Cybersecurity Due Diligence in M&A Transactions

Introduction

Each year the financial consequence of data breaches creeps higher and higher. On average in 2021, a data breach cost a company $4.24 million, which is a 10% increase in the average cost compared to 2019. Of course, for companies in specific industries such as finance and healthcare, the damages can be even higher. In addition to the scary headlines and publicity nightmares, security—including cybersecurity—brings with it a moral aspect. It comes as no surprise then that cybersecurity due diligence is playing a larger role in the M&A process and garnering more attention from potential acquirers. 

What is Cybersecurity Due Diligence in M&A?

Cybersecurity due diligence is the process of researching and identifying cyber risks in a target company, as well as understanding the current levels of cybersecurity within the organization. M&A experts at Deloitte recommend this due diligence process extend to any subsidiaries and third party vendors associated with the target.

The best approach to cybersecurity due diligence in a M&A transaction begins with a complete understanding of where the data is stored and how it is shared. This is often called a data map, and it is essential to cybersecurity due diligence. Next, the acquirer must review the target’s cybersecurity, including past security assessments and how data is currently protected and monitored. 

Moreover, from the buy-side, the security organizations and functions should be involved in the due diligence process. Specifically, security should provide M&A support to the business in two specific ways: 1) make sure integration is done securely, and 2) integrate all security functions (supply chain security, physical security, travel security, fraud security…); this planning obviously starts during the diligence phase and an understanding of where the data is and who has access to it. 

The Importance of Cybersecurity in M&A Transactions

Cybersecurity in M&A transactions provides value on two levels: to the business itself and to the security team.

Value to customer

1. Customer value – Customers of the target organization, customers of the acquirer, and all other customers involved should benefit from all the new resources; customer security should go up due to new and shared resources.
2. Shareholder value – Just as customers receive value from cybersecurity due diligence and M&A security, so do the shareholders.
3. Reduced vulnerabilities and risks before ownership takes place – On Day 1 vulnerabilities and risks are now yours/the acquirer’s; reduce them ahead of time with due diligence and a focus on security.
4. Potential for improved integration schedule – Can you accelerate some aspects of integration by involving security? According to Jim McConnell, Corporate Security Leader at Verizon, security can often help accelerate integration.
5. Avoidance of negative or embarrassing front page news – Focusing on security and being prepared allows you to avoid the news truck pulling up in front of your office.

Value to security team

1. A seat at the decision-makers’ table – Security needs a seat at the table with other leaders and workstreams. Today, for the most part security has “made it” to the table.
2. Powerful partnerships and networking opportunities – The security team can cultivate powerful relationships and benefit from networking opportunities once it has a seat at the table. 
3. ROI for security team – Financially and otherwise, there is ROI for the security team; security professionals have to invest time and resources, but the ROI can be powerful. 
4. Technology insights – Security professionals will be exposed to new technology (and new threats) with each deal.
5. New best practices – Every situation yields new best practices and ideas to bring to the next deal. 

Cybersecurity Considerations in M&A Transactions

Data Privacy

According to Bloomberg Law, C-Suite executives and their M&A legal counterparts are increasingly concerned with data privacy and data privacy laws; therefore, a full investigation of all the types of data and applicable laws will be required. 

While the United States does not have one umbrella data privacy law, all regions have data breach laws. The CCPA, California Consumer Privacy Act, is held as the most stringent law in the U.S. (Virginia and Colorado also have fairly stringent data privacy laws). However, the EU holds the most robust data privacy protection laws and security in the world: the GDPR (General Data Protection Regulation). 

Data Flows 

At a minimum, part of the M&A team’s cybersecurity due diligence checklist should include the following questions/considerations regarding data flows:

• What type of data is collected and held?
• How is the data held?
• What protections are in place?
• Who has access to the data?
• Does data get exported overseas? Is it sold to third parties? 
• What jurisdictions does the data fall under? Who ensures the data practices are compliant? 
• How is data disposed of?

Disaster Recovery Measures

Not only do data privacy laws put pressure on M&A practitioners to focus on data protection throughout the lifecycle of the deal, but they also encourage the creation of data breach recovery plans. Data disasters are financially costly to companies, and especially costly in the areas of public perception and reputation—all of which culminates in the significant loss of predicted deal value. 

It is paramount for acquirers to have a disaster recovery plan put in place in case a breach does take place. Timeliness is critical here—the longer it takes to identify and react to the breach, the more costly its consequences. 

When developing a data breach recovery plan consider:

1. Who is on the team? Having a team dedicated to this issue and putting the team through different training and mock data breaches to build practice and expertise is essential to preparedness. Consider having IT experts, legal experts, and communication/media relations experts as team members.
2. How will you work to contain the breach? How will you take action to eliminate additional data losses? 
3. Assess the risk. What data was read? What data could have been copied? What data might have been changed? 
4. Develop a breach notification and report. 
5. Limit access to data; review current allowances. 
6. Work to protect and help those affected by the breach. 
7. Conduct a post mortem.

How to Evaluate an M&A Platform for Cybersecurity Best Practices

Technology plays an increasingly pivotal role in all aspects of the M&A lifecycle to store and analyze data and support collaboration; when leveraging technology, cybersecurity must be at the forefront of a practitioner’s mind. Considerations and best practices include:

1. Analyze access control – Who should own the principle of least privilege when it comes to email, chat/collaboration tools, virtual data rooms, and project drives; think small (5 vs. 500) – and this must begin at ideation. 
2. Understand the difference between compliant and certified– Compliant means “I believe all the right things have been done,” but certified means a third party is brought in to validate compliance. 
3. Look for the tool/provider’s commitment to security – Does the provider have dedicated security employees and coverage – what is its security scope? What is its certification? Is it transparent about security? 

Conclusion/Final Thoughts

In M&A, the acquirer conducts due diligence in a wide variety of categories, such as finance, employees, sales and marketing, and HR; it is important for cybersecurity to be added to this list. Before beginning a M&A transaction, be sure to ask if security truly has a seat at the table and if the members of the security team are trained in the M&A process. 

As the due diligence process begins, compile the necessary information of key contacts who will be needed if a breach or worst case scenario does take place. Plan and prepare for these things to avoid catastrophic M&A outcomes. 

Begin improving your due diligence process by using our free best practices guide—download it here to get started.