Cybersecurity is an important consideration when acquiring a business
As you prepare to grow your business through acquisition, there are a multitude of issues to consider, from the technical integration of systems to the potential culture clash between your employees and the target’s personnel. While some of these issues will not be addressed until the post-merger integration, by focusing your efforts on the business and legal due diligence prior to the acquisition, you can familiarize yourself with the target and flag potential issues that need additional attention to allow for a smoother transition.
One often overlooked or minimized area of due diligence is the target’s cybersecurity plan and integration. A poor cybersecurity posture substantially increases the likelihood of a cybersecurity incident, such as a ransomware attack or a business email compromise, which has economic, operational, and regulatory implications. A business may be legally required to notify business partners, consumers, employees, and regulators of actual or suspected data compromises, thus triggering litigation, government investigations, and fines and penalties. Business partners and consumers may also terminate relationships with a business, and a business’ brand may be damaged as a result of a cybersecurity incident. An insurance carrier may raise premiums and deductibles or completely decline to insure a business against future cybersecurity incidents. Many of these reputational costs will be difficult to quantify if you attempt to seek indemnification for a breach found post-closing. As such, a business should inquire into a target’s cybersecurity posture as early as possible in the due diligence process. The key issues to raise include:
1. What technical controls does the target have in place to protect its data and computer systems?
Cybersecurity incidents often occur as a result of a business’ failure to implement appropriate technical controls for data and computer systems. This includes failing to implement:
- Endpoint monitoring, an anti-virus-like software that uses artificial intelligence to detect and contain security threats.
- Multifactor authentication, a technology that requires users to enter a secret PIN or use a cell phone (in addition to an ordinary password) to authorize logins to a computer or email account.
- System patches, or remediation of known computer security vulnerabilities that are periodically discovered by security experts and exploited by hackers.
- Phishing alerts, or email headers that notify employees of potentially malicious emails that contain malware or try to compromise email credentials.
- Appropriate supervision of third-party vendors who have access to a business’ network and data.
While these safeguards are not foolproof, they do minimize security risks when used appropriately. Buyers should obtain assurances that these safeguards are in place at the target or insist that they be implemented prior to completing the transaction.
2. Does the target have adequate written security policies and procedures in place?
Many regulators expect businesses to prepare and adhere to adequate, compliant, and up-to-date written policies and procedures governing the security and privacy of sensitive data and information technology systems. These include:
- Written Information Security Program (WISP), an internal written policy that governs how a business maintains, secures, and disposes of sensitive data, trains employees on information security, and remediates information security risks.
- Incident Response Plan (IRP), an internal written policy that governs how a business is to respond to actual or suspected cybersecurity incidents.
- Bring Your Own Device (BYOD) Policy, an internal written policy that governs how a business mitigates risks associated with employee-owned smartphones, tablets, laptops, and other devices that are used for both work and personal purposes.
- Remote Work Policy, an internal written policy that governs information security practices for employees and vendors working from home or other off-site locations.
Regulators typically discover deficiencies in information security policies and procedures when businesses notify regulators of cybersecurity incidents and must respond to government investigations into why the businesses failed to prevent the intrusions. Having adequate policies and procedures in place evidences compliance with laws governing information security standards.
3. Does the target adequately train employees to recognize and properly respond to cybersecurity threats?
Cybersecurity incidents often occur when employees mistakenly download malware from emails or the Internet, disclose their credentials in response to phishing emails, fail to implement security patches and updates, or set security configurations in ways that allow cybercriminals a foothold into computer networks. All of these mistakes can be prevented through continuous employee training, and yet many businesses fail to implement even basic training. A buyer should ask the target how it trains employees on cybersecurity risks and take care to re-train employees from acquired businesses on cybersecurity best practices.
4. Has the target previously experienced a cybersecurity incident? And if so, did the target learn and grow from the incident? If not, what will the target do to improve in the future?
Nearly every business will experience an actual or suspected cybersecurity incident in its lifetime. Discovering that a target has experienced a prior cybersecurity incident or that a target is not currently compliant with applicable privacy laws should not always be an immediate deal-breaker when buying a business. However, prior to completing the transaction, it is important to make sure that the target has taken or will take adequate precautions to prevent the incident’s recurrence, minimize potential liability associated with past incidents, and achieve full compliance with data privacy and cybersecurity law. This includes obeying strict data breach notification laws, omnibus consumer privacy laws, biometric information privacy laws, and cybersecurity incident contractual obligations, cooperating with regulatory investigations into cybersecurity incidents to the fullest extent of the law, defending and prosecuting cybersecurity litigation, revamping policies and procedures to prevent recurrence and comply with applicable cybersecurity standards, and training and re-training employees.
Buying a business is exciting, but the buyer should properly vet the target’s cybersecurity posture in order to make sure the new asset does not come with inordinate liability.
Attorneys from McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group and Mergers and Acquisitions Practice Group are available to counsel businesses in every industry on appropriate due diligence when buying new entities.