Five critical tools for M&A cybersecurity due diligence

Recent surveys show that 73% of buyers conducting due diligence have uncovered evidence of undisclosed data breaches.

As part of due diligence, the buyer’s side counsel should be analyzing both whether the acquisition target has met its obligation under those laws and what obligations it has agreed to undertake. (Credit: Natee Meepian/Shutterstock)

Cybersecurity due diligence has become a bedrock component of mergers and acquisitions. Recent surveys have revealed that as many as 73% of buyers conducting due diligence have uncovered evidence of undisclosed data breaches.

Buyers — and sellers — have ample reasons to be concerned about cybersecurity risks given recent disastrous examples. For instance, Verizon’s acquisition of Yahoo! was significantly disrupted when Yahoo! belatedly disclosed a major data breach that had been ongoing for more than two years. Yahoo! was forced to reduce its sales price by a whopping $350 million, and the Securities and Exchange Commission slapped the internet giant with a $35 million fine for failing to properly disclose the breach.

While not every deal is a multibillion acquisition, supporting the deployment of a cybersecurity due diligence team, there are five tools in the cybersecurity playbook that every buyer can use.

First, ask for a data inventory. A fundamental component of any data privacy or cybersecurity program, the inventory should include every piece of information stored or processed by the target company and provide an understanding of what sort of data is collected, where and how it is stored, what is it used for, if it is shared with another organization or group, and how long it is kept before being disposed. This inventory will, in turn, provide a buyer with a good, basic understanding of the potential laws and regulations that could apply.

Second, ask for a copy of any internal or external cybersecurity assessments or audits. Several of these assessments are employed now, from a full-blown cybersecurity audit to penetration testing and Payment Card Industry (PCI) audits. These reports, or the lack of them, may reveal critical weaknesses in the target’s cybersecurity system.

Third, obtain and scour any outward-facing privacy statements. If any component of the target’s value is based on consumer data, then a review of its privacy commitments is critical. Consumer’s personally identifiable information (PII) may include name, addresses, emails, biometric information, IP addresses and much more. Surprisingly, many businesses still post privacy policies that do not give it appropriate permission to use PII in the ways they need and frequently represent that the business will not sell consumer PII to any third party. Businesses also often make contradictory privacy commitments through conflicting statements on sprawling websites, shopping carts, and in live stores. Poorly worded or contradictory privacy statements can have a significant adverse impact on the value of any data assets being sold.

Fourth, ask for and review all third party and vendor contracts. The privacy and cybersecurity world has been virtually transformed by the passage of major legislation, like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In turn, these privacy laws have driven changes in vendor agreements that impose significant cyber and privacy compliance requirements. As part of due diligence, the buyer’s side counsel should be analyzing both whether the acquisition target has met its obligation under those laws and what obligations it has agreed to undertake. These undertakings may add increased costs to company operations, or seriously limit the usability of the data acquired.

Finally, think outside the due diligence space. If the acquirer has room in their budget, there are many nontraditional techniques buyers can employ to truly confirm a seller’s representations about its cybersecurity. Dark web and threat intelligence searches can determine whether company data, including its intellectual property, is already “in the wild” and for sale to criminals everywhere. That could negatively impact a business’s value.

Certainly, successful cybersecurity due diligence effort should embrace these five tools and much more. And, of course, this due diligence must be backed up with thorough representations and warranties and well thought out cyber insurance coverage. Arguably, there is an even more fundamental element needed: make sure a data privacy and cybersecurity lawyer leads the due diligence effort.

Luis Salazar (Luis@Salazar.law) is managing partner of Salazar Law and The Biometric Law Firm. The views expressed here are the author’s own. 

Related: