April 22 — Companies involved in a merger or acquisition must be cognizant of cybersecurity risks or face possible grave financial and reputational harm, privacy attorneys told Bloomberg BNA.
To avoid potential pitfalls, companies on both sides of the deal need to pay close attention to insider threats and cybersecurity risks involved in the due diligence process.
Merging companies must also prepare for the potential hazards of incorporating new technology into an existing company. Ultimately the acquiring company needs to appropriate the necessary level of cybersecurity threat prevention spending.
Cybersecurity issues in a deal are “calibrated to the nature of the business being acquired, such as whether the target has confidential materials and personally identifiable information,” Jeffrey P. Cunard of Debevoise & Plimpton's Cybersecurity & Data Privacy practice, in Washington, said.
Companies that deal with sensitive information—such as “consumer companies, credit card processing companies, banking and financial services and the health care industry”—will need to pay closer attention to cybersecurity risks in any merger, Steven L. Caponi, a corporate and intellectual property partner at K&L Gates, in Wilmington, Del., said. The medical field must pay even more attention because of Health Insurance Portability and Accountability Act requirements that can cause very severe statutory penalties, he added.
There are concrete steps companies can take before and after a deal to protect against potential deal-threatening cybersecurity risks.
Throughout the course of a deal, companies must guard against insider cybersecurity threats from employees and contractors.
Even though the new risk of cyberattacks is high in mergers and acquisitions, insiders have always attempted to derail deals “by leaking memos,” Cunard said. The threat of a deal falling due to an insider threat isn't “heightened just due to the Internet,” he said.
Companies need to pay attention to two types of cybersecurity-related insider threats: “the knucklehead insider who leaves the thumb drive in the airport lounge” and the “malicious insider” who is either out for revenge or trying to profit off of sensitive information, Jeremy Feigelson, head of Debevoise & Plimpton's Cybersecurity & Data Privacy practice, in New York, said.
Caponi said that to limit the risk of insider threats, companies must focus on the actions of their employees. A “large percentage of cyberattacks” in mergers and acquisitions “involve people,” he said.
Companies must protect against employees stealing sensitive deal information. Information technology specialists need to “make sure people are not downloading and stealing” information, especially if your company has “powerful trade secrets,” Caponi said.
Steve Grossman, vice president of program management at Bay Dynamics in New York, said that companies must also communicate with their employees throughout the merger process. The increased discourse will “decrease the level of uncertainty in regards to job security” and thus lower the chance of an insider cyberattack, he added.
Before a merger, companies must focus their efforts on due diligence to detect cybersecurity threats and negotiate reps and warranties to protect against any deal pitfalls.
Due diligence allows parties to “get their act together” and makes sure that “exposure and vulnerabilities are understood,” Grossman said.
Caponi said cybersecurity issues must be treated as an “independent, significant and potentially enterprise risk.” The acquiring company must pay close attention to the target and “try to determine to what extent a data breach will occur,” he said.
If the target is in a high-risk industry, such as health care or banking, then there needs to be a comparatively “more thorough due diligence” process, Caponi said.
To make sure that the target company has a good cybersecurity posture, companies should bring in a third party to conduct penetration tests to detect levels of malware currently on the target's computer system, Caponi said. The tests shouldn't be “very intrusive” and a “basic scan will find out if there is any malware,” he said.
Cunard said that additionally, before the merger is approved, parties must “negotiate sets of representations and warranties” to limit the risk from a cybersecurity attack.
The warranties “can be more or less extensive, depending on the size of the business and deal dynamics,” he added.
The representations and warranties help minimize the risk and worry of the acquiring company in the period between signing the deal and closing the merger. In that period “companies are worried that if there is a catastrophic data breach” the valuation doesn't reflect the risk involved, Cunard said.
The specifics of the deal affect how a company approaches post-merger cybersecurity concerns, Caponi said.
If a company is “acquiring technology” they must be “very methodological” in integrating it into their current network, he said. Companies “don't want to bring in an infected server” that ruins their own computer networks, he said.
Grossman said to help with the transition between companies, the chief information security officer (CISO) should play an important role. Even if the “CISO is going to be the quarterback in the transition,” there still needs to be a good team of lawyers and cybersecurity specialists, he said.
Third-party assistance can also help ease the transition, Caponi said. The target company may have “self defense mechanism” against the acquiring company, he said. Third-party consultants and outside counsel can be effective in making sure the target follows through with securing and maintaining its systems against cyberattacks, he said.
Following the merger, companies need to take into account their cybersecurity spend, Feigelson said. “Every company is in a constant statement of assessment and reassessment of their cybersecurity spend” and must continue to do so after a merger, he said.
After the deal closes there is a “60 to 90 day target zone to delve into cybersecurity priority areas of the acquired business,” Feigelson said. After the target zone passes, the cost to remediate cybersecurity issues increases, he said.
Companies must “elevate their game” during mergers and acquisitions to limit the harmful effects of potential cyberattacks that might result in the derailment of a deal, Grossman said.
To contact the reporter on this story: Daniel R. Stoller in Washington at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org