Cybersecurity Is an Enterprise Risk in M&A Deals


By Daniel R. Stoller

April 22 — Companies involved in a merger or acquisition must be cognizant of cybersecurity risks or face possible grave financial and reputational harm, privacy attorneys told Bloomberg BNA.

To avoid potential pitfalls, companies on both sides of the deal need to pay close attention to insider threats and cybersecurity risks involved in the due diligence process.

Merging companies must also prepare for the potential hazards of incorporating new technology into an existing company. Ultimately, the acquiring company needs to appropriate the necessary level of cybersecurity threat-prevention spending.

Cybersecurity issues in a deal are “calibrated to the nature of the business being acquired, such as whether the target has confidential materials and personally identifiable information,” Jeffrey P. Cunard of Debevoise & Plimpton's Cybersecurity & Data Privacy practice, in Washington, said.

[Chart: 2015's top 10 completed computer data security M&A deals]

Companies that deal with sensitive information—such as “consumer companies, credit card processing companies, banking and financial services and the health care industry”—will need to pay closer attention to cybersecurity risks in any merger, Steven L. Caponi, a corporate and intellectual property partner at K&L Gates, in Wilmington, Del., said. The medical field must pay even more attention because of Health Insurance Portability and Accountability Act requirements that can cause very severe statutory penalties, he added.

There are concrete steps companies can take before and after a deal to protect against potential deal-threatening cybersecurity risks.

Insider Threats

Throughout the course of a deal, companies must combat insider cybersecurity threats from employees and contractors.

Even though the new risk of cyberattacks is high in mergers and acquisitions, insiders have always attempted to derail deals “by leaking memos,” Cunard said. The threat of a deal falling through due to an insider isn't “heightened just due to the Internet,” he said.

Companies need to pay attention to two types of cybersecurity-related insider threats: “the knucklehead insider who leaves the thumb drive in the airport lounge” and the “malicious insider” who is either out for revenge or trying to profit off of sensitive information, Jeremy Feigelson, head of Debevoise & Plimpton's Cybersecurity & Data Privacy practice, in New York, said.

Caponi said that to limit the risk of insider threats, companies must focus on the actions of their employees. A “large percentage of cyberattacks” in mergers and acquisitions “involve people,” he said.

Companies must protect against employees stealing sensitive deal information. Information technology specialists need to “make sure people are not downloading and stealing” information, especially if your company has “powerful trade secrets,” Caponi said.

Steve Grossman, vice president of program management at Bay Dynamics in New York, said that companies must also communicate with their employees throughout the merger process. The increased discourse will “decrease the level of uncertainty in regards to job security” and thus lower the chance of an insider cyberattack, he added.

Due Diligence and Warranties

Before a merger, companies must focus their efforts on due diligence to detect cybersecurity threats and negotiate reps and warranties to protect against any deal pitfalls.

Due diligence allows parties to “get their act together” and makes sure that “exposure and vulnerabilities are understood,” Grossman said.

Caponi said cybersecurity issues must be treated as an “independent, significant and potentially enterprise risk.” The acquiring company must pay close attention to the target and “try to determine to what extent a data breach will occur,” he said.

If the target is in a high-risk industry—such as health care or banking—then there needs to be a comparatively “more thorough due diligence” process, Caponi said.


To make sure that the target company has a good cybersecurity posture, companies should bring in a third party to conduct penetration tests to detect levels of malware currently on the target's computer system, Caponi said. The tests shouldn't be “very intrusive” and a “basic scan will find out if there is any malware,” he said.

Cunard said that additionally, before the merger is approved, parties must “negotiate sets of representations and warranties” to limit the risk from a cybersecurity attack.

The warranties “can be more or less extensive, depending on the size of the business and deal dynamics,” he added.

The representations and warranties help minimize the risk and worry of the acquiring company in the period between signing the deal and closing the merger. In that period “companies are worried that if there is a catastrophic data breach” the valuation doesn't reflect the risk involved, Cunard said.

Acquiring Technology

The specifics of the deal affect how a company approaches post-merger cybersecurity concerns, Caponi said.

If a company is “acquiring technology” they must be “very methodological” in integrating it into their current network, he said. Companies “don't want to bring in an infected server” that ruins their own computer networks, he said.

Grossman said to help with the transition between companies, the chief information security officer (CISO) should play an important role. Even if the “CISO is going to be the quarterback in the transition,” there still needs to be a good team of lawyers and cybersecurity specialists, he said.

Third-party assistance can also help ease the transition, Caponi said. The target company may have a “self defense mechanism” against the acquiring company, he said. Third-party consultants and outside counsel can be effective in making sure the target follows through with securing and maintaining its systems against cyberattacks, he said.

Cybersecurity Spend

Following the merger, companies need to take into account their cybersecurity spend, Feigelson said. “Every company is in a constant statement of assessment and reassessment of their cybersecurity spend” and must continue to do so after a merger, he said.

After the deal closes there is a “60 to 90 day target zone to delve into cybersecurity priority areas of the acquired business,” Feigelson said. After the target zone passes, the cost to remediate cybersecurity issues increases, he said.


Companies must “elevate their game” during mergers and acquisitions to limit the harmful effects of potential cyberattacks that might result in the derailment of a deal, Grossman said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at
