The need for cyber due diligence in a merger or acquisition is more relevant than ever.

On 9 July 2019, the UK Information Commissioner’s Office (ICO) announced that it would issue Marriott International with a £99 million fine for breach of European data protection law under the General Data Protection Regulation (GDPR). The fine relates to a breach of Starwood Hotels, one of Marriott International’s recent acquisitions. Over 500 million of its guests may have been affected. The ICO’s report says “Marriott failed to exercise sufficient diligence in the Starwood acquisition and should have done more to secure its systems”. This failure underscores the need for parent companies and investment firms to improve their management of the security and privacy risks associated with their acquisitions and subsidiaries, and to reckon with the sanctions that follow when they do not.

Mergers and acquisitions inevitably entail financial, legal and reputational risks. The Marriott case is one of many examples of problems identified after a transaction that could have been addressed with better due diligence. And in today’s global data economy, cyber due diligence must be an integral part of every business investment, just as common due diligence practices are standard today. Customer data is recognized as a powerful commodity by businesses and regulators worldwide. To successfully negotiate and close a deal, it is essential that the acquiring company understands the cyber risks it could inherit before and after an investment.

Including cyber security in the standard practice of reputational, financial and legal due diligence covers the full range of regulatory risks in a transaction. It also protects the investor from paying an excessive price, or from having to pay a large fine later on, for a risk that was not identified up front. Using this information during the negotiation phase helps companies put a cost on addressing identified vulnerabilities and bring that cost into price negotiations, especially when it is significant.

So how can cyber due diligence influence a negotiation and what steps need to be taken to make it right?

Cyber due diligence should now be as integral as other types of due diligence that were once seen as a significant advantage in a transaction. For example, before the UK Bribery Act (UKBA) or the Foreign Corrupt Practices Act (FCPA), anti-corruption checks were not systematically carried out as part of the transaction negotiation process, and the companies that skipped them did so at their own risk. Today, anti-corruption checks are a standard component of the merger and acquisition process. Since GDPR, China’s Cyber Security Act and other global data regulations are now firmly established and beginning to take effect, the same argument applies to carrying out cyber due diligence today.

So what is the obstacle to conducting cyber due diligence?

The problem is that it is often perceived as “someone else’s problem”, as something that can be resolved after the transaction, or as something that can be resolved under the radar of regulators or the public, in the hope of avoiding any reputational disclosure. If only that were the case!

A company that invests in or acquires another company must, should a breach later be discovered, be able to demonstrate to regulators that it conducted cyber due diligence prior to the transaction; otherwise it risks breaching regulatory requirements itself.

Positive lessons can be learned from examples such as 2016, when Verizon, a large U.S. telecommunications company, used the findings of its cyber due diligence on two Yahoo! data breaches. It negotiated a deal in which Yahoo! would remain responsible for liabilities arising from shareholder lawsuits and post-acquisition investigations.

Use Cyber Due Diligence to inform negotiations

Cyber due diligence, if carried out as a precaution before the transaction, can be an important negotiation tool. Careful due diligence prior to the transaction allowed Verizon to negotiate £281 million off the Yahoo! purchase price in light of a massive data breach. Cyber due diligence therefore serves as a negotiation tool whenever acquisition decision makers identify red flags during the due diligence process.

The results of cyber due diligence can also be used for benchmarking other acquisitions, which is helpful for companies that are rapidly expanding their portfolio. The same data can be applied to other targets in a portfolio to identify high-risk areas. Standardizing the results of cyber due diligence alongside the results of traditional due diligence practices enables investors to gain a holistic view of risk across an entire portfolio. Deal teams can also use the data to put the investor in the best possible position to negotiate the price and terms of an acquisition.

What should investors do?

Cyber due diligence prior to the transaction must be carried out by specialists with experience in cyber threat analysis. This could include assessing the external cyber threats to, and internal security maturity of, a target company, and/or determining the cost of remediating identified security vulnerabilities. The results of these assessments should be shared with the deal teams so that they can take calculated risks on the acquisition and ultimately influence the investment decision. To further manage cyber risk across an investor’s portfolio, post-transaction due diligence is a valuable tool for maintaining an ongoing investment health check. It can also help identify problems that are likely to arise from the evolving regulatory landscape.

Currently, data protection regulations such as GDPR are changing how companies conduct due diligence during a transaction. However, their requirements are limited to disclosure once a breach has occurred, and only when the personal data of EU citizens is affected. As security and privacy rules evolve, companies are expected to provide accurate information about the state of their systems proactively, rather than reactively once a breach has been detected. Target companies should take this into account too and evaluate their systems before negotiations as part of their overall sales preparation. Clarity about how identified vulnerabilities could impact the acquisition or investment, and about what action is being taken to address them, also avoids a standstill in the transaction process and guarantees the best possible price for the company.

But, of course, it goes without saying that companies should not wait for a merger or acquisition to verify their cyber security. As cyber security regulations continue to evolve and strengthen around the world, few organizations today are immune to the potentially significant reputational and financial impact that a data breach can have. Performing a regular assessment, at least annually, of your data processing activities and cyber security measures is part of running a well-managed business today.

If Cyber Security is not a regular discussion point in your management conversations, let Marriott’s experience be a lesson to you. Whether it’s an M&A transaction or not, it’s time to get your cyber security under control.

We can support you in this!