
Cybersecurity Threats for Mergers & Acquisitions Transactions – The Growing Storm

By Benjamin Di Marco | February 5, 2020


Cybersecurity vulnerabilities have potentially devastating impact on merger and acquisition (M&A) activity. From poor cyber risk due diligence, to failures in post-merger processes, data security issues have created catastrophic exposures for numerous companies.

The complexity and extent of cyber-related M&A harm are highlighted by the Marriott International and Equifax data breaches. In the Marriott incident, hundreds of millions of guest records were compromised through an intrusion into the reservation systems of Starwood Hotels & Resorts Worldwide, which Marriott had acquired in September 2016. Starwood's systems had already been compromised before the transaction, but the intrusion was not identified until roughly two years after the acquisition closed, by which point Marriott, as the new owner, bore responsibility for the incident and its regulatory and customer fallout.

Equifax sustained an estimated US $1.4 billion loss from a major data breach affecting approximately 148 million consumers. The breach was attributed in large part to Equifax's aggressive, acquisition-based growth strategy, which left its information security teams attempting to manage a disparate muddle of inconsistent computer systems, security frameworks and applications. The US House Committee on Oversight and Government Reform found that Equifax's failure to integrate the IT systems it had acquired fostered a poor patching culture and resulted in the company suffering an "entirely preventable" breach.

These incidents underline how M&A activity, unless carefully managed, can create an environment which heightens information security exposures.

It is important that organisations carefully manage and minimise the potential for cyber-related M&A harm.

This can be done by adopting due diligence and investigative approaches that address the following issues whenever an organisation undertakes M&A activity.

Avoiding investigations, migration and consolidation failures

In many transactions the target company's commercial data is one of the key assets driving the financial, reputational and strategic value of the deal. Despite the importance of this data, acquiring companies rarely extend their due diligence to examine how the target's key data records have been collected, protected, maintained and controlled. In many cases data and integrity investigations do not occur until well after the transaction closes, when they can become lost in the long list of post-merger integration tasks.

Where a target’s data processes are not promptly assessed, acquiring organisations are exposed to long-term problems. These include failures to identify non-compliance with privacy and data protection laws, unaddressed technology vulnerabilities, pre-existing internal safeguard breaches, and inconsistent approaches to data governance. Each of these exposures regularly results in major cyber events.

Accounting for the historical nature of cyber exposures 

Many organisations face a significant delay between the compromise of their systems and their awareness of the breach. In sophisticated third-party attacks it is not uncommon for an intrusion to go undetected for years. To assess a target company's cybersecurity risk profile, analysis should not be limited to a single point in time; it should also include a historical assessment of how the target's data and network assets have been managed across their lifecycle.

Acquiring companies must also appreciate that once the transaction completes, they assume all of the cyber risks of the target, including responsibility for historical actions taken from the point at which personal and corporate data was first collected.

This is because data privacy contractual and regulatory obligations not only attach to current uses of data, but also to any actions that have occurred from the point of data collection, up until its current state.

In many cases historical failings to secure and protect records will become integral allegations in data and privacy regulatory and third party claims.

A due diligence process will only identify data lifecycle problems where a wide scope is adopted that examines an organisation’s historical cyber behaviours and processes, as well as the company’s current policies, systems and internal controls. Preliminary concerns should also encourage the organisation to embark on more robust investigations which include independent expert analysis.

Employee hygiene and staff risks

Destructive cyber incidents also occur where an organisation's employees are socially engineered or coerced into taking actions which damage the organisation or allow a third party to compromise its systems.

If a target organisation does not conduct regular phishing awareness programs and staff training, serious questions should be asked about the wider cybersecurity risk-management program that has been adopted.

A related concern is how the target organisation manages the personal and corporate data it shares with third parties, and its approach to using managed service providers (MSPs). The Australian Cyber Security Centre has noted that cyber adversaries continue to compromise MSPs and pivot through the provider's supply chain to attack the provider's customers. A target organisation may carry a significant underlying vulnerability if it has failed to properly investigate how its key MSPs maintain the organisation's data and preserve systems security. These issues can create significant M&A transaction risk, given that many of the largest Australasian breaches in 2019 were directly attributed to the actions of third-party MSPs and technology providers.

Insurance challenges 

Due diligence should also examine how the insurance arrangements of both the acquiring and target companies address future cyber incidents. Stand-alone cyber insurance wordings are written on both claims-made and occurrence bases and, on their face, can respond to a cyber event that is discovered after an M&A transaction, subject to their terms.

Pitfalls exist, however, as many cyber wordings include change-in-control and transaction clauses which can curtail coverage for incidents that occur after an organisation is acquired by another company. Policy conditions may also apply to changes in ownership or operations and to newly created subsidiaries, limiting post-merger cyber insurance response. Where coverage gaps are identified, specialist post-merger cyber insurance solutions should be explored. Cybersecurity risks should also be examined in relation to any Warranty & Indemnity insurance policy obtained, including the extent to which exclusions may apply to the representations and warranties in the purchase agreement.

Author

Cyber and Technology Risk Specialist – FINEX Australasia