In the context of a transaction, it is common to focus due diligence on areas such as tax, employment and real estate. Devices enabling connectivity and the adoption of digital technologies (robotic process automation, artificial intelligence, etc.) have increased companies’ vulnerability to a security breach. The connected ecosystem, together with growing regulatory scrutiny of data security, has increased the importance of cybersecurity due diligence.
Cyber defenses are not impregnable, and cybersecurity concerns are not limited to the technology industry, as demonstrated by recent security breaches in the hospitality, airline and health industries. According to the EY Global Information Security Survey 2018–19, 77% of organizations are operating with only limited cybersecurity. Omitting cybersecurity due diligence could result in a significant loss of value; worse, it could make it easier for cyber criminals to compromise the security systems of the purchaser.
The value loss could be in the form of theft (of trade secrets, intellectual property or other confidential business data), business shutdowns, regulatory fines, litigation, expenses for forensic and restoration activities, loss of customer trust, and time for crisis management. Cybersecurity due diligence would gather information about:
- Types of high-value digital assets like intellectual property (IP), operations, financial, supplier, customer and plant data, as well as the storage and transfer of data
- Internal rules and regulations — bring your own device (BYOD) policies, identity and access management
- Management, budget and resource allocation for cybersecurity
- Agreements with third parties for data access and the hosting and supply of components, including provisions related to audit and emergency response
- Past breaches
- Risk containment and response-recovery protocols
- Insurance policies
Ideally, cybersecurity due diligence should be performed by a multidisciplinary team consisting of both technical and legal cybersecurity experts who are able to identify, value and reduce the risks. This team would be able to gather information about the target’s risk profile and, more important, interpret the responses and make suitable recommendations to the purchaser. These could include further on-site security assessments, the purchase of cyber insurance, or negotiation of pre-closing covenants, warranties and/or indemnities for discovered and undiscovered issues.
Cyber criminals are moving fast; therefore, it is important for purchasers to manage cybersecurity risks at every stage of the M&A process, including due diligence. Cyber due diligence is an important tool available to purchasers for quantifying cyber risks — both to assist with deal valuation and to prevent value erosion by protecting digital assets.