Cybersecurity easing its way into M&A due diligence

By Erin Ayers on August 22, 2014

A promising merger or acquisition could ultimately disappoint, if the parties involved do not take the proper care to evaluate all cybersecurity risks well in advance of the deal’s final closing date.

Concerns among executives have grown, but the business world has far to go in incorporating cyber risk fully into the due diligence process.

“If you don’t know what you’re acquiring, in terms of technology and cyber risk, then you don’t know the value of what you’re acquiring,” said Lisa Davis, founder of Vicinage, a firm that connects cyber risk experts and chief information security officers with businesses in need of outside counsel. “It’s a huge issue that’s not being addressed.”

Cyber risk should be considered right along with financial and legal due diligence considerations, Davis told Advisen.

A recent international survey from Freshfields Bruckhaus Deringer found 58 percent of respondents feel that the threat of cyber crime has altered the M&A landscape in the last year. Another 82 percent said the deal-making world will change even more in the next 18 months.

“Cybersecurity in the M&A process is about more than just keeping sensitive data safe,” the global firm noted. “Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyze its financial position. A thorough knowledge of a business’s cybersecurity is equally important during the integration phase; as a former deputy assistant attorney general at the US Department of Justice who supervised cyber crime investigations has said: ‘when you buy a company, you’re buying its data – and you could be buying its data security problems.’”

Mark Schreiber, chair of Edwards Wildman’s Privacy and Data Protection Group Steering Committee and chair of the World Law Group’s privacy matters group, noted that more attention has been paid to the issue in the US than in Europe, likely due to “far less rigorous” provisions abroad and more publicity of data breaches in the US.

However, it may still not be a top-tier concern for many businesses. In any case where data is an important asset to a company, there tends to be greater due diligence on cyber risk, he said.

Pressure to include cybersecurity in transactions could come from the Securities and Exchange Commission (SEC) on boards of directors and their responsibilities. The SEC’s focus joins a new cyber risk handbook put together by the National Association of Corporate Directors (NACD) and AIG, as well as new third-party security guidelines from the PCI Security Standards Council.

“If you start to look at all three of those, there is certainly a push at a senior level to have a more concrete oversight of cybersecurity,” said Schreiber. He predicted a flow-through to entities dealing with M&A transactions.

“The process is still so new, that it’s just beginning to percolate up and we’re just beginning to formulate good tools to handle it,” he told Advisen.

Freshfields found that a cyber incident during the dealmaking could have the power to halt the process for 64 percent of the survey respondent, either changing the terms or reducing that value of the deal.

“That respondents say more acquirers than sellers are likely to be concerned about cybersecurity issues derailing a transaction could be explained by what they have to lose,” the firm stated.

From an insurance perspective, acquiring companies could find they do not have insurance coverage for pre-acquiring incidents, according to attorney Roberta D. Anderson, partner at K&L Gates in Pittsburgh.

“Companies should be doing a full cyber risk assessment of a target, so they know the risk profile and where the holes are,” said Anderson. “The lesson is, companies need to think about the security of the other party’s systems. Cybersecurity’s not adequately addressed as part of the due diligence.”

The problem goes well beyond M&A, but the situation does appear to be changing slowly, as the C-suite and boards become more aware.

“It would be crazy if you’re not fully vetting the company you’re acquiring,” she said. A company buying another in any critical infrastructure industry – manufacturing, energy, chemicals, for example – would not go through a deal without analyzing all environmental exposures.

Experts say that outside technical expertise becomes necessary for adequately including cybersecurity in M&A.

“They just need to expand the due diligence team, get that technical expertise,” said Davis. “This is a perfect example of something where the time has come.”'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].