Canada: Cybersecurity Due Diligence In M&A Transactions During COVID-19

In recent years, we have seen an increased focus on cybersecurity due diligence in many mergers and acquisitions (M&A) transactions. This directly relates to most organizations being heavily dependant on digital assets to operate and deliver products and services to customers.

Prior to a transaction, a target (and its affiliates) may have material data protection weaknesses unbeknownst to it, or may have been a victim of a previous cybersecurity incident that could potentially result in the buyer being held liable post-transaction.

With the COVID-19 pandemic resulting in most Canadian businesses turning to remote work, many cybercriminals have been successfully gaining access to the information technology (IT) environments of various organizations, thereby increasing the cyber risk profile of a potential target.

We outline below key considerations when it comes to preparing digital assets for a transaction and evaluating a target's cybersecurity posture in the context of decentralized business operations.

WHY IS COVID-19 A CYBERSECURITY THREAT?

In March, most organizations were required to move many employees to remote work in a short period of time and maintain business continuity. It is likely that many organizations did not have adequate systems in place or were dramatically scaling up existing remote work protocols. Like any emergency situation, threat actors are known to take advantage of these vulnerabilities.

Threat actors are capable of capitalizing on unprepared employers and employees because:

• New employees may have received inadequate cybersecurity training, thereby making them more likely to fall prey to phishing campaigns and social engineering attempts
• Organizations may not have a dedicated cyber team, a sufficiently resourced team or a third party to respond to its cyber needs. Without a robust support system, a business can suffer from significant losses when a cyber event occurs because they cannot identify or respond quickly and appropriately
• Many organizations may have not updated their incident response plans where their workforce is remote, namely addressing issues such as remote data storge, secure data transfers, coordination and secure communication of IT teams where systems crash, and establishing the infrastructure to set up for remote use of their technologies
• Given limited resources, some organizations have not been able to implement security measures, such as regular patching and multi-factor authentication

Buyers and sellers should be aware that threat actors have significantly increased their focus on phishing attacks. According to Microsoft, there was a 70 per cent increase in the last year in phishing as a means of harvesting user credentials. Obtaining these credentials allows threat actors to gain access to and compromise the network, resulting in data breaches, identity theft and ransomware. Threat actors continue to draw from public sources, such as business profile pages, social media pages and others, to build profiles that appear as legitimate, which increases the likelihood victims will be deceived.

Also, while there has been little change in the overall volume of malware, there is evidence that adversaries are using worldwide attention on COVID-19 to socially engineer lures around our collective anxiety and the flood of information associated with the pandemic.

IMPLICATIONS FOR M&A

In light of the pandemic, almost all organizations will need to review and revise their cybersecurity incident response plans to take into account their remote workforce.

At the beginning of the transaction, buyers and sellers should, at a minimum:

• Understand the data and other technological assets in the transaction, specifically the nature of the data and its level of sensitivity, whether data is encrypted or anonymized, how and where the data is stored and who has access to the data
• Determine to what extent the buyers and sellers' systems are compatible and what expenditure is required to synchronize them
• Closely consider the target's cyber security posture and determine whether it is robust and if any weaknesses must be updated
• Determine whether any existing cyber insurance policies are broad enough to cover the different consequences that could flow from a breach, and consider whether they will need to be renegotiated after closing
• Confirm what measures the sellers' suppliers, contractors, subsidiaries or third parties have taken to strengthen their cyber defences, and their capacity to effectively respond remotely where cyber events occur
• Identify what data privacy laws apply to the seller and its subsidiaries and assess whether their policies comply with the relevant legislation
• Request information of any data breaches the seller, its subsidiaries or third-party affiliates have suffered. Sellers should prepare breach information and where breaches occurred, communicate to buyers what changes were made in response.

During the transaction, there may be additional sensitivity and attention on the sellers' data between the time when the M&A becomes public and closing. It is important to proactively assess and monitor how deal information will be shared and transferred, who will control the data transfer process, and whether the target has adequate remote capabilities to perform all measures securely.

TAKEAWAYS

Poor cyber practices or breaches can result in many losses, including reputational loss, loss of profits, increased costs, deal costs, legal fees, delays in deal completion and liabilities for prior unknown breaches or breaches occurring during or after the acquisition. To avoid these costs, businesses should be proactive in their approach to preparing for transactions and ask important questions about cyber practices and policies, including the capacity to effectively respond remotely to cyber events. Businesses should use COVID-19 as an opportunity to improve their cyber due diligence and protect short term and long-term interests by safeguarding against cyber incidents and protecting sensitive data in M&A transactions.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.