Cybersecurity and Legal Due Diligence Considerations in M&A Transactions
When prospective buyers conduct legal due diligence in merger and acquisition transactions the main focus is typically on the traditional items, such as financials, debt instruments, major contracts and other key metrics customarily analyzed. These items, among others, remain critical to evaluating a business. However, with technology continuing to advance at an exponential rate and hackers successfully breaching company information systems more frequently, as seen with Target, Equifax and many others, it is critical that prospective buyers thoroughly consider the risks associated with the target’s cybersecurity practices or lack thereof.
In fact, players in the M&A deal market have started to pay extra attention to cybersecurity. On July 9, the United Kingdom’s Information Commission Office (ICO) announced its intention to fine Marriot International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, under the General Data Protection Regulation (GDPR) in connection with Marriot’s Starwood Customer loyalty program acquisition. The ICO explained in its press release that the fine derived in part from a lack of “proper due diligence when making a corporation acquisition.” Moreover, a recent study of IT professionals and business executives from around the world has shown that:
- 81% have a greater concern now about the potential seller’s cybersecurity program than ever before;
- 73% said that if the potential seller did not disclose a cybersecurity breach during the diligence process then that would be a deal breaker; and
- 65% said that unanticipated cybersecurity-related issues left them regretting their decision to go through with the deal.
These statistics show that assessing a target’s cybersecurity program is among, or should be among, the factors potential buyers use when deciding whether to accept certain risks and move forward with a particular transaction. Failing to study these issues may result in “buyer’s remorse.”
Potential sellers, on the other hand, need to fully disclose their cybersecurity programs, or lack thereof, and any known cybersecurity incidents or risks to potential buyers early in the diligence process, so that there are no surprises after spending significant time and money exploring and negotiating a transaction such as a significant adjustment to the proposed purchase price or post-closing indemnity claims. A recent example is Verizon’s acquisition of Yahoo. After signing a purchase agreement, but prior to announcing the transaction, Verizon learned about data breaches at Yahoo, affecting over 1 billion user accounts. Verizon and Yahoo had originally agreed to an approximately $4.8 billion purchase price. However, as a result of discovery and investigation of these cybersecurity incidents, Verizon reduced the purchase price to $4.48 billion and entered into a liability sharing arrangement with Yahoo; Yahoo lost approximately $350 million. This is a prime example of why both deal parties need to prioritize cybersecurity, especially in the diligence stage.
When representing a prospective buyer, it is important that the diligence process include a comprehensive set of cybersecurity-related questions and information requests. Set forth below is just a sampling of the types of questions and requests that should be included in any legal due diligence request list:
- Does the company have a comprehensive cybersecurity program in place? If so, is such program in compliance with the standards outlined by industry-recognized frameworks like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, or legislation like the Health Insurance Portability and Accountability Act (HIPAA)?
- If applicable, please provide a description of any company products or services that involve the collection or dissemination of data, including personally identifiable information (PII) and confidential information?
- Does the company collect and store PII, such as names, email addresses, telephone numbers, mailing addresses, social security numbers, state identification numbers, account passwords, medical conditions and/or credit card numbers?
- Does the company collect and store personal health information (PHI)?
- Has the company experienced a breach of security involving its information systems and resulting in the unauthorized access to, or compromise of, the confidentiality, integrity or availability of PII or PHI? If so, what actions have been taken to address or remediate such situations? What other cybersecurity incidents has the company sustained and what actions were taken to mitigate their reoccurrence?
- If applicable, please describe any measures being taken to comply with the European Union’s GDPR?
- Does the company have policies and procedures in place to regularly monitor and assess implementation and compliance with its privacy and cybersecurity programs? If so, are such policies and procedures being followed (e.g. periodic reports to, and oversight by, management and the board of directors)?
- Does the company do regular reviews of compliance with all applicable legal requirements, including regulations applicable to its specific industry (e.g. financial services, healthcare, etc.)?
- Does the company have insurance in place to cover privacy and cybersecurity incidents that have occurred or may occur? What are the limits?
- How does the company manage its third-party vendor risk for data privacy and security?
- Relatedly, does the company share information with third-party vendors and, if so, does it audit or otherwise review the privacy and cybersecurity policies and procedures followed by such vendors?
It is important to note that prospective buyers should be asking additional questions and making supplementary requests—the suggested questions and requests above are simply the starting point and are not intended as a comprehensive list. Potential buyers may also want to hire their own independent experts to analyze the target’s cybersecurity measures rather than just relying on the due diligence produced and the representations made by the target. All of these considerations are fact-specific and depend on the type of deal and the business of the target being evaluated.
As provided above, prospective buyers should take seriously the risks associated with the target’s data privacy and cybersecurity program and include these issues in any due diligence assessment of a target to identify and address (or at least take measures to mitigate) any risks associated with the transaction. Likewise, sellers should understand that privacy and cybersecurity issues for the foreseeable future will be a major focus of potential acquirers and therefore should maintain adequate data security protections in the normal course of their business operations so that such issues do not derail a deal or result in significant reduction in the value of the company, such as the reduction in purchase price that arose in the Yahoo/Verizon deal. These issues are especially important in evaluating businesses that collect, use and store large amounts of personal data. Cybersecurity is at the forefront and there will be no shortage of cybersecurity-related issues to address as the market approaches the next decade of deal making.
If you have questions or need more information, contact Joshua Mooney (215.864.6345; firstname.lastname@example.org), Lori Smith (212.714.3075; email@example.com) or another member of the Cyber Law and Data Protection or Corporate and Securities Groups.