By Jeanelle Pran
The digital era in which we live continues to rapidly evolve, and commercial enterprises rely significantly on technology to manage their affairs and conduct everyday business. Companies that intend to collaborate, or form alliances, mergers and partnerships, with other entities now have to consider the cybersecurity implications and risks as part of their due diligence process. This includes, among other things, an assessment of a target company’s cybersecurity and data protection programs and protocols as well as its risk exposures. Cybersecurity risks threaten to expose sensitive company information, including confidential employee and client information, trade secrets and operational practices, which could have detrimental consequences for business operations and may leave companies in breach of their compliance obligations.
Incorporating cybersecurity due diligence in the diligence process in company acquisitions therefore has many benefits. For instance, an acquirer can make a more informed decision on the overall health of the target company in question and in particular, whether that target company’s cybersecurity policies and procedures align with the acquirer’s risk tolerance and cybersecurity goals. Incorporating cybersecurity due diligence in the diligence process can also mitigate any financial and reputational losses that can result from cybersecurity breaches or violations of data protection laws. As such, in determining whether to partner with an entity or acquire it, an acquirer should ensure that the target company has healthy and robust cybersecurity standards.
In conducting a cybersecurity due diligence, the following factors and considerations should be taken into account:
- Identify the threat landscape: A thorough analysis should be done on the current threat landscape to gain an understanding of the types of exposures and vulnerabilities which a target company may be subjected to. This would include an examination of the potential bad actors who pose a threat to the transaction, whether in the particular industry or region. For instance, if acquiring a target company in a country known to be susceptible to cybersecurity attacks or threats, this should be taken into account in determining the overall deal package.
- Reviewing and understanding the cybersecurity policies in place: It is important to review a target company’s cybersecurity policies and protocols. This includes examining and/or gaining an understanding of its backup and disaster recovery procedures, data protection safeguards, data breach mitigation strategies, employee training programs and incident response plans.
- Overview of the information technology infrastructure: An understanding should be gained of the information technology framework within which the entity operates. This includes uncovering details of the entity’s major information systems and functions, networks, data storage practices, software systems, access controls, information technology licences and any insurance coverage in respect of losses relating to its information technology or computer systems. Any documentation required to evidence this should also be requested, where appropriate, and reviewed.
- Historical breaches and threats: Past security breaches and threats can provide useful insight into a target company’s vulnerabilities and overall cybersecurity position. Enquiries should therefore be made as to any threats or instances of hacking, viruses and other cybersecurity breaches experienced in the past (including the nature and causes of those incidents, the target company’s response to same and how these were appropriately addressed or remedied).
- Evaluation of the company’s vendors and suppliers: Given that most commercial enterprises rely on third party suppliers for their goods and services, consideration should be given to any cybersecurity threats which these suppliers may face and to their general cybersecurity practices. If suppliers do not have appropriate information technology and cybersecurity systems in place, this could create vulnerabilities in the target company’s network and make it susceptible to infiltration. While it may not always be straightforward to determine the strength of suppliers’ information technology systems, certain questions can be asked to gain some comfort as to any potential risks. For instance, enquiries can be made as to the length of time for which the target company has conducted business with the suppliers and whether there are any known instances of cyber threats or data protection breaches concerning those suppliers during that period.
- Regulatory compliance: If a target company carries on business in a country which has rigorous cybersecurity and data protection regulations, it is essential to ensure that the target company has been, and is, complying with those regulations. Enquiries should be made as to whether there have been any violations of local data protection or cybersecurity legislation, any fines sanctioned in respect of same and any ongoing or threatened litigation resulting from any such violations.
- Employee awareness: Assessing employees’ awareness of the cybersecurity policies and procedures is a good way to examine a target company’s adherence to its policies. Information should be sought on whether there are written cybersecurity policies in place, whether employees have been provided with those written policies, whether regular cybersecurity training is conducted and whether employees are routinely tested on their knowledge of the cybersecurity systems in place. Copies of any documents relating to these enquiries should also be requested and reviewed.
- Identify deal-breakers: A cybersecurity due diligence may reveal deal-breakers or circumstances which change the deal for an acquirer. For instance, if the acquirer deems the information technology systems and procedures inadequate and considers that it would have to expend significant sums of money to remedy them or make them compliant with applicable data protection and cybersecurity laws, this may change the value of the target company and therefore the deal price. A careful analysis should therefore be done of the exposures or risks if a merger, partnership or alliance is formed with a target company which does not have proper protocols and safeguards in place, and of how, if at all, this might affect the intended transaction.
It is of little benefit to acquire or partner with a company if that company’s performance and operations can be easily or significantly frustrated by a cyberattack, as this can hinder business operations and negatively impact the generation of revenue. Not all deals require an in-depth cybersecurity due diligence, but understanding the operations and business of the target company, as well as its information security systems, is a good way of identifying the depth to which a cybersecurity due diligence should be undertaken.
By examining the security policies, practices and risks of an organization, acquirers will be more confident in navigating complex cyber landscapes and better placed to safeguard their operations. Cybersecurity due diligence has therefore emerged as a critical part of the due diligence process, as it can influence the success or demise of companies and business initiatives. It is an exercise which should certainly form part of the due diligence process.