Cyber security is widely recognized as one of the major challenges for governments all over the world, which treat it as one of the priority topics of their political agenda, with the aim of increasing the security, reliability and resilience of information systems and networks. However, cyber security should no longer be considered an exclusive prerogative of governmental bodies, nor as restricted to IT departments and information security professionals: indeed, it is undeniable that cyber risk is not a technological risk, but a strategic and corporate risk which must be given due consideration also from a legal point of view. Hence the need for corporate cyber-intelligence. That said, like any corporate risk, cyber risk must be managed properly within a general framework of information and risk management.
M&A transactions represent one of the most relevant and vibrant moments of our economy: they bring with them the experience of a wide range of professionals, and contribute to creating value in many fields.
The value of those transactions is the synergic outcome of several contributions, among which special mention goes to the active involvement of various professionals and to several information and data flows: those synergies, on the one hand, contribute to creating added value but, on the other hand, create considerable vulnerabilities, which are increasingly exploited by groups or individuals for criminal purposes.
Indeed, it is not hard to see that wide sharing of information, especially in extraordinary transactions, represents a real challenge for practitioners in the field: commercial data, IP information and sensitive data may all be exposed to cyber threats.
Therefore, anyone involved in M&A transactions should treat cyber security as one of the main priorities. Indeed, as mentioned above, the volume of information shared during the completion of a transaction - including strategic and financial data - and the number of people involved in each phase of an extraordinary transaction are much higher than in ordinary transactions. Those elements increase the risk of cyber-attacks, and the possibility that networks, systems and corporate data are compromised. The threats take different shapes and serve different purposes. For this reason, and taking into account also the dangerousness of some of the individuals who constitute the threat, the internet is now considered a true battlefield and, as such, must be protected with corporate intelligence strategies. Who are the potential victims and the potential “enemies”, and what is the possible strategy to prevent the cyber war from undermining an extraordinary operation?
As for the potential victims, a particular role is played by multinational companies, which have already been affected on several occasions by cyber-crimes that caused them severe damage. Nevertheless, small and medium-sized companies, which represent the core of the Italian economy, are also a potential target. With regard to the enemies, they range from petty criminals to professional freelance cyber-criminals, who sell their skills and tools (malware, zero-day exploits, or botnet access), hacktivists (who are guided by alleged “principles” or political or moral aims), or more sophisticated cyber-criminal organizations, often at the service of competitors. In any case, it should not be underestimated that employees, collaborators or suppliers of each of the companies involved in an extraordinary operation may also represent a potential enemy.
With reference to the analysis of the risks and of the possible strategies, we should first observe that, although cyber risk may seem at first sight an emerging risk, its consequences are well known and established: among others, it is sufficient to mention damage to reputation, loss of clients, financial damage and disruption of commercial operations. Therefore, all those involved in M&A transactions, including professionals and companies, cannot afford to ignore those threats and risks, and must become aware of the tools able to safeguard their data, clients and reputation, as well as of the possible remedies.
The objective of assessing the cyber security of the target companies should be introduced from the beginning of an extraordinary operation, even when signing a letter or memorandum of intent, so that the potential acquirer is aware of the possible exposure, and the consequent risks and responsibilities, even after the conclusion of the operation. In this scenario, cyber due diligence is increasingly becoming a standard best practice in M&A transactions.
As is known, the primary purpose of due diligence is to obtain an accurate understanding of the financial and legal condition, the contracts, the assets and liabilities of the target company. Cyber due diligence has become a crucial component of this review and investigation process, in which counsel and consultants specialized in cyber security play an essential role in the assessment of cyber risk. This due diligence should include a review and analysis of the policies, programs and information systems and of their correct configuration, as well as of the data protection procedures. Furthermore, it should not focus only on the target company: third parties, such as suppliers and key employees, should not be disregarded.
The recent well-known events regarding the potential acquisition of Yahoo by Verizon, and the impact of the cyber-attacks against Yahoo (never declared or discovered during the due diligence) on the final purchase price (which seems to be more than 350 million dollars), should teach us the importance of an accurate assessment - from a legal and economic point of view - of cyber risk from the beginning of the acquisition process. It should not be forgotten that this process cannot yet be considered standardized, but is constantly evolving, taking into account also the different fields in which the target company may operate, and the financial and legal peculiarities of some fields (among others, healthcare, communication, public procurement). Moreover, an accurate due diligence should also be followed by careful drafting of the acquisition agreement, which includes careful management of the risk - abstract or concrete as it may be - and of the consequences in terms of indemnification and compensation of damages, as well as potential price adjustment. In this context, we should also not underestimate the importance of insurance policies which may cover those risks.