Cybersecurity due diligence in M&A

Over the past years, security breaches and malware attacks have become increasingly common. Traditionally, strategic investors and PE firms mainly focused on financials, employment and strategy when carrying out their M&A due diligence. According to a report of NYSE Governance Services/Veracode, less than 50% of the acquiring companies carried out a cybersecurity and IT due diligence. In 2015, another report revealed that nearly 80% of the deal makers still did not specifically quantify cybersecurity as a part of their due diligence process. However, it is clear that in view of the increasing number of security breaches and malware attacks , cybersecurity should become an integral part of the due diligence process in an M&A transaction.
 
Indeed, the apparent ease with which some of these cyber-attacks have occurred has emphasized the importance of cybersecurity, and thus carrying out due diligence in this respect. Nevertheless, according to the report of NYSE Governance Services/Veracode, 52% of the respondents would consider to acquire a company that recently suffered from a high-profile data breach, although be it at a significantly lower value. Hence, although data breaches until now do not seem to be real deal breakers, they do have a considerable impact on the value of the deal.
 
Why do we need cybersecurity due diligence?
 
Nowadays, acquiring (IT-) companies without carrying out a due diligence can be considered a risky operation. The Verizon/Yahoo! case and the Telstra/Pacnet case clearly demonstrate the risks that are associated when no proper cybersecurity due diligence has been carried out, and are classic examples of cybersecurity breaches that were unrevealed during the due diligence process.
 
In the Verizon/Yahoo! case, Yahoo! only disclosed a security breach two months after Verizon announced that it would acquire Yahoo!. In the other case, it only came to the attention of Telstra weeks after the deal had been closed that Pacnet had become the victim of a hacking incident before the transaction was closed. As a result, Telstra considered taking legal action against the sellers of Pacnet, based on the assumption that the sellers allegedly knew about the hacking attack before the deal was closed, but omitted to disclose this matter to Telstra.
 
Both incidents demonstrate the potential litigation risks that are associated with data breaches in M&A and the considerable impact on the value of the deal taken into account the damage that the breach can cause to the system and the loss of data, and thus reveal the need of appropriate cybersecurity due diligence before closing the deal.
 
Step-plan to conduct a cybersecurity due diligence
 
Prior to conducting an in-depth cybersecurity and compliance audit, the acquirer needs to assure that the target has taken the necessary steps to protectits data and to comply with the required regulations. A well-developed cyber questionnaire, tailored to the industry in which the target company operates, might help in a comprehensive overview of the target’s operations, and the related cyber-documentation it disposes of.
 
The due diligence review should be carried out both from a judicial perspective as from a technical perspective, thereby involving the necessary cyber experts, in order to assess from a technical point of view whether the appropriate measures are provided to protect the personal data and to escalate the procedure should a data breach occur (for instance, in accordance with the ISO27001 standard, or measures similar to the “Cyber Essentials”, a good practice scheme adopted in the UK), and, if any, to identify the vulnerabilities of the system, and the costs associated therewith.
 
Hence, a review of the target’s cyber-documentation and any other potential important information should be carried out in parallel by both legal advisers as technical experts, and should include:

• The privacy and data protection policy, and the appropriateness of the measures contained therein;
• The insurance policies (and more in particular, the cybersecurity insurance policy) in order to assess which risks are covered and which are excluded;
• The incident policy and the Disaster, Recovery & Business Continuity Plan, in order to assess whether the appropriate measures are included to escalate the notification procedure in case a data security breach occurs and to ensure the continuity of the target company;
• Information about any data security breaches and other incidents, including information on all notifications and reports that were issued to the respective supervisory authority, as well as their response in this respect;
• An analysis relating to social media presence, by which a list should be provided of all social media platforms on which the target company is present, as well as how social media is used in the target company (which can be demonstrated by means of employee manuals, handbooks and policies).

In addition, it should be pointed out that, as a result of the new EU Data Protection Regulation, national regulators in the EU will start to pay more attention to cybersecurity breaches. As of mid-2018, when the EU Data Protection Regulation enters into force, the national regulators throughout the EU will have more powerful sanctions (i.e., levying of fines up to 10,000,000 EUR, or in case of an undertaking, up to 2% of the total worldwide annual turnover, and other threats and sanctions) at their disposal if companies do not comply with the rules set forth in the EU Data Protection Regulation, which includes the implementation of appropriate technical and organisational measures to ensure an appropriate level of security (Section 32 of the Data Protection Regulation), and the notification of security breaches and incidents to the supervisory authority (Section 33 of the Data Protection Regulation).
 
Afterwards, and more precisely if the aforementioned review has identified certain vulnerabilities, a more in-depth analysis could take place by which the cybersecurity experts could conduct, for instance, an active to hack the system from the outside (i.e., “White Hat Hacker Attack”). In addition, a cybersecurity audit could be performed, as well as an audit of the software applications, in order to assess how secure they are.
 
Conclusion
 
With the expansion of personal data and sensitive information being stored virtually, the importance of cybersecurity will only increase. As a result, cybersecurity should be considered throughout the entire M&A process, and proper due diligence should be carried out in order to reveal any insecurities and incidents, as these might have a considerable impact on the value of the deal. In this respect, the support of cybersecurity experts should not be underestimated, as they also provide valuable input in determining the consequences and possible costs associated with the identified vulnerabilities, which is important for the acquirer in order to assess whether vulnerability should be considered material, and thus can have an impact on the determined value. Finally, also after the deal has been closed, all cybersecurity policies and plans should be constantly re-evaluated in order to ensure their smooth post M&A integration, and thus their effectiveness.
 
Steven De Schrijver – Partner    
Louizalaan 235
1050 Brussels
Belgium
+32 2 215 97 58
Email: sds@astrealaw.be
 
Steven De Schrijver is a partner in the Brussels office of Astrea. He has 20 years of experience advising Belgian and multinational companies on mergers and acquisitions, joint ventures, corporate restructurings, acquisition financing, private equity and venture capital, debt structuring and secured loans. He has been involved in several national and cross-border transactions, mostly in technology-oriented sectors.
 
Steven is also recognised as one of the leading commercial IT lawyers in Belgium, specialising in new technologies (such as data protection, e-commerce, software licensing, website development and hosting, technology transfer, digital signature, IT-outsourcing, cloud computing, cybersecurity, artificial intelligence, drones, robots, driverless cars, augmented and virtual reality, etc.).
 
Steven holds a law degree from the University of Antwerp (magna cum laude, 1992) and an LL.M. degree from University of Virginia School of Law (1993). He received the ILO Client Choice Award 2012 in the General Corporate Category for Belgium.
 
Prior to joining Astrea, Steven worked for 15 years at Van Bael & Bellis, where he became a partner in 2002. He was also a partner at law firm Lorenz, where he headed the Corporate/M&A and IT and New Media departments between 2009 and 2012.
 
Fauve Vander Schelden – Associate
Roderveldlaan 3
2600 Antwerp
Belgium
+32 3 287 11 01
Email: fav@astrealaw.be
 
Fauve Vander Schelden is an associate in the Antwerp office of Astrea, working in the Corporate/M&A department.
 
She holds a law degree from the University of Ghent (cum laude, 2014) and an LL.M. degree in corporate and commercial law from the London School of Economics and Political Science (LSE) (2015). During her studies, she also spent six months in Paris where she studied at the University Paris I (Pantheon-Sorbonne).
 
Fauve regularly advices and assists companies with their corporate day-to-day management, and with respect to (national and cross-border) mergers and acquisitions, joint ventures, private equity and corporate restructurings.