Cyber security due diligence in M&A transactions

28/11/2019
In M&A, due diligence on the target's cyber and other security issues is more important now than ever, for organisations in all sectors not just technology: security is a key business risk, not just a technical issue.

While the final fine has not yet been issued at the date of writing, this point was brought home by the 9 July 2019 notice from the UK Information Commissioner's Office (ICO) of its intention to fine hotel group Marriott International £99,200,396 following a cyber-incident affecting the Starwood Hotel group (seemingly about 3% of Marriott's 2018 gross revenues). Starwood's systems were compromised in 2014. Marriott acquired Starwood in 2016. But it was not until November 2018 that Marriott discovered unauthorised access to Starwood's guest reservations database, exposing the personal data of up to some 500 million guests worldwide (30 million EEA, 7 million UK). The ICO found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its system". GDPR's requirements "…can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

No sector is immune. Four months before cybersecurity company Avast acquired Piriform, attackers accessed Piriform's network and, some two weeks after the acquisition, injected malware into the installation file for Piriform's CCleaner product, downloaded by 2.27m CCleaner users. In a blog about the incident, Avast stated, "…M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process…"

It's not new that inadequate security can carry huge risks for both buyers and sellers. For example, in 2016, TalkTalk was fined what was then a much-publicised record £400,000, pre-GDPR (the EU General Data Protection Regulation). TalkTalk had acquired Tiscali UK in 2009, but didn't realise that Tiscali's infrastructure included badly-secured webpages, connected to an outdated Tiscali database containing 156,959 customers' personal data, that remained Internet-accessible. These vulnerabilities enabled a teenager to obtain that data in 2015. Also, consider the US$35 million reduction in sale price to US$4.48 billion when Verizon bought Yahoo! in 2017, after the discovery of previous data breaches following cyberattacks on Yahoo! (and the ICO fined Yahoo! UK £250,000 in 2018, pre-GDPR). Longer term, breached companies were found to underperform the market.

What is new is the massive fines that can now be levied for security and other GDPR breaches, e.g. of the integrity/confidentiality principle and of data protection by design and by default (which includes security by design/default), with attendant reputational risks from the publicity. As is well known, GDPR fines can reach 4% of the group's gross annual revenues/turnover or €20m if higher. Don't forget the risk of lawsuits, as group litigation and quasi-class actions claiming compensation for security breaches are increasingly common. For example, lawsuits have been commenced against British Airways seeking compensation for its 2019 security breaches. Shareholders could well also take action in the acquisitions context. Furthermore, non-compliance with industry schemes such as PCI-DSS for payment cards raises risks of scheme fines. But appropriate insurance cover has an increasing role – reportedly, Marriott's $100m costs to date were cushioned by $102m of insurance payouts it received.

Targets should of course seek to get their security houses in order in advance of acquisition negotiations. And it would particularly behove prospective buyers to engage privacy/security expertise from the outset, not only because security-related issues may affect valuation, but also to protect themselves from material security-related risks. Accordingly, buyers should:
  • Conduct appropriate due diligence - legal and technical - regarding security and data issues, as relevant to the target's business/sector. This includes issuing enhanced legal due diligence checklists covering data protection, privacy and security. If initial responses raise any red flags, the due diligence may have to extend to reviewing security-related policies and possibly using security experts to scrutinise target systems/data.
  • Ensure transaction documents include provisions appropriate to the specific risks, such as:
    • Possible retentions from the sale price.
    • Representations and warranties on the target's security policies and implementation, addressing in particular specific security risks uncovered by the due diligence exercise.
    • Indemnities, enforceable post-completion, covering e.g. investigation, remediation, recovery and compensation costs, fines etc. for security incidents arising from pre-completion target acts/omissions.
    • Extending "material adverse change" events entitling termination, or events/circumstances entitling price reductions, to include pre-completion target security incidents.
  • Conduct an insurance review of the target as part of the due diligence review, particularly to check whether any pre-existing insurance policies adequately cover cyber/security risks, and if necessary consider obtaining appropriate specific warranty and indemnity (W&I) policies to cover warranty claims under the purchase agreement, perhaps at the target's cost.
  • Implement the secure integration and migration of the target's systems/data with the buyer's systems/data within a reasonable period after completion, aided by the due diligence report, with continual periodic monitoring and addressing of security risks thereafter.
No longer can cyber diligence be reserved only for the largest acquisitions. Buyers now need to focus on cyber diligence as an essential part of the M&A process. If a buyer does not, it may end up with worse than just a slap on the wrist from the regulator.
