Data privacy and cybersecurity concerns are changing the way potential investors and acquirers evaluate a target company through due diligence. Data- and security-related risks can be extremely costly, especially those that are not uncovered in due diligence.
For example, insufficient controls or a history of noncompliance with relevant data protection laws could result in significant post-closing regulatory fines. Additionally, previously undisclosed or undiscovered data breaches may not be obvious in due diligence, but could put large sums of money at risk long after a deal has closed. These risks can open up the acquirer to significant liability. For example, after Verizon purchased Yahoo, it learned that the extent of Yahoo’s 2014 data breach was significantly understated, resulting in a renegotiation that dropped Yahoo’s value by nearly $350 million.
In light of the importance of cybersecurity and data privacy due diligence, updated due diligence strategies should:
- Identify the Target’s Digital Assets;
- Evaluate the Target’s Internal and External Cybersecurity and Data Privacy Programs;
- Identify Ongoing or Past Incidents and Breaches;
- Assess Regulatory Compliance; and
- Assess Potential Liabilities.
1. Identify the Target’s Digital Assets
Acquirers must inventory the digital assets that the target owns. While some digital assets may be obvious, others are not. Digital assets include anything from client lists to source code to customer data. The inventory should include the location of those assets and identify whether they are stored internally or with a third-party vendor.
Finally, the inventory should also evaluate the level of risk associated with each asset. For example, a locally stored database containing sensitive information that is protected by access restrictions may be less risky than the same data held by a third party on a cloud server.
2. Evaluate the Target’s Internal and External Cybersecurity and Data Privacy Programs
With the inventory complete, acquirers should focus next on investigating whether the target has policies and procedures in place to protect those assets and handle security threats. Reviewing a target's cybersecurity protocols is a good start, but it is also important to verify that employees are actually following those protocols. For instance, some companies regularly send simulated phishing emails containing external links to test whether employees open suspicious links, the behavior that makes the company vulnerable to phishing attacks. More sophisticated IT programs follow up with employees who engage in unsafe behavior and provide them with additional training. A target with lax security protocols is more likely to be unaware of a prior or ongoing security incident that could become a large expense in the future.
It is important that acquirers also consider the target's external vendors, including each vendor's rights and responsibilities with respect to the data shared with it. For instance, some vendor contracts allow the vendor to share email addresses and other data with advertisers. Some contracts require vendors to notify the company of an incident or breach, while others are silent on this issue. Knowing what happens to data once it leaves the company is as important as knowing what happens to the data within the company.
3. Identify Ongoing or Prior Cybersecurity Breaches
Investigating past breaches is helpful in two ways. First, by analyzing the target’s response to a breach, the acquirer can gain insight into how well the target’s internal controls and protocols worked. Second, the acquirer can determine whether the target acted in accordance with applicable laws, regulations and standards when responding to the breach. If the target did not follow its own privacy policies or violated the law, that risk may negatively affect the target's valuation.
Although uncommon, due diligence sometimes uncovers an ongoing breach. These cases allow the acquirer to see in real time the target’s response, judge the effectiveness of its internal controls, and gauge the potential for future costs arising from the breach.
4. Assess Regulatory Compliance
Identifying past breaches is a good way to know if the target was in compliance in years past; however, the acquirer should also consider whether the target will meet any new regulations on the horizon. For instance, with the European Union’s General Data Protection Regulation (GDPR) taking effect in 2018, due diligence should determine whether the target is subject to the regulation, and if so, whether its compliance posture has a material impact on the target’s valuation.
5. Assess Potential Liabilities in Connection with Traditional Due Diligence
The acquirer should not consider the issues above in a vacuum. Instead, we suggest using the findings from the steps above to assess the target's data privacy and cybersecurity risks and liabilities alongside the target’s responses to more traditional due diligence requests. As with other forms of due diligence, the acquirer can then decide whether past events and current practices have exposed the target to material risks, and use those risks to negotiate a lower purchase price.
If not thoroughly considered, data privacy and security risks from the target could lead to surprising and significant costs levied against the acquirer years after the deal is completed.