Imagine being on the brink of spending billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of several cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever overlook, regardless of the size of the acquisition, but that clarion call doesn’t seem to be heard universally.
That’s what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological elements are still relatively low on the essential due diligence checklist.
The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.
“The value of pre-sign due diligence is to make sure that companies are assessing all of the relevant risks before they sign on the dotted line,” says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. “Cyber can be a major factor in deciding whether or not a client decides to walk away” from a merger or acquisition.
Early cyber due diligence allows a potential suitor to “negotiate better terms in terms of purchase price reductions, or indemnities, or other contractual provisions,” he adds.
In conjunction with the traditional business due diligence, companies are turning to threat intelligence specialists to evaluate the prospective target’s risk profile, looking for evidence that the company might have been breached, with its data for sale on the Dark Web, or that it has weak controls over other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company’s infrastructure and known malware families and command and control servers, or other insights.
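The two checks described above, matching a target’s outbound-connection logs against known command and control indicators and searching a credential dump for the target’s accounts, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any of the firms quoted in it. The indicator set, the proxy log lines, the credential-dump sample and the company domain acme-target.example are all constructed for this example and are not real threat data. The domain check matches on whole labels (a subdomain of a bad domain matches, an unrelated host that merely contains the bad name as a substring does not), which is the distinction that separates a real finding from a false positive in a diligence report.

```python
"""Added example: match a target company's outbound-connection logs and a
credential-dump sample against known-bad indicators, the kind of check a
cyber due diligence team runs over OSINT and log data.
All indicators, log lines and dump entries are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator set (hypothetical, not a real threat feed).
C2_DOMAINS = {"update-check.example-bad.net", "cdn.evil-example.org"}
C2_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),   # TEST-NET-2, documentation range
               ipaddress.ip_network("203.0.113.0/24")]    # TEST-NET-3, documentation range

# Constructed outbound proxy/firewall log lines for the hypothetical target.
PROXY_LOG = """\
2024-03-01T10:02:11Z src=10.20.1.15 dst=93.184.216.34 host=www.example.com action=allow
2024-03-01T10:02:45Z src=10.20.1.15 dst=198.51.100.77 host=update-check.example-bad.net action=allow
2024-03-01T10:03:02Z src=10.20.1.22 dst=203.0.113.9 host=- action=allow
2024-03-01T10:03:30Z src=10.20.1.31 dst=93.184.216.34 host=cdn.evil-example.org.mirror.example.com action=allow
"""

# Constructed credential-dump sample in the common email:password "combo list" layout.
DUMP_SAMPLE = """\
alice@acme-target.example:Summer2023!
bob@unrelated.example:hunter2
carol@mail.acme-target.example:Welcome1
dave@notacme-target.example:pass
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    host: str
    reason: str


def domain_matches(host: str, bad: set[str]) -> bool:
    """True if host equals a bad domain or is a subdomain of one.
    Compares whole labels, so 'cdn.evil-example.org.mirror.example.com'
    does NOT match 'cdn.evil-example.org' (a substring test would)."""
    if host == "-":
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad for i in range(len(labels)))


def ip_matches(dst: str, networks) -> bool:
    """True if dst is an IP inside any of the indicator networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_c2_hits(log_text: str) -> list[Hit]:
    """Return one Hit per log line that reached a C2 domain or network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        d = m.groupdict()
        if domain_matches(d["host"], C2_DOMAINS):
            hits.append(Hit(d["ts"], d["src"], d["dst"], d["host"], "c2-domain"))
        elif ip_matches(d["dst"], C2_NETWORKS):
            hits.append(Hit(d["ts"], d["src"], d["dst"], d["host"], "c2-network"))
    return hits


def leaked_accounts(dump_text: str, company_domain: str) -> list[str]:
    """Emails in the dump whose domain is the company domain or a subdomain of it."""
    found = []
    for line in dump_text.splitlines():
        email, _, _ = line.partition(":")
        _, at, domain = email.rpartition("@")
        if at and domain_matches(domain, {company_domain.lower()}):
            found.append(email)
    return found


def due_diligence_findings(log_text: str, dump_text: str, company_domain: str) -> dict:
    """Summarise both checks in the shape a diligence memo would cite."""
    hits = find_c2_hits(log_text)
    return {
        "c2_hits": [(h.src, h.host, h.reason) for h in hits],
        "leaked_accounts": leaked_accounts(dump_text, company_domain),
    }


if __name__ == "__main__":
    print(due_diligence_findings(PROXY_LOG, DUMP_SAMPLE, "acme-target.example"))
```

Run as written it reports two C2 hits (one by domain, one by destination network) and two leaked accounts, and ignores both the look-alike host on the last log line and the look-alike domain on the last dump line. In a real engagement the indicator sets would come from a threat intelligence feed and the logs from the target under NDA; the matching logic is the same.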
Other critical intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports.
“You’re starting to see more technical verification moving into the pre-sign phase,” Hauser says.
Assessing Vulnerabilities
Cyber criminals often watch mergers and acquisitions activity, looking for a potentially vulnerable target being acquired by a stronger company, especially one that might hold a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be unusual for the target firm to be attacked in the hope of breaching a weak link and thereby accessing the more lucrative part of the merged companies.
Another vulnerability arises when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.
If the acquiring company doesn’t employ compliance specialists for the acquired company’s operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.
In such cases, using a third-party advisory service is advisable, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target’s security posture, including what its program looks like, its strengths and weaknesses, and its current security tool sets.
“Then you can get perspectives on the targets that are both objective to the target and deal with this integration challenge,” he says.
Taking Responsibility
Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. “They are going to be the ones who own cyber risk at their business because if there’s an incident, they’re calling outside counsel, they’re coordinating forensics, and they’re [handling] regulatory response obligations,” Colson says.
“I think the more proactive [general counsels] are, [they are] going to realize that cyber risk is a place where they can actually drive value to the business and enable things,” he adds. “It’s just a matter of time before more and more GCs get on board with that.”
EY’s Hauser said that SEC Chairman Gary Gensler’s recent proposed rules for public companies and other financial services organizations could help boards of directors navigate the cybersecurity due diligence challenges.
There is a consensus that there is a growing risk of cybercrime and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. Combine that with Gensler’s proposed rules, which put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity specialists to take a more active role in board-level decisions, he notes.