Those who have lived through mergers understand they are an intensive period of highly focused and compressed effort for both the acquiring and the acquired company, and their teams. From the first confidentiality agreement through closing, a period often lasting months, a long list of due diligence and action items is constantly studied and checked off while additional items are added.
As the days tick down, it is easy to miss critical issues. One area that has traditionally received less than full attention is cyber risk. This is risky because any problem often rolls out after the deal closes. The problem could be a missed warning, a careless sharing of cyber liability, an unforeseen payments snafu, an unrevealed hack, or the use of legacy software that has security holes. Most merger agreements say that the information provided to the other party is true and correct at closing. To avoid a defense that the issue was not inquired of by the buyer, at least basic due diligence must be made to identify and quantify any cyber risk before closing a merger.
Some industries, like banking, carefully consider cyber risk in the acquisition of financial institutions. Regulatory approvals may depend on proving the risk has been studied. Cyber risk can impact pricing and reserves for liability, it can also weaken a stronger company post-closing. The same concerns may be true in a number of industries.
There are five areas for initial inquiry related to cyber risk for merger parties as to each other’s operation. These areas should be inquired of regardless of the industries involved.
UNDERSTANDING ALLOCATION & INDEMNITY OF RISKS
Many companies use outside technology vendors for a wide array of back-shop work. This is a weak link in cyber assessment for merger or acquisition. The computing, processing, payments, or other technology work almost certainly will be supported by an agreement, terms of engagement, or a referenced and adopted set of policies. These agreements are critical to liability assessments, especially for shifting of cyber risk. They must be reviewed.
Contract language matters in this area. There is a significant difference in cyber risk between assurances of limiting intrusion tied to a standard and promises of no intrusion at all. The buyer should determine the relative risks created by the language, the solvency of the third-party vendor to back promised risk retention, and understand any residual cyber risk. It is also important to understand the risks imposed by agreements for cloud computing, payments technology, and payroll processing. A related risk is that the vendor is not generally bound to assist transiting the company to the buyer’s systems at a known cost or schedule, or will not maintain the systems if operations remain separate. A review of the agreements should look for these issues.
A review of IT licensing is also necessary. At a minimum, lining up current systems with relevant contracts may find gaps or expired licensing.
KNOW AND UNDERSTAND EACH SUSPECTED INTRUSION
Known intrusions, even if resolved, are a must for early identification. If material, they should result in an escrow or defined as a reason to break up a deal. Computer crimes and cyber intrusion insurance should be identified and quantified.
Suspected and immaterial intrusions usually are frequently not disclosed in M&A transactions unless a specific inquiry is made. Financial statements may not identify intrusions, given that they may be explained away as immaterial and may not be in the notes to financial statements. Immaterial intrusions often are discounted as not being proven so as to require positive notification to the customer base. That assessment may be biased and may not be aligned with standards mandated by various states, the Federal Trade Commission, or others.
For example, what if last year a senior employee lost a laptop in a car theft? The first determination of materiality is whether the information on the laptop was encrypted or whether it was passcode protected. If the laptop was not protected, there is a definable risk that must be discussed and potential liability allocated. This is especially true if no or insufficient notification was given to customers or applicable agencies.
Some regulated industries are encouraged to self-assess as to liability or risk areas and are rewarded by limitations on assessment of fines, penalties and other negative aspects of the assessment if the organization has promptly instituted reasonable changes. The cyber risk assessment area often is one of those encouraged risk-assessment areas. Self-assessments are also valuable windows into the safety, security, and efficacy of the company’s cyber and security controls. Reviewing self-assessments is a vital element of any M&A due-diligence inquiry because they are a wealth of information regarding the cyber health of the parties.
PAYROLL, HR, 401(K), AND HEALTH-CARE INFORMATION
Often overlooked in due diligence is the cyber risk associated with payroll, HR records, 401(k) administration, HSAs, and medical insurance. Third-party vendors are often involved in this area. Acquire the agreements related to these services and conduct a review of the security and confidentiality of this data, the vendor providing the service, and the vendor maintaining historical records. An analysis should be made of any intrusion liability, given that critical, sensitive data regarding employees is involved.
THE M&A TEAM
The buyer and its attorneys could be a serious cyber risk on a merger deal. By digging around in the most sensitive areas of a company, e-mailing sensitive information, or allowing data-room access to sensitive files, it is vitally important that the merger team lock down confidentiality, access, and intrusion risks relating to all data. Access should be limited to team members and constantly monitored with entry logs or similar summaries. Warnings should be given relating to proper use of the data. Merger data should be subject to a zero-tolerance standard of protection and properly walled off, access to which is highly controlled.