Cybersecurity is a major issue in today's business world, and business owners and prospective business owners need to treat it as a priority. In this piece, I take a critical look at cases within the cybersecurity landscape, especially as they relate to mergers & acquisitions. I give a few examples of cybersecurity breaches and their effects on companies that neglected to ask key cybersecurity questions while acquiring target companies. I also provide a step-by-step guideline on the key cybersecurity due diligence questions that must be asked during mergers & acquisitions, and I believe that companies which fully adopt them will be spared the woes suffered by those that neglected to do so in the past.
Until recently, companies engaging in Mergers & Acquisitions (M&A) or any other form of business combination rarely treated cybersecurity due diligence as an important part of the transaction. Present realities make it necessary for businesses not only to consider cybersecurity due diligence an important subject, but to give it priority attention. Where the company on the other side of the deal declines a request for such due diligence, that refusal should itself be seen as a red flag.
It is not in doubt that technological innovations have helped businesses to scale, reach more customers and optimise profit. Companies now integrate their business with technology, or migrate their products and services entirely online, to increase their customer base, improve service delivery, reduce cost and, at the same time, optimise profit. But it does not stop there: the ease that technology has brought to businesses has also made them more vulnerable to cyber-attacks. Cyberattacks have crippling effects on businesses. A single cyberattack commonly costs millions of dollars to resolve, and corporate and industrial outfits are the prime targets. The targets of the attacks include Personally Identifiable Information (PII) such as names, dates of birth, home addresses, credit card details and other valuable personal information of customers. One such cyberattack was the Capital One data breach, perpetrated between 22nd and 23rd March, 2019 but discovered on 17 July, 2019. The personal data of over 100 million of the bank's United States (US) and Canadian customers was exposed; about 140,000 Social Security Numbers and 80,000 linked bank account numbers were also obtained in the breach. This is just one of the numerous cyberattacks that occur almost every day globally. In 2017, the data of about 147 million Equifax customers was stolen by cybercriminals, and in 2019 the company agreed to a settlement of up to $700 million with the US Federal Trade Commission (FTC), the Consumer Financial Protection Bureau and state attorneys general. This is exclusive of what the company will spend on remediation, litigation settlements and cybersecurity infrastructure to avoid future occurrences.
In most cases, a company does not know that cybercriminals have gained access to its infrastructure. In the case of Capital One, for instance, it took approximately four (4) months before the company found out that its infrastructure had been compromised. For Starwood Hotels & Resorts, cybercriminals had access to its systems from 2014 and were not discovered until 2018, about two years after the company was acquired by Marriott International. There is a common saying that "there are two types of companies: those that have been breached, and those that do not know that they have been breached." That is what we see in these days of sophisticated cyberattacks. In Nigeria, while no case of a cyberattack appears to have received wide media coverage, the Deloitte "Nigeria Cybersecurity Outlook 2019" reveals that there were mixed cases originating from phishing attacks, malicious software embedded at payment interfaces and ransomware, resulting in the loss of billions of Naira. This makes it all the more important for companies to prioritise cybersecurity due diligence.
Due diligence is a process of verification, investigation or audit of a potential deal or investment opportunity to confirm all facts and financial information, and to verify anything else that was brought up during the M&A deal or investment process. It is usually completed before a deal closes so as to give the buyer assurance of what it is getting. The purpose of due diligence, among other things, is to confirm and verify information that came to light in the course of the deal negotiation or investment process.
There are several reasons why a company may contemplate a merger or acquisition. It could be for risk diversification, to achieve corporate growth, to enjoy tax relief and asset benefits, to acquire technical staff, or for other economic reasons, and one would rarely see companies engaging in M&A carry out cybersecurity checks, especially on the target company. Early in 2019, we saw what could be considered a recent major M&A in the Nigerian banking industry between Access Bank Plc. and the now defunct Diamond Bank Plc. However, one doubts whether these companies included cybersecurity due diligence in their scheme of merger.
Cybersecurity Due Diligence
Conventional M&A due diligence entailed questions about the target company's financials, technology/patents, customers, strategy, material contracts, employment/management issues, litigation and regulatory issues. Questions around technology should now go deeper and include a check-up of the target company's cybersecurity infrastructure. As of 2015, a Freshfields Bruckhaus Deringer report revealed that 78% (seventy-eight percent) of deals still did not specifically quantify cybersecurity as part of the M&A due diligence process. However, a more recent survey shows that 93% of information technology professionals view cybersecurity evaluations as very important in a company's M&A decision-making.
Buying a company translates to buying its data, and buying its data means buying its past, present and future data security problems. The economic impact of a transaction can shift dramatically if, after the deal is consummated, past or on-going data breaches come to light. This also opens the floodgates to litigation by affected customers. This is exemplified in the Yahoo-Verizon and the Marriott-Starwood M&A quagmires.
Cases of Failure to Carry Out Cybersecurity Due Diligence
In July 2016, Verizon Communications (Verizon) entered into a deal with Yahoo! (Yahoo) to purchase a portion of Yahoo's properties for $4.8 billion, unaware of the data breaches which Yahoo had suffered prior to the deal. Not long after the deal was signed, a purported information broker going by the name Peace (or Peace_of_Mind) was discovered to be marketing the personal data of about 200 million Yahoo accounts, obtained sometime in 2014. Yahoo investigated and discovered the truth: in 2014 it had suffered a breach which affected at least 500 million user accounts. This was not made known to Verizon until two months after the Purchase Agreement had been executed by the parties. In December 2016, Yahoo further announced that a separate breach in 2013 had affected about 1 billion Yahoo user accounts. Verizon then had to assess the impact of the data breaches so as to decide whether to continue with the transaction (at a reduced price) or simply walk away. Verizon and Yahoo eventually negotiated a $350 million reduction in the purchase price.
The underlying lesson is that buying a company automatically translates to buying the company's data, which may work in favour of, or to the disadvantage of, the buyer. This is why full disclosure of all relevant information at the disposal of the parties in the transaction, no matter how insignificant it might seem, is essential. The Marriott-Starwood saga makes M&A cybersecurity due diligence a must for intending companies. Marriott International, Inc. (Marriott) acquired Starwood Hotels & Resorts Worldwide (Starwood) in 2016, unaware that Starwood's systems had been compromised since 2014. The breach exposed the personal data of about 500 million Starwood customers. About two years after the acquisition, the breach became public knowledge. In reaction, the United Kingdom (UK) Information Commissioner's Office (ICO) announced in July 2019 its intention to fine Marriott £99 million (Ninety-Nine Million Pounds) for the breach. The ICO's contention was that Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." These are further compelling reasons why companies going into M&A must prioritise cybersecurity due diligence.
Reasons for Concealment of Information about Data Breaches
There are several reasons why target companies fail to disclose information about a cybersecurity breach suffered before an M&A deal, although none of them is justifiable. The following are a few of such reasons:
- The Lack of Knowledge of the Existence of A Breach
This tops the list of reasons why companies that have suffered data breaches do not disclose them during an M&A transaction. Many companies do not know that their infrastructure has been breached, or that cybercriminals are inside their infrastructure at the very time negotiations for an M&A deal are on-going with a potential buyer, even though knowledge of a breach could be a deal-breaker. A case in point is the Yahoo-Verizon 2016 deal. For over two years, Yahoo was unaware of a breach of its infrastructure which had affected over 500 million users' account data, until the perpetrator gave a confidential interview to Vice and Wired when he began selling the data he had harvested. One may argue that this shows a lack of adequate security arrangements on the part of Yahoo, but the truth is that most companies do not know when their infrastructure is compromised. It often takes months, or even years, before a company becomes aware of such a development (as in the Yahoo, Starwood and Capital One breaches cited above). Data breaches are carried out by sophisticated, well-resourced cybercriminals who specialise in operating stealthily. So, where a company whose infrastructure has been breached enters into an M&A deal and is eventually acquired, the buyer automatically inherits whatever the target company suffered prior to the transaction. This is why acquiring companies must be wary and exercise the utmost care in M&A due diligence. Whatever is not revealed during the negotiation phase may cause great harm to the acquiring company after the merger with the target company.
- The Dread for Penalties
Most companies would prefer not to disclose a data breach they have suffered, since it will attract fines or penalties from regulators. What follows a breach is not just the loss of customers' personal data, reputational damage and remediation cost, but also the fines and penalties it attracts. Companies that have suffered data breaches have been made to pay what some consider "outrageous" sums for failing to protect consumers' personal data. For instance, in July 2019 Equifax agreed to pay up to $700 million for a 2017 breach that affected the financial and personal information of almost 150 million customers. Similarly, on 24 July 2019 the US FTC fined Facebook the sum of $5 billion for violating consumers' privacy. The list goes on.
However, it is an offence to conceal information about a data breach. In Nigeria, for instance, under Section 21(3) of the Cybercrimes (Prohibition, Prevention etc.) Act, 2015, a company that fails to report an attack on its computer systems or network to the National Computer Emergency Response Team (CERT) within seven (7) days of the incident is liable to a fine of ₦2 Million (Two Million Naira).
- To Avoid Litigation from Affected Customers
On 26th September, 2019 I received a mail from Yahoo informing me of a pending class action against it and one Aabaco Small Business, LLC. The suit comes as a result of the data breaches of 2012-2016 affecting approximately 3.5 billion Yahoo account holders.
Lawsuits against companies whose customers' personal data are exposed in a breach usually run into millions of dollars in settlement. In the Yahoo data breach, Yahoo agreed to pay $117,500,000 (One Hundred and Seventeen Million, Five Hundred Thousand Dollars) into a settlement fund, with the hearing on the settlement coming up on 2nd April, 2020 at a court in San Jose, USA. Such lawsuits are usually predicated on the company's failure to protect its customers' personal information. In 2017, Anthem Inc. (one of America's largest insurance companies) agreed to a $115 million settlement after a breach that affected the personal information of about 80 million customers. Disclosing the existence of a data breach usually results in the company being inundated with lawsuits from those affected by the breach, and this usually leads to the company parting with a lot of money in settlement. So, to avoid this burden, many companies choose to keep quiet about it, except where they cannot help it.
- To Avoid Reputational Damage and Loss of Customer/Revenue
A recent survey by PCI Pal in the USA, UK, Canada and Australia reveals the attitudes of customers after a company holding their personal data has suffered a data breach. In Australia, 43% stated that they would never return to the company post-breach. In the UK, 41% said they would never return, and in the US, 21% said they would never return. In Canada, 58% said they would stop dealing with the company for several months post-breach, while 5% said they would never return. The negative consequences of a cyberattack on a company can be far-reaching. So, to avoid them, many companies would rather not disclose a breach until a later time, or never disclose it at all. A breach damages the goodwill a company has built over years, and as such, many companies elect to keep the incident to themselves.
Be that as it may, the above provide still more compelling reasons why companies contemplating (or already engaged in) an M&A transaction must not wish away the need for cybersecurity due diligence, as there are telling consequences for either party that fails to do so.
Components of M&A Cybersecurity Due Diligence
Cybersecurity experts advise acquiring companies to engage the services of a cybersecurity auditor so as to ensure that the following measures are taken while conducting due diligence on the target:
- Identify all data that currently exists within the target’s systems and where it is stored;
- Understand any previous data breaches reported by the company;
- Assess the target’s network to identify any existing or past vulnerabilities;
- Implement an active detection and response solution within the target company to find hidden threats;
- Understand the target company’s security policy;
- Understand what security training employees receive, and whether the target relies on cloud or on-premises (physical) infrastructure and security;
- Identify all third party risks and data management; and
- Identify the target company's privacy policies in place.
More thorough due diligence must also be conducted in the post-merger (integration) phase. Latent facts that went unnoticed during the pre-merger and merger phases can be discovered during integration. The point is that thorough scrutiny should be carried out on the target company, as target companies often withhold key information during the pre-merger and merger phases so as not to lose the transaction or suffer a reduction in value by disclosing a breach suffered prior to the M&A transaction. The cases of Marriott-Starwood and Pacnet-Telstra show how far target companies can go in concealing vital information about breaches they have suffered until the deal is concluded. Pacnet, headquartered in Singapore and Hong Kong, provided data centre services to carriers, governments and multinationals prior to its acquisition by Telstra, an Australian telecoms services provider. Barely a month after acquiring Pacnet, Telstra announced that Pacnet had been hacked before the acquisition, but this had not been made known during the transaction.
Mergers & acquisitions are topical issues in business growth and expansion. However, several companies have gone from expanding their businesses to acquiring liabilities, lawsuits and fines simply because cybersecurity due diligence was not considered a relevant factor in the scheme. Going forward, business entities engaging in M&A should give cybersecurity due diligence priority attention, as it will save them from numerous unexpected challenges, losses and setbacks.
Written by Reuben Okafor