M&A Due Diligence Must Include Cybersecurity Analysis, Attorneys Say


By Michael Greene

May 20 — Buyer beware: Despite the lack of attention on the topic, cybersecurity issues can greatly impact M&A deals and should be considered a part of conducting due diligence, according to panelists at the “Cybersecurity Law Institute” May 20.

“The cybersecurity situation of the company you are acquiring affects the value of the company, it affects the liability you might be taking on, and it affects the costs you might have to incur,” Thomas J. Smedinghoff, of counsel at Locke Lord Edwards LLP, said during the conference hosted by Georgetown University Law Center and sponsored by Bloomberg BNA.

Acquirers should imagine trying to buy Target before its breach, Smedinghoff added. “That is the kind of scenario you really need to think about.”

During the session—“Top Cybersecurity Issues in Mergers and Acquisitions”—panelists discussed why cybersecurity issues are so important in the M&A context and what buyers should examine when conducting M&A transactions.

Important Issue, Lack of Discussion

According to a Freshfields Bruckhaus Deringer survey of 214 dealmakers, “78 percent of the respondents believe cybersecurity is not analyzed in great depth or specifically quantified during the M&A due diligence process, despite 83 percent saying that a deal could be abandoned if previous cybersecurity breaches were identified and 90 percent saying breaches could reduce the value of the deal”.

These statistics show that dealmakers believe cybersecurity risks are important, but they are not doing much about it, said moderator Christine Ricci, senior counsel for General Electric Co.

In the past this issue really hasn't been well recognized, and certainly not well discussed, “but that needs to change,” Smedinghoff said.

He added that he is starting to see a recognition by boards of directors, when they are looking at an acquisition, that part of their fiduciary obligations in conducting due diligence is looking at cybersecurity issues.

Prior to LOI

When asked about the type of due diligence that should be done prior to the letter of intent, Mark Leary, vice president and chief information security officer for Xerox Corp., said that the CISO should be seen as an advisor and included in the process at the earliest stage.

He added that the CISO must understand the purpose and reason behind the acquisition because this allows him or her to give the business development team and senior executives “a risk picture up front.”

The risk picture is not necessarily based on technology, but instead on what threats the company might incur by making the acquisition and on the potential liabilities, Leary said.

Looking at Process

The panelists also provided some tips on assessing the cybersecurity of the acquired company.

Conducting a scan of the acquired company's systems or penetration testing may not be possible, according to Smedinghoff.

However, although permission to conduct these types of tests may not be forthcoming, he said there are other options. For example, the seller may regularly conduct tests and scans, so the buyer may be able to look at those reports and achieve the same results.

Ultimately, Smedinghoff emphasized that what is important in evaluating a potential acquisition's cybersecurity is knowing whether it has a process-oriented approach to data security.

This process should involve: looking at what data is important; looking at where important systems are; figuring out what to protect; and then doing a risk assessment, he said.

Knowing whether a company has this type of process in place provides some basis for saying that a particular approach or control is appropriate, Smedinghoff said.

Interviews also can be an important part in understanding whether a company's processes are appropriate, Leary said. Sometimes companies do not have documentation on their processes, but having someone with expertise on the subject can pay dividends in understanding the company's capabilities.

IP Protections

The panel also discussed measures that can be taken to ensure that the seller is protecting the intellectual property and assets they are about to sell.

Companies may want to go beyond including a standard clause that conditions the closing on the seller protecting its assets, Smedinghoff said.

Depending on what is learned during the due diligence process, companies may want to consider imposing a requirement that additional data security be implemented, and that the seller provide evidence it has been done, as a condition of closing, he advised.

In some contexts if data has been compromised, the loss can be quantified and damages be assessed. But in other cases—such as buying the formula of Coca-Cola—the value to the company being acquired could be completely compromised, Smedinghoff said.

What looks good on the day of closing may not look good two months after the closing, he said, adding that there is no such thing as a perfect guarantee.

To contact the reporter on this story: Michael Greene in Washington at mgreene@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com