Cyber Security Due Diligence for Mergers and Acquisitions:
Minimizing and Mitigating Risks
Presented by:
Imran Ahmad – Partner, Miller Thomson Law
Iain Paterson – Managing Director, Cycura Inc.
Key Considerations
Due Diligence
• Cybersecurity risk management
• Review insurance (cyber-specific), employee policies & training, corporate policies
• Any previous breaches, or pending regulatory action (review all jurisdictions in which target operates)
Purchase Agreement Provisions
• Representations and warranties
• Purchase price adjustments, indemnities
Due Diligence
• Risk analysis should be tailored to facts; some factors to consider:
Background
• How important data is to the company’s business, and how it is being protected; ask direct, but open-ended, questions & tailor due diligence based on concerns
• Track record: past breaches, and the company’s response; exposure to lawsuits or regulatory action
Physical/Technical Security
• Encryption, firewalls, internal network monitoring
• Use subject matter experts on deal team
• Physical access to locations/computers
Corporate Policies & Governance
• Employment contracts & confidentiality/non-disclosure agreements, employee training & policies
• Centralized cybersecurity department, risk awareness at CEO/board level
• Supply chain (e.g. third-party suppliers’ technology and policies)
Disaster Recovery/Backup Procedures
• Data backups, backup policies
Due Diligence
• A tiered approach to diligence and review
Level 1 – 5 days
• Assess the current state of cyber incident readiness via review of policies, response plans and corporate standards
• Identify risks related to data protection, information security and security operations
Level 2 – 5 Days (Plus Level 1)
• Technical testing of security controls to identify vulnerabilities and risks
• Validation of protection from external cyber attacks
Level 3 – 5+ Days (Plus Level 1)
• Review of customized applications and source code
• Assessment of technical security for internal systems and networks
• Forensic review of breach indicators
Intellectual Asset Identification
• Categorize, evaluate, and use technology and intelligence gathering to verify the sanctity and integrity of valuable IP
Intellectual Assets
• Data or Intellectual Property deemed valuable to a buyer
Customer Databases
• The most commonly stolen and “leaked” or sold asset during a cyber attack.
• Loss of trust/reputation devalues brand
Proprietary Designs, Processes or Technology
• In many instances can be the main source of value in an organization (e.g. engineering)
• Corporate Espionage Target
Internal Corporate Data
• Sensitive operational information (emails, contracts, etc.).
• Can be embarrassing, or possibly expose internal issues.
“Digital Assets”
• Web properties, portals, services, domains and other digital footprint the business owns.
• Source of competitive advantage.
• Most frequent hacking targets.
Benefits and Outcomes
• Understand the current risk and security capabilities of your target acquisition
• Identify any existing or previous breaches that may devalue intellectual property
• Develop advanced plans for a secure merger of technology, processes and systems
• Reduce your overall risk and exposure during the M&A process
Purchase Agreement: Representations & Warranties
Representations & Warranties
• Reps and warranties should complement the due diligence findings for buyer
• Seller has taken industry-standard measures to protect data (NIST, CSC, ISO, etc.)
• Ensure data handling and security policies are in place
• Business has been operated in accordance with applicable laws, including privacy laws (for each jurisdiction the target operates in)
• Can reduce the potential liability for seller via disclosure
• Limit by materiality thresholds or knowledge requirements
• Identify correct individuals for knowledge requirements
Purchase Agreement: Representations & Warranties
Representations & Warranties
• Each side should consider obtaining independent expert advice early on in the process
• Cybersecurity consultants (e.g. forensics, pen testers, etc.)
• Privilege issues
• Clearly define materiality threshold in agreement, so as to avoid debate after the fact if there is an incident
Example of a Stock Purchase Agreement (1): Yahoo! Inc. and Verizon Communications Inc.
2.16(o)
To the Knowledge of Seller, Seller and the Business Subsidiaries have implemented and maintain organizational, physical, administrative, and technical measures applicable to Personal Data that are reasonably consistent with (i) reasonable practices in the industry in which Seller and the Business Subsidiaries operate, (ii) any existing and currently effective written contractual commitment made by Seller or the Business Subsidiaries that is applicable to Personal Data, and (iii) any written public-facing policy adopted by Seller or the Business Subsidiaries related to privacy, information security or data security […].
Example of a Stock Purchase Agreement (2): Yahoo! Inc. and Verizon Communications Inc.
2.16(p)
To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller’s or the Business Subsidiaries’ possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect.
Purchase Agreement: Price & Indemnities
Price & Price Adjustments
• Attempt to price in risk initially (but this is not always possible)
• For private transactions, can provide for post-closing adjustment
Indemnities
• Which parties the indemnity should apply to (directors, agents)
• Carve-out a separate basket for cybersecurity (separate from general indemnity claims)
• Length of time representations and warranties apply post-closing
• Notice requirements to indemnifying party (of breach, or legal action)
Other Matters
Insurance
• Specific insurance coverage for cyber-related risk
• To cover costs associated with data breaches, such as crisis management expenses relating to compliance with post-breach notification requirements
• Other costs could include: legal, communications, forensic advisors; benefits such as credit repair and monitoring; government fines
Increased Risks
• In M&A context, increased attention after deal announcement can result in additional attacks
• Both during negotiation process and during integration period afterwards
Key Takeaways
• Cyber due diligence is going to be the new norm
• Given digitalization of assets, cyber due diligence matters for both buyer and seller
– Buyer: doesn’t want to buy a “lemon”
– Seller: doesn’t want to give buyer a discount
• Get counsel involved to conduct diligence for legal privilege purposes
• Get cybersecurity experts to conduct technical due diligence