Cyber Security and Data Protection Due Diligence in Mergers and Acquisitions

During the merger or acquisition of a company, the investigative and due diligence stage is pivotal. It helps identify potential risks and opportunities that demand careful consideration and can make or break the deal.

Companies also need to be mindful of the amount of personal data involved in M&A deals. Sensitive data could include things like IP addresses and resumes, as well as work contracts, conflict details, and deals with suppliers.

If there's a data breach or cyberattack, it could mess up the deal, hurt smaller suppliers, and even shake up the global financial market. This happened to Yahoo which got hacked, and 3 billion accounts were compromised. This led Verizon to drop a $350 million deal to buy Yahoo. 

The Importance of Due Diligence When Analysing Data Privacy and Cyber Security in M&A Deals

Ultimately, privacy and cybersecurity risks can seriously affect the value of a company. If a business has weak security measures with outdated software and systems, they may likely be vulnerable to cyber attacks or data breaches. These can not only affect relationships with customers, suppliers and employees, but they can also cause financial losses, reputational damage and legal penalties. 

In M&A deals, it's crucial to think about data security and privacy right from the start, not as an afterthought. If the correct due diligence procedures aren’t followed at the investigation stage of an M&A deal and there is a security breach later down the road due to gaps in cybersecurity protection or insurance for instance, this could result in huge losses.  

Businesses should check the data breach history of their potential partners to understand where data has been compromised or breached before. This may indicate whether there are weaknesses in an organisation or where systems may be targeted again in the future. If there has been a cyber attack or data breach, it’s important to understand how it was resolved and whether the business put any measures or controls in place to make sure it doesn’t happen again.

In 2016, Verizon's acquisition of Yahoo was subject to a $350 million decrease in price due to data breaches that had been found prior to the acquisition. The Office of the Privacy Commissioner of Canada (OPC) then looked into the buyer for neglecting to resolve an earlier data breach that occurred in the target company's systems back in 2014, as documented in Personal Information Protection and Electronic Documents Act (PIPEDA) Findings #2022-005.

It wasn't until 2018 that the hack was discovered, exposing up to 339 million pieces of data. The UK ICO suggested a punishment of €99 million, which was ultimately cut to €18.4 million, for the buyer's lack of due diligence throughout the purchase. Similar to the ICO's conclusions, the OPC's 2022 study emphasised the necessity of enhanced monitoring, controls over authentication, and continuous security evaluations.

3 Key Steps to Cybersecurity Due Diligence

The significance of conducting thorough cyber due diligence cannot be overstated. The primary goal of this process is to pinpoint any potential risks that could directly impact the parties involved in the transaction. Notably, the landscape of cyber risks varies across different sectors. As a result, the level of due diligence required may vary for different acquisition targets, with some needing more in-depth assessments than others.

The depth of cyber due diligence becomes particularly crucial when the acquisition target is expected to play a substantial role in day-to-day operations. Throughout the M&A lifecycle, a comprehensive due diligence process can prevent future cybersecurity complications by identifying and addressing potential risks before the deal is finalised.

To effectively conduct cyber due diligence during the M&A phase, a risk-based approach is essential. Here are three key steps to follow:

1. Identify risks

Develop a data map that reveals the extent of the target company's data, its storage locations, and transfer mechanisms. This inventory helps identify potential data security risks, allowing organisations to address them proactively.

2. Cybersecurity Risk Assessments

Examine internal and external cybersecurity assessments of the target organisation to gain insight into its risk posture. Request copies of recent evaluations conducted either internally or by third-party auditors. Assess how the target organisation responded to identified risks and inquire about ongoing security monitoring programs.

3. Test

Establish an integration strategy before completing the deal to ensure a secure transition. In the absence of effective protocols, converging network systems during integration can create vulnerabilities that cybercriminals may exploit. It is crucial to test network compatibility, a responsibility typically undertaken by the Chief Information Officer (CIO) or Chief Information Security Officer (CISO). If these roles are absent, third-party vendors can perform the necessary evaluations.

By adhering to these steps, organisations can navigate the complexities of cyber due diligence, reducing the risk of data breaches and ensuring a more secure and successful merger or acquisition.

What to Look Out for in the Due Diligence Process

When conducting due diligence before a merger or acquisition, it's crucial to ask specific questions to gain a comprehensive understanding of the target organisation's cybersecurity position. 

Track record

Start by examining the target's cybersecurity track record, delving into past incidents, regulatory fines, and data breaches. Evaluate the effectiveness of current security controls, focusing on key risk areas such as security governance, usage of open-source software, cloud security, infrastructure, intellectual property protection, cyber resilience, HR-related concerns, compliance, regulatory adherence, and data privacy. 

Future Plans

Additionally, inquire about the organisation's readiness to adapt to the evolving threat landscape in the future and the efforts required to enhance its security posture if needed. These questions provide valuable insights into the target's cybersecurity resilience and help mitigate potential risks associated with the merger or acquisition.

Policies and practices 

Seek disclosure of the target's cybersecurity policies, risk assessments, and network security assessments, both internally conducted and those performed by external consultants or agents. 

Additionally, focus on understanding the target's approach to data privacy compliance, including policies and procedures for adherence to national or international regulatory frameworks like the GDPR, sector-specific requirements in industries like healthcare and financial services, and the implementation of best practices such as data inventory and governance programs. Inquire about board-level oversight of cybersecurity and data privacy programs.

Threats

Lastly, assess access to the target's personnel responsible for cybersecurity and breach responses, evaluating their readiness to address internal and external threats in alignment with the company's business model. Consider the potential need for forensic experts to conduct assessments of network security or compare network files with backup files, adding a layer of scrutiny to ensure a robust cybersecurity foundation for the impending merger or acquisition.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.