Theoretically, when a company is for sale, its potential buyer carries out a preliminary investigation phase to ensure that the company, as advertised in its published documents, is the same in reality. This is otherwise known as due diligence.
This can take different forms; the following aspects are usually examined:
- Finance and accounting (auditing, personnel inventory, balance sheet and profit and loss accounts analysis, forecasted business activity, etc.)
- Legal (company statutes, proceedings in process, patent and intellectual property ownership…)
- Strategy (competitor identification, company strengths, distribution channels, etc.)
Although current affairs and news offer plentiful examples of companies that have been impacted by cyberattacks, the issue of cybersecurity is all too often overlooked with regards to mergers and acquisitions.
But mindsets are evolving: in a recent survey conducted by Freshfields Bruckhaus Deringer, specialists in corporate law, 90% of respondents considered that a confirmed cyber-attack could lead to revise the acquisition cost downwards, and 83% of them thought that an attack during the due diligence phase could simply lead to abandon the deal.
Still, the cyber risk is real: as soon as two IT environments are interconnected, the resulting environment often inherits de facto the lowest level of security of the two. Besides, a merger or acquisition can highlight possible compliance gaps, in a context of increasing scrutiny by regulators all over the world.
Is cyber-risk assessment the next pillar of M&A?
Increasingly aware of this risk, companies progressively integrate the notion of “cyber risk” into their reconciliation strategies. The objective is, in principle, simple: to understand whether the merger of two companies, and thus the likely merger of their Information Systems, increases cyber risk.
There is, however, a major difference between standard due diligence and its cybersecurity equivalent. While accounting and legal regulations are clearly understood and shared at the international level, there is as yet no equivalent in the cybersecurity world. Standards are multiplying (by system type, data to protect, industry, country…), but they only remain good practice references which indicate how to properly implement considerations around cybersecurity – not if they actually were implemented properly. There are some notable exceptions, such as PCI-DSS (protection of credit card data) certified environments, or classified, Defense-type environments. These examples, however, are specific, with very restricted scopes.
For the purchaser, acting in good faith and being unaware of security breaches will do nothing to prevent cyberattacks: in cyber risk, we not only endorse responsibility, but directly the risk itself!
In the same manner, it is neither easy (yet, nor impossible) for a company to ensure that its cyber security is “good”. Managing the Information System in line with today’s best practices does not guarantee that its weaknesses will not be exploited tomorrow.
An M&A context is not the only context of interest for examining the IS security aspects through cyber due diligence. For several years, large international insurers have launched their cyber-insurance offers. In this context, they legitimately seek to know the level of information security of companies for which they will provide insurance. At the minimum, insurers seek to know what general level of cyber-risk they will have to cover. Thus, by upstreaming this type of underwriting, cyber-insurers are now supported by IT security experts, whose role it is to carry out due diligence at a fairly high level.
What approach should be taken for cybersecurity due diligence ?
What is security due diligence? It is neither an innovative technology nor a revolutionary method; rather it refers to the balanced and targeted use of different information security tools.
Several approaches are possible:
- A “comprehensive” approach, consisting of both a theoretical and organizational analysis of security, supplemented by penetration tests to gain a vision as closely aligned to reality as possible. This approach, ideal in essence, is often used in the case of start-up buyouts. However, it is almost never used in larger deals, for reasons relating to both cost and a lack of time.
- An “interview” approach, which involves an evaluation of the situation in relation to a known and adapted reference framework during exchanges with security managers at the company in question. The limitation of this approach is that it is based only on statements and declarations. As such, it does not provide any proof of for what is being put forward. Led by a seasoned expert in this activity, this approach nonetheless facilitates a general view of the type of security practices that have been implemented.
- A “questionnaire” approach is offered as a matter of dealing with answers to a series of questions, usually with multiple choice answers. Beyond the lack of depth of such an approach, its outcome strongly depends on the respondents of the questionnaire, and the manner in which the questionnaire is used. Unfortunately, it is often the case that it is barely read or referenced.
Irrespective of the chosen approach, it can be rolled-out at two stages: an initial analysis to provide knowledge and understanding of the security risks, which must feed directly into the “go / nogo” considerations behind the deal. A possible second step involves more detailed analysis for a more precise evaluation of risk(s) in order to determine the corrective actions.
Cyber due diligence as an input for valuation
Whether it is for acquiring a company or assessing the risk taken by cyber insurers, due diligence must serve as a platform for encouraging further reflection on the feasibility of a deal.
It must also constitute an element of added value for the company, to the extent that conforming to and respecting market best practices can prove to be costly.
Finally, cyber due diligence helps to identify the regulatory aspects that must be respected, such as laws affecting Critical Information Infrastructures (USA PCII Program, China’s Cyber Security Law, France’s “LPM”, Singapore’s upcoming New Cybersecurity Act…) and which may require a certain number of adaptations foreseen on the Information System of the company for sale, and / or the purchaser.
Have we ever seen a cybersecurity due diligence lead to the abandonment of a company purchase? Not publicly. We rather witness the rapid correction of the most serious identified vulnerabilities, or sometimes a decision to not connect certain components of the Information Systems.
Will cybersecurity due diligence have any real impact on transactions? To this question, Verizon provided a response with a figure: in February 2017, the operator decreased its offer to purchase Yahoo by US$350 million. This corresponds to more than 7% of the value (US$4.8 billion) initially offered.
