individual has the right to obtain their personal data from one organization and move it to another.[55] To make this possible, personal data must be provided to the individual in a structured, commonly used, and machine-readable format.[56] The GDPR also stipulates that, where technically feasible, organizations should transmit the personal data directly from one organization to another if the individual so requests.[57]
The GDPR also grants data subjects the 'right to be forgotten.'[58] Personal data must be erased "without undue delay" when, among other grounds, (1) retention is no longer required, (2) the data is no longer needed for the purpose for which it was collected, or (3) consent is withdrawn.[59] Individuals can ask an organization to delete their data.[60] Organizations that do not yet have a process for handling such requests will have to put one in place to conform to the GDPR.[61] The GDPR also requires personal data breaches, including accidental or unlawful access, to be reported to the supervisory authority within seventy-two hours of the organization becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals.[62]
Lastly, the GDPR requires certain organizations to appoint a data protection officer (DPO). An organization must designate a DPO if, among other triggers, its core activities as a data controller or data processor involve "regular and systematic monitoring of data subjects on a large scale."[63] For firms that already have a chief privacy officer (CPO), transitioning that person to the DPO role may satisfy the GDPR, provided the role meets the regulation's requirements for expertise and independence. If there is no CPO or similar position in the organization, a DPO role will need to be created.[64]
Non-compliance with the GDPR carries hefty fines.[65] An egregious violation, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.[66] These enhanced penalties will be one of the largest effects of the GDPR on M&A. Organizations that commit a serious breach of the GDPR face potential fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.[67]
Citations can be provided.