Recently, in the midst of an M&A transaction involving Verizon and Yahoo!, news broke of a Yahoo! cybersecurity breach that had occurred approximately two years earlier. This event raised a lot of speculation around what effect the breach may have on the deal, including by how much it might change the valuation of the transaction (with some commentators speculating in the multiple billions of dollars) and whether Verizon might try to walk away from the deal by invoking a clause which gives it the right to avoid closing the transaction if the purchased business suffers a “material adverse effect.” Regardless of the outcome, the Verizon/Yahoo! situation highlights the importance of cybersecurity diligence and data privacy and security provisions generally in M&A deals.
Historically, M&A due diligence focused on “traditional” risk areas such as tax, employment and benefits, intellectual property protection, and contracts (inbound and outbound). As technology advanced and software became a more significant if not the primary asset, due diligence evolved to include such things as software escrow (where a third party may have copies of a target’s source code) and open source software (where ownership of a company’s source code might be tainted by claims by the open source community) among other things. Specialists with substantive knowledge are now often brought in to perform detailed diligence in these technical areas.
Today, it has become apparent that cybersecurity has become one of the areas where substantive diligence should be conducted not just as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. In fact, according to the “Cybersecurity and the M&A Due Diligence Process – A 2016 NYSE Governance Services/Veracode Survey Report,” 85% of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.” In addition, 22% of those surveyed say that they would not acquire a company that had a high-profile data breach, while 52% said they would still go through with the transaction but only at a significantly reduced value. The Verizon/Yahoo! situation and the recent Telstra/Pacnet deal highlights the importance of cybersecurity diligence and the benefits of having carefully-worded contractual provisions to reflect the parties’ negotiated risk-allocation for cybersecurity breaches after a deal is signed.
Verizon/Yahoo! and Telstra/Pacnet
After a months-long bidding process, on July 25, 2016, Verizon announced that it would be acquiring Yahoo! for approximately $4.83B in cash. Less than two months later, on September 22, 2016, Yahoo! issued a press release disclosing that a recent investigation confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes was a state-sponsored actor. Shortly thereafter, newspaper headlines began appearing with titles such as “Verizon Puts Yahoo on Notice After Data Breach” (WSJ 10/13/2016) and “Verizon Sees Yahoo Data Breach as ‘Material’ to Takeover” (WSJ 10/13/2016). This raised the question of how the breach will affect the acquisition and whether Verizon will walk away from the announced deal or demand pricing (or other) concessions.
In another recent situation in which a cybersecurity breach plagued an M&A transaction, in April of 2015, Telstra, an Australia-based telecomm carrier had finalized its $697 million acquisition of Pacnet Limited, a managed service provider that provides data center and undersea cable services to Asia-Pacific corporations. Negotiations on the deal had begun as early as December 2014. In May of 2015 (weeks after the transaction closed), reports began surfacing that Pacnet’s corporate network had been compromised by unknown attackers who had gained full access to Pacnet’s enterprise networks and system as early as April 3, 2015. According to news reports, a Telstra representative stated, “[s]hortly after we completed the acquisition, we were advised that the corporate IT network of Pacnet – essentially the email and other business management systems – had been accessed by an unauthorized third party.” Telstra was not told about the hacking until almost two weeks after the deal was finalized, according to media reports. As a result, Telstra was reportedly considering legal action against the three investment management companies that owned Pacnet, on the theory that those companies allegedly knew about the cyberattack before closing but did not reveal the cyberattack until after the deal closed. While it appears that no such action has been taken, the incident demonstrates the potential litigation risks associated with data breaches in M&A.
Cybersecurity Due Diligence
So what is “cybersecurity due diligence”? To begin, it depends on from whose vantage point you are looking. If you are the acquirer (or aligned with the acquirer), you will want assurances that the target has taken appropriate steps to protect the data with which it has been entrusted. Such assurances, however, will differ depending on the nature of the business of the target. For example, if the target has a consumer facing website that collects significant amounts of personal information (including credit card numbers), some detailed scrutiny of the security practices of the target would be in order. On the other hand, if the target is a B2B service provider that doesn’t collect or store any personal information, a different type of scrutiny would be in order. Note, however, that the lack of personal information doesn’t mean that cybersecurity isn’t an issue. In fact, unauthorized access of trade secrets and confidential information can be an even greater liability in certain situations.
In light of this, the acquirer should consider the cybersecurity exposure that the acquisition of the target may impose. To determine such exposure, a variety of techniques could be used in performing a review of the target. An overall cyber risk assessment early in the process can provide a general idea of the general cyber maturity of the target. In addition to a diligence review of the target’s cyber documentation (e.g., security policy, incident response policy, access control policy, etc.) by the acquirer’s legal team, a well-developed cyber questionnaire could provide a decent perspective on the cyber aspects of the target’s operations. Such a questionnaire would be tailored to the target’s industry but could cover things such as where sensitive data (both customer/consumer information and trade secrets) is located, the complexity of the target’s computer network and liability exposure, the adequacy of the target’s policies and procedures (and associated enforcement) regarding data privacy and security including testing and corrective follow-up, the target’s reliance on third party service providers and the level of security controls in place to monitor those providers’ own policies and procedures, and the overall cybersecurity posture of the entity.
For a more formal analysis, a third party could be brought in by the acquirer’s legal team (in order to provide privilege protection) to do a deeper cyber dive. This could consist of a static analysis of the network defenses from inside the network to an active attempt to break into the network from the outside, which is known as a white hat hacker attack. In addition, there are a number of both internal and external cybersecurity assessment tools that can provide an ostensibly objective score and rating of the target. For software, a security audit could be performed as well as any number of analyses to reveal any coding issues that could lead to security vulnerabilities. Finally, compliance can play a role in assessing security. If the target has already gone through a formal industry audit, such as a payment card industry (PCI) audit, an ISO 27001 assessment, a SSAE 16 audit, or any other security compliance-related processes, the results can be examined to help evaluate any identified issues and the target’s overall security posture.
Addressing Cybersecurity Risks
If any of the above techniques reveal risks that the acquirer finds unacceptable, the acquirer may incorporate these risks in its valuation of the company or negotiate special remedies such as indemnification in the acquisition agreement to cover any “known” vulnerability. If cyber due diligence is on-going at the time of signing, provisions of the acquisition agreement may be negotiated to give the acquirer the ability to terminate the deal under certain circumstances. For example, the acquirer may request a diligence “out” related to unsatisfactory completion of its cybersecurity due diligence. If a serious cybersecurity breach occurs or is discovered between signing and closing, such as in the Verizon/Yahoo! situation, the acquirer might try to invoke the material adverse effect clause if the breach is bad enough. Typically, an acquisition agreement will provide that if the company experiences a material adverse effect or change in its business, operations, financial, or other condition before the closing — an “MAE” or “MAC” — the buyer would be able to avoid its obligation to close. It is very difficult to prove that an MAE has occurred. However, even if a condition does not rise to the level of a formal MAE, some buyers in prior deals involving different circumstances have successfully used the threat to invoke an MAE as leverage to renegotiate for better terms. To avoid this result, target companies often will negotiate to narrow the circumstances in which the buyer can claim that an MAE has occurred by narrowing the definition of MAE by negotiating exceptions or carve-outs in the definition. These typically would address material adverse effects or changes that are outside the target’s control, such as economic changes, industry-specific changes, changes in the stock market, war, terrorism or other hostilities. Some targets have requested an MAE exception for cyber-attacks on the same rationale that terrorism is often included among the list of exceptions.
A buyer may also request specific representations and warranties from the target regarding, among other things, the company’s compliance with its privacy and data protection policies as well as any governmental and non-governmental privacy legal requirements that are applicable to the company. In a private deal, these representations and warranties will form the basis for post-closing indemnification from the seller or target for damages due to breaches that occurred pre-closing. Targets and sellers will need to review these representations and warranties carefully to make sure that they can give them and to insert the appropriate knowledge or MAE qualifiers, as needed.
As with any indemnification provision, there will be negotiation around the limitations of any indemnification, such as how long the representations and warranties should survive and whether the indemnity will be subject to a cap or basket. Typically, these privacy and data provisions are embedded in the company’s intellectual property representations and warranties but we are increasingly seeing them being included as standalone assurances and included among the regulatory matters provisions in deals that had not previously included cybersecurity provisions. We are also seeing evolving trends around the level of indemnity protection that is being requested by buyers for cybersecurity matters.
For the target company, performing its own risk assessment could offer several benefits, particularly if performed before the transaction commences. For example, if a target conducts a risk assessment, the resulting gap analysis can be used to begin to address any significant issues before they arise in the context of the transaction. Such foresight could ultimately result in a higher valuation of the target and reduced risk that major issues arise later that could derail a potential transaction. Further, any resulting certification or compliance assessment can be used as described above to demonstrate the security posture of the target. In the event a transaction moves forward before all deficient elements of a cybersecurity audit are met, a target will want to carefully evaluate which elements to disclose and how to disclose them. Having a plan for addressing such deficient elements can often assuage concerns that might be raised by the acquirer.
Cybersecurity continues to be an issue at the top of the list of concerns for most companies, particularly those in acquisition mode. As acquirers become more sophisticated and better understand the cybersecurity liabilities that they could be inheriting as a result of an M&A transaction, the greater the scrutiny that will be paid to the target companies. The use of cybersecurity questionnaires, cybersecurity-specific M&A processes, and related non-technical mechanisms can offer a good starting point for an acquirer to understand the target’s approach to privacy and cybersecurity. More comprehensive technical mechanisms can be employed when greater detail or more significant concerns exist. Ultimately,the attention given to cybersecurity issues is only likely to increase, which will require corporate legal teams to coordinate their due diligence and other M&A efforts with privacy and data experts.