Ignore IT security at your peril
Deal Deliberations
Cyber risks in M&A
Cyber security assessments are now accepted as a staple part of M&A due diligence. In this article we explore how buyers can maximise their chances of a successful deal by taking a robust approach to analysing and considering cyber security risks.
Risk exposure
The need for a buyer to assess a target’s cyber security risk exposure is generally well understood in the context of technology M&A transactions. But the truth is that every business, in every sector, is potentially vulnerable to data breaches and cyber attacks. These incidents are the technology equivalent of an oil spill: they can have severe consequences, whether through significant operational interruption, hefty financial penalties or reputational damage (or any combination of these).
With more than 40% of buyers reportedly discovering a cyber security-related issue post-acquisition, it is no longer a risk that buyers can afford to ignore in their diligence or when developing mitigation plans.
To take one high-profile example: in 2014 Starwood Hotels was subject to a hack which exposed nearly 400m guest records. This went undetected until 2018 – two years after Starwood was acquired by Marriott.
Marriott was subsequently fined £18.4m by the UK Information Commissioner’s Office, largely because of its failure to perform adequate due diligence on the relevant systems and its inadequate data loss prevention strategy and de-identification methods.
Risk mitigation
At the initial due diligence stage, a buyer should raise relevant inquiries to investigate any historical incidents and current threats, and to better understand any security gaps, risks and potential liabilities. This will typically entail:
- a technical review of the systems and software protections in place;
- a detailed review of the target’s cyber and data protection practices, processes and policies to ascertain its cyber hygiene and approach to cyber risks;
- a review of the target’s compliance with data protection and privacy legislation; and
- on a case-by-case basis, commissioning a professional audit report (e.g. a Black Duck audit report) to get a sense of the target’s open source licence obligations and its application security and code quality risks.
Due diligence findings may have to be translated into protective provisions in the transaction documents, in the form of specific indemnities (and potentially conditions precedent) in relation to identified risks and liabilities.
More generally, warranty coverage should extend to the contents of internal privacy policies and practices, compliance with applicable data protection and cyber security laws (and best practice guidelines), and the absence of data breaches and cyber security incidents, so as to provide baseline contractual safeguards.
- We have seen some buyers insist (despite premium costs being on the rise) that the target take out cyber insurance (if not already held), depending on the scope of the risk coverage.
- A buyer could also negotiate an appropriate purchase price reduction or, for an agreed period, require that an escrow fund be established to cover any possible post-closing exposure.