M&A and cyber security: key considerations for buyers and sellers - Compliance

As companies continue to collect and hold more data and personal information than ever before – and use progressively more complicated technologies to handle and transfer it – cyber security and privacy compliance risks are increasingly important concerns for buyers and sellers in M&A transactions. Data is big business and its acquisition is becoming a primary driver for transactions.

In today's technology-driven world, an organisation's systems and data are exposed to the internet and a host of security vulnerabilities, both technical and human. Almost all businesses in every sector hold significant amounts of confidential information and data, and cyber security and privacy risks therefore extend to almost all businesses.

These concerns are brought into sharp focus on a change of ownership of a company, when a buyer may take on liabilities they are not aware of which relate to a period for which it has not received the profits. Any failure to take the cyber security of a target company seriously may also allow pre-existing cyber security flaws to flow into the acquiring company. In this way, the M&A transaction can act as a 'Trojan Horse' where vulnerabilities can leak into the buyer's business.

Further, the legislative framework for data and privacy matters in Australia and internationally, and indirect regulatory scrutiny through regulators such as FIRB and the ACCC, imposes additional requirements on sellers, boards and buyers for proper diligence of a target company's compliance.

There are also significant potential financial consequences for the parties involved, both in the form of fines for non-compliance with applicable obligations, and reparative costs in bringing the acquired company 'up to scratch'. In this context, it is worth noting that the maximum fines for serious or repeated breaches of the Privacy Act 1988 (Cth) (Privacy Act) are expected to increase significantly in the near future. This would bring the Privacy Act into line with the General Data Protection Regulation (GDPR) penalty regime imposed in Europe, as well as penalties now applicable for breaches of the Australian Consumer Law.¹

Impact on M&A transactions

On discovery of cyber issues, deals may stall, valuations may be hit or the transaction may simply not proceed at all.

According to a recent report by Forescout Technologies (Forescout Report),² 53% of respondents reported that they had encountered a critical cyber security issue or incident during an M&A deal that put the deal into jeopardy. Around two-thirds of the respondents said that their companies had regrets in making an M&A deal due to cyber security concerns.

Considering that 73% of respondents also agreed that technology acquisition is their top priority for their M&A strategy over the next 12 months, the importance of understanding the risks involved has never been more pertinent.

One example of how significant a cyber security issue can be in an M&A context was the discovery of a data breach during the negotiation of Verizon's purchase of Yahoo! for US$4.8 billion. The discovery resulted in a US$350 million reduction in the purchase price paid by Verizon, and penalties of over US$35 million to Yahoo! (not to mention the US$80 million in settling actions brought by shareholders).

While the deal did still proceed, the complications caused to both parties were significant, especially given that Yahoo! Did not have cyber insurance.

Is cyber insurance the answer?

In our experience, even where a party does have insurance, this does not mean that all cyber risks will be covered. As noted in Aon's report Cyber Perils in a Growing Market, cyber insurance and professional liability policies are generally 'named perils' policies as opposed to 'all risk' policies, and are unlikely to cover all cyber risks.

By way of example, payment diversion fraud coverage for 'spoofing', 'phishing' and other social engineering incidents are generally excluded under typical cyber and professional liability policies. In addition, typical cyber risk policies also specifically exclude fiduciary liability litigation which, as demonstrated by a number of high value actions in the US, can be significant.³

For this reason, the policy wording, scope and limitations are all crucial to coverage, and should be reviewed as part of the due diligence process in addition to the in-depth review of the extent of the risks present in the company.

Cyber security due diligence questions for buyers and sellers

Whether you are a potential seller preparing a business for sale or a buyer carrying out due diligence on a potential target business, it is worthwhile considering the following questions:

What privacy laws and information security obligations apply to the target company? For example, is the company an 'APP entity' required to comply with the Privacy Act including the Australian Privacy Principles? Is the company subject to international privacy obligations, such as the stringent EU GDPR? Is the company an APRA-regulated entity that must comply with the new APRA prudential standard CPS 234 Information Security? Finally, depending on which laws and standards apply, is the company currently complying with those laws and standards, or alternatively, have any previous breaches left the company and/or the buyer open to regulatory or action?
Has the company been exposed to any previous data breach, and if so, has it responded to the breach appropriately? In considering this question, the investigating company should keep in mind that companies can be unaware they have been impacted by a data breach for period of time (months, in some cases) after the data breach actually occurs.
What cyber security measures does the company currently have in place? Does the company maintain strict cyber security protocols (including with its technology and other service providers), and frequently upskill staff on cyber security measures and processes?
Are the company's cyber and professional liability insurance policies drafted broadly enough to cover the broad range of consequences flowing from a data or privacy breach? Will they need to be re-negotiated following the transaction? Will run off insurance cover be required?
How will privacy and cyber security be handled throughout the transaction (including any transition period)? Are the means of transferring data secure, and have protocols been established to ensure access to information is appropriately limited throughout the transaction?⁴

Proactivity is key

In the Forescout Report, 71% of respondents agreed that they are putting more of a focus on a target's cyber security posture than in the past.

While warranties that the company has not experienced a data breach are recommended and do have utility to an extent, their application is often limited to the company having 'knowledge' of that data breach, and the discovery of a breach may not occur until months after completion. In these situations, the buyer may be left to clean up the mess, and even if indemnities do cover related costs, these may not be sufficient to cover the potential reputational damage caused.

Therefore, a comprehensive privacy and cyber security risk review is recommended as part of the M&A due diligence practice. This review should consider a broad range of factors, including:

the levels of access granted to employees, contractors and 'outside' third party service providers;⁵
the proposed method of transferring data during the M&A transaction;
the proposed strategy to combine any data storage systems and maintain current security measures;
the ability of any related insurance policies to cover cyber issues; and
any additional privacy or information security obligations that the company may become subject to as a result of the transaction.

Who can help?

Some companies will have an in-house cyber security team that is well-equipped to handle M&A cyber and privacy due diligence on a potential acquisition target. However, given the potential financial and reputational consequences that can arise from a data breach or other substantive non-compliance with privacy or information security obligations, an external review or support is often required and appropriate.

The cyber security team should play a role in reviewing the proposed process of the M&A deal from a cyber security and data handling and transfer perspective to prevent security breaches where the company may be most vulnerable.

Cyber security and privacy are fundamental concerns for both the seller and the buyer in an M&A transaction. While these issues may not have always been considered a priority when trying to close a deal in the past, in today's data-driven world, any failure to address and carry out appropriate due diligence on cyber security and privacy issues in the sale contract can result in significant detriment to all parties involved.

Footnotes

¹ The maximum penalties for serious or repeated breaches of the Privacy Act is set to increase from A$2.1 million, to the greatest of:

A$10 million;
three times the value of any benefit obtained through the misuse of information; and
10% of a company's annual domestic turnover.

² See: https://www.forescout.com/company/resources/cybersecurity-in-merger-and-acquisition-report/

³ See: https://www.aon.com/cyber-solutions/thinking/cyber-perils-in-a-growing-market/

⁴ Studies show that hackers target M&A deals in order to acquire deal information, client data, executive's emails, intellectual property and sensitive information.

⁵ 30% of security incidents occur due to current employees, and 26% due to former employees, as set out in The Global State of Information Security Survey 2017 by PwC.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.