Buyer beware: If you underestimate the importance of cybersecurity during due diligence, you will pay the consequences
Article originally published in May 2016 edition of Private Capital Magazine
By Imran Ahmad
Partner, Cybersecurity Practice, Miller Thomson LLP
Imagine the following scenario: A Waterloo-based company is developing an innovative technology that integrates artificial intelligence into the aerospace manufacturing process. A private equity firm, seeing a great opportunity to invest in a technology that is both cutting edge and focused on a high-growth industry, decides to acquire the company and invests significant funds to further develop the technology and to bring it to market.
Several million dollars of investment later, the private equity firm learns that a Chinese company is offering an almost identical product — at half the price! Suspecting that its technology has been stolen, the Canadian company conducts a full cyber diagnostic and learns that its defences have been compromised for years. Critical intellectual property has been regularly exfiltrated and hackers continue to have access to the network. The private equity firm must now face the prospect of not only losing the “first mover advantage” it was counting on, but also that the value of its investment will be significantly diminished. Is there anything they could have done differently to protect their investment? The short answer is yes, and it should have happened at the due diligence phase.
Why Adequate Cybersecurity Matters
With most organizations digitizing many of their key assets (e.g., intellectual property, customer information, details about internal investigations, etc.), the importance of an adequate cybersecurity assessment cannot be overstated. In fact, for most transactions, cybersecurity should be a risk category in its own right.
Buyers should review not only historical breaches but also the target organization’s vulnerability at the time of the transaction. This is particularly true given that, on average, it can take up to 200 days for organizations to discover that they have been breached. Accordingly, while the target may be representing in good faith that it is not aware of any breach, the organization’s key data may already have been compromised unbeknownst to the seller.
While cyber risks are hard to quantify, a thorough analysis of the target’s cybersecurity will inform deal terms, deal value and post-deal indemnity claims.
There are several types of cyber risk to consider. The table below summarizes some of the most common types of cyber risk and their potential post-transaction impact.
While cyber risks vary from one organization to another, an adequate cybersecurity due diligence will help the buyer determine deal terms, deal value, and post-deal indemnity claims. Below are a few key areas that buyers should consider:
- Preliminary assessment: Buyers should attempt to quickly determine the target’s most important information assets, systems and business processes. At a minimum, the target should be able to quickly identify which information technology (IT) systems and data sets are most valuable to the business and explain at a high level the security measures it has in place to protect them.
- Customize the diligence: The buyer should determine whether the target’s management has a clear understanding of the types of cyber threats the organization faces, as well as the potential cyber-related liabilities (including an understanding of regulatory requirements in the case of a breach).
- Target’s cyber readiness: Diligence questionnaires and interviews should seek to understand the target’s administrative, technical and physical information-security controls currently in place to safeguard the most critical business data sets. The buyer should look for signs to determine whether cyber readiness is embedded in the target’s corporate culture (e.g., Does the target conduct regular cyber assessments? Does it provide cyber training to employees on a regular basis? Does the cyber-monitoring team meet and report its findings to management on a regular basis?).
- Enlist cybersecurity experts: Buyers should retain cybersecurity experts to conduct an assessment of the target’s cyber defences. The resulting expert report will serve as a basis for negotiating deal terms; where the target’s cyber-risk profile is negative, the report can support adjustments to those terms, including deal value.
- Target’s employees: More often than not, employees represent the weakest link when it comes to cyber attacks and major data breaches. The buyer will want to ensure that the target’s employees are adequately trained and able to identify and take proper steps when faced with cyber threats such as social engineering campaigns, spear phishing, etc.
Historically, the due diligence process focused on identifying the target’s existing obligations and liabilities and allocating risk accordingly. With organizations digitizing their key assets and cyber threats growing at an exponential rate, buyers now need to use the due diligence process to determine the target’s existing vulnerabilities and anticipate what impact, if any, they will have on the organization in the future. Going forward, we anticipate that prudent buyers will incorporate cybersecurity as a standalone due diligence item for most transactions.
*Imran Ahmad is a lawyer specializing in cybersecurity law at Miller Thomson LLP. Imran works closely with clients to develop and implement practical and informed strategies related to managing cyber risks, dealing with data breaches and cyberattacks.*