So your business has been hacked... What’s the damage? What are the risks? And how can cyber security due diligence help?
What’s the damage?
A couple of email addresses, some dates of birth and a few telephone numbers may have ended up in the wrong hands. But some of that information is probably public anyway – these days, people live their whole lives online.
Why does it matter and should you really care?
Yahoo has 1 billion reasons to care.
Earlier this year, Yahoo agreed to sell its core web businesses to Verizon for just under $5 billion. However, after Yahoo disclosed in September that it had suffered what it claimed was a state-sponsored data security breach, Verizon is reportedly looking to reduce the purchase price by $1 billion.
Yahoo revealed that personal information such as names, email addresses, telephone numbers, dates of birth, encrypted passwords and security questions/answers of at least 500 million user accounts worldwide had been stolen from its network in late 2014. As recently as early September, Yahoo claimed in a filing with the Securities and Exchange Commission that it did not know of any incidents of unauthorised access of customers’ personal data that could have a ‘material adverse effect’ on Verizon’s proposed acquisition.
Now questions are being asked about whether this representation was accurate, why it took Yahoo two years to notify affected users of the massive data breach and what the impact on the transaction with Verizon will be.
The legal, financial and reputational risks – a boardroom perspective
The legal, financial and reputational risks involved in these sorts of large scale data security incidents are firmly on the agendas of boardrooms around the world.
A recent Mergermarket report, Testing the Defenses: Cybersecurity Due Diligence in M&A, highlights an IBM survey which found that the average cost of a data breach in the United States in 2015 reached US$3.79 million, an increase of 7.6% from 2014.
Given the ever increasing risks in this area, companies are asking themselves how they can reassure boards and shareholders that what appears to be an attractive takeover target won’t end up being a poisoned chalice.
While Mergermarket reported that in the majority of cases cyber security issues alone were not enough to cause buyers to walk away from a deal, deal timelines and deal value can be significantly affected by them. 80% of respondents to the Mergermarket survey considered cyber security issues ‘highly important’ in due diligence (with the remainder considering them ‘somewhat important’).
What are the top 5 ways that cyber security due diligence can help?
1. Purchase price
It allows you to factor future compliance costs into the purchase price – most targets can be expected to have some IT and data management compliance issues. However, a comprehensive assessment of the target’s IT operations and security processes can allow you to accurately factor the cost and time of system fixes, process upgrades and additional compliance training into the purchase price, so that you have funds available to address these issues after completing the transaction.
2. Negotiation power
It allows you to negotiate appropriate protections into the purchase agreement – in order to negotiate suitable warranty protections and liability caps you need to have a clear understanding of the nature and scale of any potential compliance issues. These contractual protections are critical in order to ensure you have suitable recourse and are properly covered for any resulting costs of regulatory fines and penalties as well as costs associated with notifying customers, managing complaints, and rectifying and strengthening IT systems.
3. Transaction insurance
It informs your decision about transaction insurance (and appropriate coverage limits) – with warranty and indemnity insurance becoming an increasingly common fixture of M&A deals, it can be used as a backup to protections obtained through transaction documents. 63% of respondents to Mergermarket’s survey considered that insurance was among the most important protections in mitigating data security risk.
4. Risk management
It may provide valuable insights into the target’s overall approach to risk management – poor cyber security processes may highlight more widespread governance issues. As one of the respondents to the Mergermarket survey observed, if basic data security policies don’t exist or aren’t enforced, what other problems might there be? Again, compliance concerns should be addressed through warranties and the associated liability regime.
5. Future compliance
It allows you to proactively plan future compliance process improvements – this is especially important given increasing regulation worldwide around data security incidents, including in Australia. Despite its progress being interrupted by the recent federal election, the Privacy Amendment (Notifiable Data Breaches) Bill that would bring in mandatory data breach notification is back on the agenda for the 2016 spring sitting.
In its most recent form, the bill requires companies that suffer a data breach and lose personal details to notify the market if the breach poses a ‘real risk of serious harm’ to the relevant individual (find our previous insights on the bill here). The Government reportedly hopes to pass the bill by the end of this year. Yahoo’s disclosure has reignited calls for similar legislation to be introduced at a federal level in the United States. Mandatory breach reporting requirements already exist in a number of other jurisdictions around the world.
For more information, see our previous article about the value of cyber security due diligence in M&A transactions.
What if you discover a security breach in a target company?
If you’re a buyer and cyber security due diligence reveals that the target has suffered a security breach in the past, not all is lost (though you should certainly ask further questions in order to assess whether appropriate remedial action was taken to address the breach).
In fact, Mergermarket’s report suggests that experience in resolving cyber security issues may even make the target more resilient and improve its ability to manage and mitigate cyber security risks going forward.
Back to Verizon and Yahoo…
So, what might Verizon do with the $1 billion it wants to recoup from the Yahoo deal?
Unfortunately, they might not have that cash for long – Verizon is reportedly considering putting the entire amount in reserve to cover potential liabilities resulting from the hack, including from class action lawsuits.