The Importance of Cybersecurity Due Diligence in M&A Transactions

Most enterprises today are almost totally dependent on digital data and network systems. Virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders in the event of a security breach.
Accordingly, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.
As recent security incidents have made clear, intruders can operate from anywhere in the world, and by stealing, changing, or destroying critical corporate information, or exploiting access to a company’s systems to harm and disrupt its operations, they have been able to inflict significant damage on numerous businesses. No enterprise is immune from cyberattacks; none are impregnable. Virtually all enterprises have been breached and have had at least some of their sensitive information compromised.
In FY 2006, federal agencies reported 5,503 information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). In FY 2014, the reported incidents totaled 67,168—an increase of 1,121 percent. Given that corporations are loathe to report cybersecurity breaches and may not detect successful incidents, the number of reported incidents probably represents only the “tip of the iceberg” of cyber attacks and intrusions.
Over the past three years, the consequences to organizations affected by such security breaches have been significant, and in some cases near catastrophic. One need only consider the injury suffered by organizations such as Target, Home Depot, Sony, and Yahoo!, or to victims of the recent “Petya” ransomware attacks such as Federal Express, DLA Piper, and A.P. Moller Maersk to realize the significance of such events.
It should be critically important to a prospective acquirer of a target enterprise to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack. Equally important, an acquirer must know if the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporation information and IP assets. Otherwise, the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers. In short, it will not comprehend the potentially devalued nature of the assets it is acquiring, nor the magnitude of liabilities it may incur at closing.
Cyber Threats to M&A Deals
M&A practice may at times overlook the significance of the cybersecurity risks facing target enterprises, including the risk that cyber attacks could already be devaluing the digital assets of a target without the target’s awareness and without the acquirer’s knowledge. By December 2014, such risks had become widely reported, as demonstrated by the following bleak recap by Nicole Perlroth in The New York Times:
In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers, and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. . . . But the value [of stolen credit cards during this period] . . . which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of the United States corporations, universities and research groups by hackers in China—so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. . . . Most large organizations have come to the painful recognition that they are already in some state of break-in today.
Most recently, numerous businesses, organizations, and governments found their digital data imperiled by a world-wide dispersal of two waves of malware. The first wave, a ransomware attack dubbed “WannaCry,” began on May 12, 2017. Globally, it infected “230,000 computers in 48 hours,” locking down the computers it infected, and encrypting and rendering inaccessible all of their stored data. The WannaCry worm caused kinetic effects—“paralyzing hospitals, disrupting transport networks, and immobilizing businesses.” WannaCry should make people treat cyber-crime seriously, The Economist, May 20, 2017.
The second wave of malware, called “Petya,” began on June 27, 2017, and severely disrupted operations of “some of the world’s largest companies, including WPP, Roseneft, Merck, . . . AP Moller-Maersk[,] . . . Saint-Bob