Buying Cyber Risk
When Verizon agreed to buy Yahoo for $4.83 billion, it didn’t know about Yahoo’s 2013 and 2014 data breaches. They were disclosed in the midst of the acquisition—driving home the importance of conducting cyber due diligence early in the M&A process.
The Wall Street Journal reported that, although Yahoo disclosed the 2014 breach involving the personal information of 500,000 users in September 2016, the company had “linked the incident to state-sponsored hackers two years earlier.” Yahoo reportedly discovered the 2013 breach, which involved private information on more than one billion users, in December 2016. Combined, they represent the largest known breach of personally identifiable information (PII). To add to the company’s problems, the Securities and Exchange Commission opened an investigation into whether Yahoo violated its guidance to disclose cyber events that could have a material impact on investors.
Upon learning of the 2014 breach, Verizon signaled that it might seek to renegotiate the deal under the “material adverse change” clause of its purchase agreement. Indeed, the companies recently agreed on a $350 million reduction in price and a division of potential future liabilities arising from the breaches.
Cyber Due Diligence and Risk Management
Buying a company—or even certain assets of a company—means buying its past, present and future cyber risks, including its privacy and regulatory issues, infrastructure weaknesses, and software and hardware vulnerabilities. Brokers should be aware of this, whether buying or selling a brokerage practice or advising clients seeking to acquire or divest assets or entire businesses.
For example, without conducting cyber due diligence, the buyer risks purchasing a company with active malware within its system. Or a company’s security controls could be so weak that interconnecting the buyer’s and seller’s systems could quickly compromise all operations. Or the seller’s intellectual property could have been stolen or serious breaches of PII could have occurred, exposing future market share.
A company’s data are some of its most valuable assets. It is important to know if the data being purchased have been stolen, disclosed or compromised. The Wall Street Journal reported in 2012 that Chinese hackers had unfettered access to Nortel’s systems for nearly a decade, using seven passwords stolen from executives. They stole technical papers, R&D reports, business plans and anything else they wanted. The paper noted that, “Mr. Shields [the internal investigator] and several former colleagues said the company didn’t fix the hacking problem before starting to sell its assets, and didn’t disclose the hacking to prospective buyers. Nortel assets have been purchased by Avaya Inc., Ciena Corp., Telefon AB L.M. Ericsson and Genband.”
This type of activity continues today. Electronic espionage, theft by insiders and intelligence gathering by nation states are commonplace. Cyber defense company FireEye noted in a 2016 report that it had “observed several likely China-based threat groups targeting companies engaged in M&A-related activity.”
Brokers should realize that no matter the size of the deal or perceived sophistication of the parties, the security of digital assets cannot be taken for granted. “To assume a company has adequate protections against theft of confidential information or intellectual property is to take an enormous and unnecessary risk that could change the value of the underlying deal,” note Tom Smedinghoff and Roland Trope, co-editors of A Guide to Cybersecurity Due Diligence in M&A Transactions, which will be published in early summer 2017 by the American Bar Association.
The Impact of Cyber Due Diligence on a Deal
Cyber due diligence is critically important to buyers and sellers. Evidence of a strong cybersecurity posture can be marketed as an asset and result in a higher valuation of target companies. Weak cyber-security practices, however, can cause a reduction in purchase price to offset necessary expenditures to correct security issues or resolve potential liabilities—or it can scuttle the deal altogether.
In 2016, the New York Stock Exchange and Veracode conducted a survey of 276 public company directors and officers to better understand cyber risk-management practices in the M&A environment. Of the respondents, 85% indicated the discovery of major vulnerabilities in a target company’s software assets would likely or very likely affect their final decision on the acquisition. Although 52% of the respondents said they would buy the company at a significantly lower valuation, 22% of them said a high-profile data breach would cause them to decline the acquisition.
A similar study, performed a couple of years earlier by the UK law firm Freshfields Bruckhaus Deringer, surveyed deal-makers instead of directors, but it had comparable findings. Of the survey respondents, 90% said previous cyber breaches could reduce the value of the target company, and 83% said a deal could be scuttled if previous breaches were revealed.
Significantly, the report noted that the opinions of the respondents did not necessarily indicate that cyber due diligence was occurring. “It is odd that most respondents to the survey said they were concerned about cyber security risks but that most respondents aren’t actually doing anything about them during the M&A process,” it said.
The Yahoo—Verizon acquisition has likely changed that.
What to Do
Brokers can help clients by advocating for a robust cyber-risk assessment early in the M&A process. This can range from a review of documents to a comprehensive analysis of the IT infrastructure and cyber-security program, including vulnerability scanning or penetration testing. The scope of the assessment will depend on the size of the company, sensitivity of data, compliance requirements and complexity of business operations.
If a company manufactures (or even uses) products with embedded software or uses wireless devices, it is important to check for security vulnerabilities, as the engineers that develop this software or select the devices usually work outside of IT and may not consider security risks during the innovation process. Medical devices, automobile computers and hotel door-locking systems are recent examples of products that have been hacked.
Cyber-security programs should be assessed against the best practices and standards applicable to the company. For example, a global manufacturing company that contracts with the U.S. Government, accepts credit cards at its outlet stores and administers its own health plan may have to meet the ISO 27001 standard for information security, the National Institute of Standards and Technology cyber-security requirements, the Payment Card Industry Data Security Standard, and the HIPAA Security Rule.
Cyber due diligence also must check whether privacy and security compliance requirements are integrated into the cyber-security program. The European Union imposes strict data protection obligations with respect to PII, and its new General Data Protection Regulation, which goes into effect in May 2018, strengthens them and includes breach notification provisions. Fines under the General Data Protection Regulation can be onerous, reaching up to 20 million Euros or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. European Workers’ Councils and national data protection authorities may impose additional requirements.
A cyber due diligence report should provide detailed findings and enough specificity that potential business interruption or other relevant loss exposures can be identified and quantified. John Dempsey, managing director and global practice leader at Aon, recently noted that, “Accurate exposure quantification can be a game changer. When a company correlates its cyber risks to financial exposures, decisions about whether the price should be adjusted or a deal aborted can be made with greater clarity.”
Quantifying cyber risks also helps the buyer evaluate whether the target’s existing insurance coverage is adequate to transfer the identified risks. Brokers also can help clients manage cyber risks through transactional liability insurance, which includes representations and warranties coverage and may cover the discovery of a cyber event.
Jody Westby is CEO of Global Cyber Risk. firstname.lastname@example.org