The Importance of Cybersecurity Due Diligence in M&A Transactions
Thomas J Smedinghoff & Roland L Troupe.
Business Law Today - September 28, 2017
Most enterprises today are almost totally dependent on digital data and network systems. Virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders in the event of a security breach.
Accordingly, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.
As recent security incidents have made clear, intruders can operate from anywhere in the world, and by stealing, changing, or destroying critical corporate information, or exploiting access to a company’s systems to harm and disrupt its operations, they have been able to inflict significant damage on numerous businesses. No enterprise is immune from cyberattacks; none are impregnable. Virtually all enterprises have been breached and have had at least some of their sensitive information compromised.
In FY 2006, federal agencies reported 5,503 information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). In FY 2014, the reported incidents totaled 67,168—an increase of 1,121 percent. Given that corporations are loathe to report cybersecurity breaches and may not detect successful incidents, the number of reported incidents probably represents only the “tip of the iceberg” of cyber attacks and intrusions.
Over the past three years, the consequences to organizations affected by such security breaches have been significant, and in some cases near catastrophic. One need only consider the injury suffered by organizations such as Target, Home Depot, Sony, and Yahoo!, or to victims of the recent “Petya” ransomware attacks such as Federal Express, DLA Piper, and A.P. Moller Maersk to realize the significance of such events.
It should be critically important to a prospective acquirer of a target enterprise to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack. Equally important, an acquirer must know if the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporation information and IP assets. Otherwise, the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers. In short, it will not comprehend the potentially devalued nature of the assets it is acquiring, nor the magnitude of liabilities it may incur at closing.
Cyber Threats to M&A Deals
M&A practice may at times overlook the significance of the cybersecurity risks facing target enterprises, including the risk that cyber attacks could already be devaluing the digital assets of a target without the target’s awareness and without the acquirer’s knowledge. By December 2014, such risks had become widely reported, as demonstrated by the following bleak recap by Nicole Perlroth in The New York Times:
In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers, and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. . . . But the value [of stolen credit cards during this period] . . . which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of the United States corporations, universities and research groups by hackers in China—so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. . . . Most large organizations have come to the painful recognition that they are already in some state of break-in today.
Most recently, numerous businesses, organizations, and governments found their digital data imperiled by a world-wide dispersal of two waves of malware. The first wave, a ransomware attack dubbed “WannaCry,” began on May 12, 2017. Globally, it infected “230,000 computers in 48 hours,” locking down the computers it infected, and encrypting and rendering inaccessible all of their stored data. The WannaCry worm caused kinetic effects—“paralyzing hospitals, disrupting transport networks, and immobilizing businesses.” WannaCry should make people treat cyber-crime seriously, The Economist, May 20, 2017.
The second wave of malware, called “Petya,” began on June 27, 2017, and severely disrupted operations of “some of the world’s largest companies, including WPP, Roseneft, Merck, . . . AP Moller-Maersk[,] . . . Saint-Bobain and the DLA Piper law firm.” Global groups hit by fresh ransomware cyber attack, Fin. Times, June 28, 2017, at 11. For example, one day into the Petya attack, integrated global transport and logistics company A.P. Moller-Maersk “tweeted” on June 27, 2017, that the malware had brought down its “IT systems . . . across multiple sites and select business units.” By the second day, Maersk had “shuttered many of its ports around the world.”
WannaCry and Petya vividly demonstrated the vulnerability of many companies to a crippling cyber attack, and the experience of Target Corp. provides insight into the costs of a major breach. In 2014, Target Corp. experienced a breach of its networks affecting 40 million credit- and debit-card numbers and personally identifiable information for up to 70 million individuals. The remediation costs had a material impact on the company. Target eventually reported that it “incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million.”
Despite the ubiquity of cyber incidents, and the cost and disruptive impact of cyberattacks, such risks appear to remain “below the radar,” underestimated, or belatedly addressed in many M&A deals. Yet with the value of so many enterprises dependent upon the condition of their high-value digital assets, and with so many of those assets vulnerable to cyber attack, consideration of adding a cybersecurity due diligence review would seem a good and prudent precaution at the start of any proposed M&A deal.
Illuminating the Impact of Cyber Incidents on M&A Deals
The cybersecurity experiences of two companies involved in recent M&A transactions demonstrate the critical importance of cybersecurity due diligence.
Luxury department store Neiman Marcus experienced, unawares, a cyber incident that began as early as July 16, 2013. The incident involved injection of malware into the retailer’s customer payment-processing system, ultimately compromising data on about 350,000 customer payment cards.
Several weeks later, on September 8, 2013, as the intruders operated undetected within the retailer’s networks, Neiman Marcus agreed to be acquired by a group led by Ares Management and a Canadian pension plan. On October 25, 2013, the acquisition of Neiman Marcus closed. Five days later, on October 30, 2013, the card-scraping activity of the malware inside the retailer ceased. No report of the incident suggests that Neiman Marcus or its acquirers knew, as of the closing, that the digital assets of the retailer had been compromised by intruders.
On December 17, 2013, Neiman Marcus received the first of several reports indicating fraudulent use of customer credit cards at its stores, and on January 10, 2014, Neiman Marcus publicly disclosed the incident. Shortly thereafter, affected customers filed class-action complaints alleging the retailer failed to protect them adequately against the breach and to provide them timely notice. Although Neiman Marcus sought to dismiss the suit by arguing that there was no harm to the plaintiffs, and thus no standing to sue, the Seventh Circuit allowed the case to proceed, holding that:
[i]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.
In so holding, the Seventh Circuit pointed to the continuing risk, noting that: “stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” In March 2017, Neiman Marcus entered into a settlement with the class-action plaintiffs and agreed to create a settlement fund in the amount of $1,600,000 to cover claims, legal fees, and other litigation-related expenses.
Apparently, neither the buyer nor the seller knew that Neiman Marcus digital assets had been compromised as of the closing, nor did they foresee the future risk of harmful use of such data. As the Neiman Marcus incident illustrates, there is a growing need to assess a target’s cyber vulnerabilities and the potential repercussions from incidents so that they can be given their appropriate weight in the negotiations of a deal.
In late 2014, senior officers and legal staff of Yahoo!, Inc. learned that unauthorized access to its computer network had been gained by what Yahoo! identified as a “state-sponsored actor.” Yahoo! did not, at that point in time, publicly disclose the incident. Yahoo!’s board apparently did not receive a report of the incident or learn of it until almost two years later.
On July 23, 2016, Yahoo! and Verizon Communications Inc. entered into a stock purchase agreement by which Verizon agreed to acquire “one or more subsidiaries of Yahoo holding all of Yahoo’s operating businesses, for approximately $4.83 billion in cash . . . .” The acquisition of Yahoo! was “expected to close in the first quarter of 2017.” Verizon Communications Inc., Form 10-Q for the period ending June 30, 2016, filed Jul. 29, 2016, at 10.
Around the time that Yahoo! and Verizon signed their agreement, “a hacker claimed to have obtained certain Yahoo! user data. [T]he Company could not substantiate the hackers claim [but] . . . intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.” Yahoo, Inc., Form 10-Q for the period ending September 30, 2016, filed Nov. 9, 2016, at 40.
Thereafter, Yahoo! issued a statement to the U.S. Securities and Exchange Commission (SEC) that said it had no knowledge of “any incidents” of “security breaches, unauthorized access or unauthorized use’ of its IT systems.” Yet less than two weeks later, in September 2016, Yahoo! disclosed to Verizon, and shortly thereafter to the public, that a “copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the First Security Incident).” After disclosing the incident, Yahoo! began notifying potentially affected users, regulators, and other stakeholders.
On December 14, 2016, five weeks after Yahoo! filed its Form 10-Q with the SEC that addressed the First Security Incident, Yahoo! disclosed on its website and in a Form 8-K that analysis of data by Yahoo!’s outside forensic experts convinced Yahoo! that a separate cyber incident involving almost 1 billion accounts had also occurred (the Second Security Incident).
After further negotiations and as a result of the two cyber incidents, Yahoo! agreed with Verizon to modify the terms of the deal as follows:
the purchase price was reduced by $350 million, down to $4.48 billion;Yahoo! would be responsible for all liabilities arising from shareholder lawsuits and SEC investigations related to the two cyber incidents; andYahoo! and Verizon would each be responsible for “50% of any cash liabilities incurred following the closing related to non-SEC . . . government investigations and third-party litigation related to the breaches.”
As the cyber incidents at Neiman Marcus and Yahoo! demonstrate, cybersecurity now deserves to be an integral part of M&A due diligence, and to be done properly, it must begin at the earliest practicable time in the transaction. Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.
Assessing a Target’s Cybersecurity Defenses
Assessing the quality of a target’s cybersecurity defenses and its experience with cyber incidents poses a challenging risk assessment for an acquirer, and one quite different from other risk assessments in an M&A deal. How does an acquirer’s counsel evaluate the target’s cybersecurity program or inquire into its probable experience with cyber incidents? How does counsel assess the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited? How does counsel determine the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise?
Cybersecurity due diligence might not yield a precise and exact picture, but it has the capability to provide an acquirer with a far closer approximation of the actual condition of the target’s digital assets by revealing the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring the control of those assets, and any records of cyber incidents that may have resulted in compromises of those assets. Knowing such facts, the acquirer’s counsel will be in a better position to structure the definitive acquisition agreement to mitigate the risks identified.
To accomplish its goal, the acquirer’s M&A cybersecurity due diligence process should address six categories of topics, as follows:
identify the target’s high-value digital assets and evaluate the relative importance of those assets to the target’s business;evaluate the target’s internal cybersecurity program to protect those high-value digital assets, e.g., whether it is appropriate for the business; whether it is complete, etc.;assess the target’s cyber-risk-management efforts as they relate to third parties on which the target depends for goods, services, data, outsourced business functions, and joint business initiatives;identify the target’s prior breaches and assess its incident-response capabilities;evaluate the status of the target’s cybersecurity regulatory compliance, i.e., identify applicable compliance requirements, determine whether the target is in compliance with its cybersecurity legal obligations, and evaluate the risks posed by any failure of such compliance; andconsider and evaluate the target’s overall resilience and general ability to withstand a direct cyber attack on its digital assets.
Evaluating a Target’s Cyber Incident Experiences
In cases where the target company has experienced a recent security breach, it is important for M&A cybersecurity due diligence teams to assess whether a target company has the means to know five fundamental facts about the target’s experience with any cyber incidents.
First, what data might the attackers have gained (or still be gaining) access to? Did they read files? Did they change permissions so that they could log in and appear authorized? Did they make copies of customer lists? Or worst of all, did they modify data? It is important that the target have the answers to such questions.
Second, what data might the attackers have viewed and exfiltrated copies of? It is possible the attackers saw something they wanted, such as the company’s password file or key product designs. Knowing what data was taken is key to evaluating the scope of the damage done, as well as the potential for future damage.
Third, what data might the attackers have changed? This is often the real bugbear. Did the attackers modify data contained in certain files and, if so, what changes did they make? This can be far more difficult to determine than whether the attackers accessed or removed a copy of a file’s data. For example, in the case of a defense contractor, the attackers might not only have removed a copy of the manufacturing design for a stealth fighter’s aileron, but also modified the target’s copy so that further use of that design data will embed defects or flaws that were not in the original design. No one at the target will know that has happened unless they are extraordinarily familiar with the data and happen to make a close comparison of the currently active file with a back-up that is reasonably good, i.e., that the attackers did not alter. Given that sophisticated, stealthy attacks may continue undetected for months or years, however, how far back does a target’s personnel have to go to obtain a reasonably good and reliable back-up in order to ensure the copy is of the original design and not of the design as modified by the attackers? Even small, seemingly insignificant changes to critical data can have catastrophic impact on products and on users.
Fourth, what defenses of the target did the attackers force the target’s system to reveal? Attackers now have tools that can force a target’s system to “reveal secrets that are relied upon for security.” Such a tool works analogously to the flying of aircraft towards or extremely close to an adversary’s border (or even crossing it briefly and departing) in order to prompt the adversary to turn on its most sophisticated air-defense radar, thereby revealing its location, signature, strength, and other features. In cyber attacks, as with probing air defenses, the prospective attackers want to determine what actions will cause the defensive measures to be activated, or “turned on,” and when it counts, what actions will not cause the defensive measures to “turn on” and enable the attackers to bypass them. Not knowing what the attackers have learned may cause a target to be far more vulnerable to future cyber attacks than the target (or an acquirer) may realize. It may also cause the target’s officers to become overconfident or complacent about their company’s cybersecurity.
Fifth, did the attackers gain entry by breaching a layer of the target’s system that did not have the same defenses as other layers? Many target companies are unaware of the fact that a protection system is only “reliably effective against attacks” that occur “at the same system layer in which the protection system” has been implemented—and that at some of a target’s computer-network system layers there may be fewer or different protections than at others. As a result, the cyber attackers can breach a system by going through a layer that lacks protections at a higher or lower layer, just as attackers in medieval warfare could get past a deep moat and insurmountably high castle wall by tunneling beneath and past both of those defensive layers.
A target’s exposure to cyber intrusions will be a function, in part, of how well prepared it is with tools to address those five features of a cyber incident.
Unfortunately, the means for discovering vulnerabilities, closing gaps in defenses, detecting intrusions, figuring out what has been accessed, what has been done to it, and what awful things may happen at a time and place of the cyber intruder’s choosing, are the trailing-edge technologies. Methods of cyber intrusion, of conducting exploits, and of postponing their detection with stealth continue to outpace any improvements in defenses. A victim’s first knowledge of an attack may come only when the damage or misuse of digital assets becomes conspicuous or is reported by third parties. As a result, “companies often do not discover a data breach” or compromise of their digital assets “until an extended period of time after they have been hacked.” Clifford G. Tsan & Michael D. Billok, Cybersecurity Insurance: Facing Hidden Risks and Uncertainty, N.Y.L.J., May 2, 2016.
For an acquirer there are actually two risks of breaches of the target that may initially be difficult to distinguish from each other. In one kind, the target remains unaware of the attacker’s intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. In the other kind, the target may have discovered the breach months or years before the start of the acquisition, but for various reasons postpone from disclosing it to the acquirer until the definitive agreement has been signed and due diligence may be quite advanced.
Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them. In light of the transactional difficulties that cyber incidents can create, as observed in the Neiman Marcus and Yahoo!/Verizon deals, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognized as essential to protecting an acquirer’s interests.