Chances are that you or someone you know has been the victim of a data breach. The high number of cyberattacks and data breaches, now reported almost daily, calls attention to the importance of addressing these areas in the due diligence process in M&A deals.
Whether a target company has had issues with cybersecurity breaches in the past is a question that should be at the top of every acquirer's mind, especially if that target has an online presence. If the target is a consumer-facing business that regularly collects personal information, the acquirer should focus its due diligence requests on the security practices of the target. Has the target implemented credit card tokenization? Has it updated its point-of-sale systems? How long does it retain customer information? If a target does not have a consumer base, the due diligence may instead focus on other areas, including how the target protects its trade secrets or confidential information. However, these are not the only issues that need to be addressed during the cybersecurity due diligence process. Acquirers should not only review historic breaches and the target's responses to those breaches, but should also obtain information regarding the target's cybersecurity architecture and its related cybersecurity compliance and risk management practices. If the acquirer can understand the potential risks arising from cybersecurity issues, including quantification of those risks, it can better understand how the valuation of the transaction might be affected. The acquirer should also determine whether cyber insurance is in place, and whether that insurance could potentially mitigate any risk (or whether enhancements to cyber insurance would be available after the transaction closes).
As acquirers become more familiar with the liabilities and risks associated with cybersecurity, there will be more scrutiny in this area. If you are a company considering a sale, you should be prepared to give detailed answers about your cybersecurity policies, procedures and compliance with applicable laws. Before the formal due diligence process begins, you should review and update your cybersecurity policies and breach response plans. You should also be prepared to explain any past breaches of customer information or confidential data, and to outline what the company has done to address the vulnerabilities that led to the breach. Companies collecting confidential information should take preemptive measures to avoid data breaches, including maintaining an up-to-date security policy with a response plan, safeguarding sensitive data, encrypting data, and restricting access to only those who need it.
Cybersecurity due diligence is becoming a best practice in M&A deals. With the proper assessment of cybersecurity risks, companies can more accurately manage transaction risks and understand the true value of the transaction.