The Brave New World of Cybersecurity in M&A Due Diligence: Pitfalls and Opportunities

Thomas McThenia, shareholder, left, and Richard Markow, law clerk, right, with GrayRobinson in Gainesville, Florida.

For the casual observer, mergers and acquisitions (M&A) deals in the 20th century occurred in a staid and established world carefully controlled and choreographed by Wall Street investment bankers and lawyers. Like poorly behaved school children, new technologies and intellectual property (IP) are increasingly disrupting the M&A establishment. Digital and data technologies revolutionized transactions in the 1970-80s; intellectual property came to the forefront as a source of significant value and collateral in the 1990s and, Internet technology created vast wealth in the early 2000s.

Cybersecurity has become the latest disruptive newcomer to the M&A party. As expanding technology allows companies and platforms to capture, store and distribute critical enterprise, supplier and customer information, attacks are spreading. Traditional M&A due diligence processes struggle to keep pace with increasing cybersecurity problems.

Cybersecurity: The New Kid on the M&A Due Diligence Block

The unique ways that information moves through the networks and channels of entities and M&A participants exposes new vulnerabilities during the M&A process. Interconnected networks extend connectivity and access beyond a single company’s control. Comprehensive cybersecurity due diligence is required to consider the processes and systems that protect the integrity and value of proprietary data, personally identifiable information (PII), and business and financial information. Hacks and cyber threats occur at all stages of M&A deals. The present material risks to impact the value of the deal and the companies involved. Considerations for cybersecurity due diligence are different at each stage of the M&A process.

Verizon’s recent acquisition of Yahoo! illustrates the need to start cybersecurity due diligence before a deal’s announcement. Verizon was caught unaware learning about two unreported data breaches of Yahoo which occurred pre-announcement. The unexpected breach information resulted in Yahoo! being devalued by $350 million and caused significant delays in closing the deal. The liability did not end there. Post-deal, Yahoo!’s successor entity was ordered to pay $85 million to settle a class-action and was subject to FTC remediation measures. A comprehensive cybersecurity due diligence process conducted before the announcement could have alerted deal makers to the materiality of the issue enabling them to better mitigate risks before announcing the deal.

A deal announcement can also become the impetus for hacking. In 2005, shortly after the acquisition of Seisint, Reed Elsevier learned that a hacker had compromised a computerbelonging to a police officer in a small town in Florida. Once behind the firewall of the police department’s network, hackers were able to access records at Accurint, a database service of Seisint. By executing a “Cross-Site Scripting” attack they were able to fold malicious content into the content being delivered from the police department site to Accurint. Accurint provided a path for hackers into the Reed Elsevier Lexus database. This allowed hackers to steal passwords, names, addresses, Social Security and drivers’ license numbers of 310,000 people. Reed Elsevier’s share price fell 1.03% on news of the breach. Cybersecurity due diligence before the deal announcement would have identified Accurint’s vulnerability.

Breaches During Deals Can Be Game-Changers

A breach which occurs during an M&A deal process can be equally devastating. Consider as an example, TripAdvisor’s acquisition of Viator. TripAdvisor paid $200 million for Viator. Less than two months after the deal closing, Viator’s credit card payment processor informed them that the credit card information of over 880,000 customers had been stolen. Forensic analysis determined that an additional 550,000 customers had their PII exposed. TripAdvisor’s stock then dropped 4%, resulting in a $580 million decrease in market capitalization. Additionally, remediation costs were estimated to be over $350 million. A site scan and forensic analysis could have dramatically reduced, if not eliminated, this breach and its impact

M&A due diligence should further consider and account for opportunities for dormant breaches. By way of example, a dormant breach occurred in a 2017 merger of healthcare providers Women’s Health Care Group of PA and the Regional Women’s Health Group of northern New Jersey. A virus had been hidden on a server and workstation of Woman’s Healthcare Group prior to the merger, but was not discovered until after closing. By activating this dormant breach on the post-merger network, a hacker gained system-wide access — exposing 300,000 patient records and resulting in the second largest healthcare industry ransomware data breach.

Cybersecurity Due Diligence for Merged Cultures

Along with new data, a merger or acquisition brings different corporate and IT cultures together. New systems and offerings of the merged entity increase information being pulled across diverse and/or incompatible systems using unproven processes, by unfamiliar employees, partners and customers who do not know what to expect. For example, a system that may have been designed to integrate seamlessly with another may not due to an undocumented custom installation or configuration, the addition of a long-forgotten application programming interface (API), or from the failure to install an upgrade or “fix” to a bug. Cybersecurity due diligence will need to adjust to consider the different corporate and IT cultures and systems prior to, during and after the merger.

Beyond physical systems, human factors play a significant role in M&A cybersecurity. Mergers of two organizations change processes, internal employee and customer relationships and reporting hierarchies. Departments, functions and locations have less familiarity, forcing employees to deal with people, places, systems and processes that are unfamiliar to them. Hackers use this change and lack of familiarity to launch social engineering attacks, like phishing scams or ransomware, attempting to trick employees into defeating security measures or divulging confidential information.

In 2005, a hacker convinced Wachovia bank employees to sell account information on more than 676,000 customers by claiming to be a collection agency. Within a short period, employees that normally performed 50 account searches a day began searching up to 500 accounts, copying and selling the data. Wachovia was not alone. Merged and acquired entities are particularly vulnerable to employee breaches when entities fail to rationalize employee identity and access controls. In this case, security protocols should have flagged a 10-fold increase in account searches without a corresponding increase in need.

Next Steps for M&A Professionals

The M&A industry may benefit from considering disruption from past technological innovations in analogous legal processes. As a new lawyer in the early 1990s, I spent months overseeing the manual review and cataloging of truckloads of banker’s boxes of documents for litigation discovery. E-discovery brought new methods and means to identify, preserve and catalogue documents for use in litigation which are now norms for professionals in litigation. Likewise, in recent years, M&A processes have focused on privacy issues and the risks associated with reporting data breaches. M&A professionals would benefit from considering needed changes for the M&A process to account for cybersecurity in addition to data privacy and breach. Richard Harroch, managing director and global head of M&A for VantagePoint Capital Partners, cautions that traditional M&A lawyers may lack awareness of the broader cybersecurity issues and need to add new capability to their teams — such as IT and cybersecurity expertise. M&A professionals will need a degree of education as to the technical risks and possibilities to consider impact on their processes.

Regulatory concerns are also prompting this new consideration of cybersecurity. The SEC’s recent guidance on cybersecurity disclosures requires companies to disclose material cybersecurity risks and incidents. Materiality considers, among other things, “harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

To comply with privacy and consumer protection laws, along with regulatory and industry standards, M&A teams will need to develop organizational cybersecurity maps and risk assessments that consider the type and means of data collection, storage and access as well as legal assessments of policies, procedures and contracts. The due diligence will also be wise to consider the post-M&A entities and realities of cybersecurity in considering post-closing deal considerations and attribution of liability and value.

Risks associated with human factors need to be addressed. Considerations can include: technological controls, rationalizing employee identity, background checks and access controls to systems and information, as well as policies and legal agreements such as intellectual property policies and agreements, non-disclosure agreements, non-compete agreements and severance agreements.

Due diligence may also need to consider system testing including independent assessments and “Dark Web” style penetration tests, reviews of past breaches for remediation measures and ongoing obligations from both a technical as well as a legal perspective.

The due diligence process also would benefit from considering crisis management, continuity plans, disaster recovery, hosted solutions providing employees with resources and instruction for responding as well as guidance on who to direct inquiries to in the event of a breach or crisis during the M&A process or after a merger. This would include a legal appraisal of underlying contractual, liability and governance agreements for these issues not typically addressed in many M&A situations.

Analysis

In short, comprehensive cybersecurity due diligence recognized the new and changing world being formed by cyber threats and cybersecurity. M&A processes will continue to need to quickly adapt to consider and integrate cyber awareness with legal risks and opportunities to provide a comprehensive appraisal and solution to cyber-related vulnerabilities associated with systems, humans, data processes, impact on value and legal and industry considerations.

Thomas McThenia is a shareholder and managing director at GrayRobinson’s Gainesville office where he practices in cyberlaw, intellectual property, technology, licensing, M&A and commercial transactions. He represents a wide array of clients including multinational corporations, nonprofit organizations, universities, start-up and emerging-growth companies, technology and internet companies, and individual entrepreneurs. He may be contacted at tom.mcthenia@gray-robinson.com.

Richard Markow is a law clerk and currently pending Florida Bar Admission.