Cybersecurity Due Diligence in M&A Transactions
Reprinted with permission from the June 22, 2018 issue of The Legal Intelligencer. © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
As former SEC Commissioner Luis Aguilar aptly stated: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” The statistics on data breaches echo the commissioner’s message: 2017 saw an 88 percent increase in the amount of compromised records compared with 2016. All companies in today’s economy rely on digital assets to conduct business. Companies collect and store personal data about users for payment, marketing and analytics purposes. Business-to-business and business-to-consumer companies alike collect sensitive data about employees and their families for payroll and benefit administration. Moreover, companies’ confidential information, transaction information and trade secrets are contained in electronic records which, if compromised, could severely affect the business’ value.
Equifax’s breach and Facebook’s Cambridge Analytica scandal highlight cybersecurity’s increasing link to reputation. Additionally, government agencies like the SEC and FTC are paying close attention to cybersecurity issues. The FTC, which has brought over 50 cybersecurity lawsuits, compiled all of its enforcement messages into its “Start with Security” guidance—essential reading for all businesses.
Verizon’s acquisition of Yahoo, together with Yahoo’s settlements with private litigants and the SEC, underscores the importance of cybersecurity as a critical component of the diligence process in M&A transactions.
Yahoo/Verizon Deal
In July 2016, Verizon and Yahoo entered into a purchase agreement whereby Verizon would acquire Yahoo’s business for $4.83 billion. Soon after, a hacker claimed to have obtained Yahoo user data. After Yahoo conducted an investigation, it publicly disclosed that in late 2014 it suffered a data breach affecting at least 500 million accounts (2014 security incident). Yahoo initiated its investigation of the 2014 security incident on July 30—seven days after the purchase agreement had been signed—and did not inform Verizon about the breach until nearly two months later. In December 2016, Yahoo announced its discovery of a separate security breach that occurred in August 2013 and affected more than one billion accounts (2013 security incident).
By the end of 2016, an independent committee investigation by Yahoo’s board found that “the company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts … ,” Yahoo! Inc., Form 10-Q, at 47 (March 1, 2017). Additionally, “the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”
During the process, Verizon assessed the effect of the 2013 and 2014 security incidents on Yahoo’s business to decide whether to reduce the purchase price or walk away from the deal. When the dust settled, Verizon negotiated a $350 million price reduction and a liability-sharing arrangement with Yahoo.
Lessons Learned
The Yahoo acquisition presents several lessons to M&A acquirers during the diligence phase:
- A target’s cybersecurity practices and monitoring should be carefully assessed, especially when it relies heavily on the collection, use and storage of personal data. Yahoo’s lack of emphasis on uncovering, responding to and disclosing security incidents demonstrates how even established companies can fall short in addressing data security responsibilities (and also how customary due diligence can fail to uncover these critical shortfalls).
- The board’s involvement in, and understanding of, the company’s data security protocols and recent incidents can serve as a litmus test of a company’s cybersecurity risk. Buyers must understand that cybersecurity issues are not IT issues; they are core business issues that the board and C-level management must treat seriously or suffer operational consequences.
- Relatedly, a buyer must diligence the company’s internal cyberawareness and communication practices, and ensure that employees report data security incidents “up the chain,” including to the board. Yahoo’s blunders during the Verizon deal could have been avoided had its legal and IT teams properly reported the 2014 security incident when they discovered it, and buyers should smoke out any risk that the seller may have similar reporting breakdowns.
- Cybersecurity diligence should be conducted early, as many companies may be reluctant to disclose such issues (or may not be aware of them). Moreover, cybersecurity weaknesses may not be readily apparent.
Aside from its troubles with Verizon during the acquisition, Yahoo faced consequences from its mishandling of the security breaches from government agencies and private litigants. Following the breaches, both the FBI and the Senate investigated Yahoo. This year, Yahoo agreed to a proposed $80 million settlement for a securities fraud class action, and a $35 million settlement with the SEC, both related to lack of public disclosure regarding its security incidents. The SEC settlement follows the SEC’s February 2018 interpretive guidance on public company cybersecurity disclosures, which many view as evidence of the commission’s increasing focus on data security since its original October 2011 cybersecurity guidance.
Due diligence may also help a buyer avoid the kind of consequences imposed in recent FTC settlements, which have required companies with cybersecurity failures to implement comprehensive overhauls of their privacy and security programs and to submit to regular independent audits for up to 20 years, in addition to monetary penalties. In many cases, the costs of two decades of regulatory scrutiny outweigh any one-time fine.
Finally, cybersecurity blunders take a toll on a company’s market value. Studies by Comparitech and the Ponemon Institute indicate that shares of companies that suffer a breach typically drop between 0.5 percent and 5 percent immediately following announcement of the breach, and over time tend to underperform when compared against the broader market (e.g., the stocks analyzed by Comparitech underperformed the NASDAQ by an average of 7.33 percent per year after the breach announcement, and 41.6 percent after three years). Ponemon’s study found that 31 percent of customers surveyed terminated their relationship with organizations that notified them of data breaches, and 65 percent lost trust in such organizations. Beyond impacts on value, revenue and potential shareholder derivative suits, the operational consequences can be costly as well: following Target’s 2013 data breach (after which its stock price dropped 11 percent and profit dropped 46 percent during the subsequent quarter), it invested over $100 million in data security improvements such as chip-card implementation and another $61 million in other breach-related expenses.
Cybersecurity Diligence Priorities
As illustrated by the Yahoo acquisition, cybersecurity diligence is a critical component of every deal. A buyer’s diligence process should be structured to assess the following:
- What types of digital assets does the company collect, use, transmit and store?
- Does the target take appropriate measures to collect only the minimum sensitive data it needs and protect data in storage and transit? “Appropriateness” depends on the value of data and its importance to the company’s business. Appropriate measures include an established cybersecurity policy, employee education, awareness and training, appointment of an individual accountable for cybersecurity, regular reporting (including to management by the board’s audit committee), and access controls such as encryption. Policies should be updated annually.
- Does the company have a sufficient plan to uncover and respond to security breaches (e.g., an “incident response plan”) and have a person designated to take responsibility for them? Has the company tested its plan through a tabletop exercise?
- Has the company experienced data security incidents in the past? If so, were vulnerabilities remediated?
- Does the company conduct regular assessments of cybersecurity weaknesses and is it committed to making cybersecurity a priority, even at the management and board level? Are such assessments conducted using a third-party, objective process?
- Does the target take appropriate steps to comply with its legal cybersecurity obligations (e.g., state statutes and national regulations, such as the GDPR) or industry-imposed standards (e.g., health care, financial services)?
- Has the company notified governmental agencies about any cyberincidents (such as letters to state attorneys general or the filing of suspicious activity reports with the Financial Crimes Enforcement Network)? Does the company’s policy contemplate providing such notices?
- Does the company share sensitive data with third parties, such as cloud vendors? If so, has the target included language requiring third-party cybersecurity compliance in its contracts?
Buyers should also supplement their diligence with tools available at the documentation stage, mitigating their risk through representations and warranties, indemnification provisions, and constructing appropriate baskets and caps. After closing, the buyer should prioritize investment in compliance and manage risk through cyberliability insurance.
Closing Points
As data breaches and subsequent lawsuits increase, and as data collection and digital assets become ubiquitous components of all companies’ businesses, so too should diligence into a target’s protections for those valuable digital assets. Increasing regulatory scrutiny only magnifies that point, and assessing the target’s legal compliance adds yet another priority that buyers must examine during their deal-making processes. Perhaps the most important lesson buyers can take from the Yahoo acquisition is that they rely on the seller’s internal cybersecurity procedures at their own risk. In kicking the tires on a potential target, the buyer must ask all the right questions to reduce its own risk. If not, post-acquisition compliance issues will contaminate the combined enterprise.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.