Latest Thinking | Cyber Security and M&A

Key due diligence enquiries

Cyber security has historically been neglected as a discrete diligence area in M&A transactions. However, with recent cyber attacks showing that the stakes are high and vulnerability is widespread, cyber security risk is now a key risk area requiring detailed examination.

Failure to properly assess cyber security issues within the context of an acquisition can be costly. A cyber attack can interrupt a target’s operations, inflict financial and legal damage as well as cause serious reputational harm.

In May 2018 the General Data Protection Regulation (the "GDPR") will come into effect, introducing significantly higher regulatory fines for data breach. The maximum fine under the GDPR is the higher of EUR 20,000,000 or 4% of worldwide annual turnover for an “undertaking”. Whilst we need to see how the courts interpret this, it is possible that the courts could adopt anti-trust legal analysis with the effect that, depending on the corporate and operational structure of a private equity fund, the fines could attach to the funds themselves when the financial investor exercises decisive influence over the infringing companies. Accordingly, the need to make appropriate enquiries as part of a due diligence exercise is even more important.

A potential buyer’s cyber security enquiries should include making the following enquiries:
  • Identifying the target’s key data and IP and likely impact of a cyber security breach.
  • Determining whether management is fully engaged on the issue? For example, has a cyber security team been assembled; does it include forensics/technologists?
  • Does the board receive regular reports on cyber security?
  • Reviewing information security and data protection policies.
  • Asking whether data security training is provided to employees to assess organisational awareness of cyber risk?
  • Identifying the existence of an incident response plan which covers the steps/processes to be followed in the event of a breach. If one has not been adopted this may be a red flag, particularly if the business is data heavy (e.g. an online B2C business).
  • Reviewing agreements with vendors/subcontractors to which IT infrastructure and/or data processing has been outsourced. Remember that the target’s standard of data security is materially affected by any such third parties and relevant agreements should contain appropriate contractual data security obligations.
  • Identifying if the target adheres to any information security standards such as PCI DSS and/or ISO27001.
  • Seeing whether the target periodically tests its cyber defences, for example, by means of penetration testing or cyber war games?
  • Understanding whether the target has experienced a data breach historically, and, if so, whether the breach has been notified to regulators, and whether there are any known vulnerabilities in the target’s IT infrastructure?
  • Examine the target’s compliance history with data protection laws and identify whether a regulator, such as the UK Information Commissioner’s Office, has undertaken any investigation or imposed any sanctions. In addition, investigate any privacy related claims, noting that in some businesses (such as retail), a few low level claims/complaints by customers may not be wholly unusual.
  • Establish whether the target has cyber insurance in place and whether this will be affected by the transaction. Does it cover the true cost of a breach e.g. cost of PRs/communications experts, cost of product changes etc.? Consider if there are any factors which might restrict the availability of cyber insurance to the purchaser.
  • Assessing the target’s cyber security health against its competitors/others in its sector/geography.
If you would like further guidance on cyber security or GDPR please contact me.
Barry Fishley, Editor.