The Importance of Cybersecurity Due Diligence

April 18, 2025
Corum Mergers & Acquisitions

Corum Group


Cybersecurity due diligence is an important and common part of the M&A process, and it is becoming even more important as cybersecurity threats to companies increase in frequency and sophistication. Cybersecurity risks can reduce a selling company's valuation in an M&A deal and can even kill a deal. There are numerous examples of cybersecurity exposures negatively impacting an M&A deal. Perhaps the most prominent one involved Verizon's acquisition of Yahoo's core internet business in 2017. Verizon initially offered $4.83 billion in cash for the purchase in 2016. However, later that year, Yahoo disclosed that it had experienced two serious data breaches, in 2013 and 2014. Following the disclosures, Verizon and Yahoo agreed to reduce the acquisition price by $350 million, resulting in a final price of $4.48 billion. The deal closed at that lower price in 2017.


Corum Regional Managing Director Martin Lowrie stresses that sellers need to understand how important it is to get any cybersecurity skeletons in the closet out in front of the buyer. He says, "If you have had a security incident, you want to make sure that the buyer is aware of it while you still have negotiating power, that is, before you sign the Letter of Intent. If it comes out during due diligence, then it looks like you are trying to hide something from the buyer, and that's never a good thing to happen during due diligence. And when you do disclose a security incident, make sure that you can tell the buyer how you reacted to reduce any potential downstream impact of the breach."


An undisclosed cybersecurity incident can have more than financial impacts, according to Lowrie. For instance, an undisclosed security breach that exposes the seller's intellectual property, such as unauthorized access to the seller's source code, could be considered a breach of a fundamental representation or warranty: something so critical that the buyer would likely not have entered the M&A transaction had it been disclosed beforehand. The seller might then be liable in perpetuity for any intellectual property issues related to the breach.


Buyers will do their cybersecurity due diligence


As part of the overall due diligence done during an M&A, the tech company buyer, usually through a contractor, assesses the selling company's cybersecurity status and vulnerabilities as a way to protect themselves from any post-acquisition security and intellectual property issues. Corum Vice President Mary Joyce notes, "From the buyer's point of view, a comprehensive cybersecurity assessment is essential for informed decision-making during M&A transactions. It helps the buyer understand the security risk profile of the target company, align security measures across both entities, and develop strategies to mitigate the identified risks."


Joyce says that the buyer’s team will typically review the seller's technology and assets (including legacy systems), as well as examine the seller's security policies and tools ‒ especially in the areas of data protection and identity and access management. They will also evaluate risks from third-party vendors, and perform a penetration test that simulates real-world cyberattacks to identify and address vulnerabilities in the seller's systems, networks, or applications.


Sellers need to do their cybersecurity due diligence


Tech company sellers need to do their own cybersecurity due diligence to protect themselves from security issues that can jeopardize a deal. Sellers should address the security exposures they uncover. However, Lowrie points out that what's really important is that sellers be proactive. He adds, "Even if the seller hasn't resolved all of the issues ‒ the seller might have solved one or two of them ‒ as long as there is a plan to sort out the others, that's O.K. It's important that the seller appears proactive and appears to have a handle on their internal security situation."


Steps a seller should take


Here are important steps a tech company seller should take as part of cybersecurity due diligence.
Review security policies and procedures: Ensure that your company has comprehensive security policies and procedures in place, covering areas such as data access, data classification, data retention, data breaches, and incident response. Ensure that the incident response plan is robust enough to cover all stages of an incident, from preparation and prevention, to detection, analysis, containment, eradication, recovery, and post-incident activities.
Identify vulnerabilities: Conduct internal vulnerability assessments to identify weaknesses in your systems and application software. Those assessments should include penetration tests that simulate real-world cyberattacks targeting various infrastructure elements, including the network and applications. Joyce says that if you have database applications, it's important to test for SQL injection, that is, to test whether a user can supply malicious SQL through an input field of the application in a way that could enable attackers to gain unauthorized access to and manipulate sensitive data. If vulnerabilities are uncovered, document and implement actions to address them.
Review data privacy practices: Ensure compliance with relevant government and industry data privacy regulations and assess how you collect, store, and protect sensitive data. Good data privacy practices protect sensitive data through encryption, restrict access to sensitive data to only authorized individuals, have a clear policy about how long personal data is kept, require consent from users before collecting their data, include regular privacy audits, and have a clear plan for responding to data breaches or other privacy incidents.
Evaluate third-party risks: Assess the cybersecurity policies and practices of your key vendors, partners, and contractors. Determine the level of access that your vendors, partners, and contractors have to your data and systems. Assess their security policies, controls, and compliance with relevant regulations. Identify any potential risks related to those policies and practices. Remember breaches of your data and systems can result from third-party cybersecurity vulnerabilities.
Assess open source code: If your software includes open source code, it's important to assess any potential vulnerability in that code, especially source code that is under a copyleft or permissive license. These licenses keep the source code open and freely available for use, modification, and distribution. In any case, Joyce stresses that it's important to show the buyer what open source licenses you have.
Train employees: Cybersecurity training for employees is crucial because human error is a leading cause of breaches. Training equips employees with the knowledge to recognize and mitigate various threats, fostering a stronger security culture and reducing the risk of successful cyberattacks. It also improves incident response capabilities and helps organizations meet regulatory compliance requirements. Cybersecurity training should cover security best practices and how to identify and address security threats such as phishing attacks. It should also cover acceptable use policies relative to company resources. Lowrie underscores the importance of security training. He says, "It's important to have documented security training that is part and parcel of your human capital management procedures."
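As an added illustration of the SQL injection check mentioned in the "Identify vulnerabilities" step (example code written for this page, not from the article or from Corum), the following Python snippet builds a constructed in-memory SQLite table and contrasts a query assembled by string concatenation with a parameterized one. The `injection_probe` helper is a hypothetical name for the kind of test-style check an internal assessment or penetration test would run: a lookup for a non-existent email should return no rows, so any rows returned for a tautology input show that user input is being parsed as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not data from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "ann@example.com", "pro"), (2, "bob@example.com", "free")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The input is spliced into the SQL text, so it can change the query's logic.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Bound parameter: the value is passed separately from the SQL text and is
    # never interpreted as SQL, whatever characters it contains.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def injection_probe(lookup, conn):
    """Hypothetical assessment check: compare a benign lookup for a non-existent
    address with the same lookup carrying a tautology. Extra rows mean the
    application is interpreting user input as SQL and must be fixed."""
    benign = lookup(conn, "nobody@example.com")
    payload = lookup(conn, "nobody@example.com' OR '1'='1")
    return {
        "benign_rows": len(benign),
        "payload_rows": len(payload),
        "injectable": len(payload) > len(benign),
    }


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", injection_probe(lookup_vulnerable, db))
    print("parameterized query:", injection_probe(lookup_parameterized, db))
```

The concatenated version reports both customer rows for the tautology input, while the parameterized version reports none; documenting that difference, and the fix, is exactly the kind of finding the step above asks sellers to record and remediate.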


What if a seller doesn't take these steps?


Not all tech company sellers do a thorough job of cybersecurity due diligence. Some smaller companies may not have the resources to examine and extensively assess their cybersecurity posture. Lowrie notes that some smaller companies may not have the sophistication to fully understand their own internal security situation. He puts it this way: "They might not have done a test. They might not have security policies and procedures in place from a human capital management perspective. In those situations, the buyer is going to have to make a decision. Do I want to go into this transaction taking those risks? But the buyer is going to push the liability back on the seller one way or another."
 

Final pieces of advice


Lowrie offers the following advice to sellers regarding cybersecurity due diligence: "Make sure that you've done a recent penetration test and you're addressing the results of it in one form or another. And if there are any security issues, bring them up before you sign the LOI. Otherwise it's going to result in a retrade or somebody walking away from the deal during due diligence after you've spent a lot of money."
Joyce also highlights the importance of doing your own due diligence early. She says, "Find a legitimate, good company that will evaluate your software for vulnerabilities ahead of time so that you and the buyer are not surprised during due diligence."