Imagine getting ready to spend billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of multiple cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever forget, regardless of the size of the acquisition, but that clarion call does not seem to be heard universally.
That's what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological components are still relatively low on the essential due diligence checklist.
The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early on in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.
"The value of pre-sign due diligence is to make sure that companies are assessing all the relevant risks before they sign on the dotted line," says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. "Cyber can be a major factor in deciding whether or not a client decides to walk away" from a merger or acquisition.
Early cyber due diligence allows a potential suitor to "negotiate better terms through the purchase price reductions, or indemnities, or other contractual provisions," he adds.
In conjunction with the traditional business due diligence, companies are turning to threat intelligence experts to evaluate the prospective target's risk profile, looking for evidence that the company might have been breached with data for sale on the Dark Web or perhaps has weak controls on other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company infrastructure and any known malware families and command and control servers, or other insights.
Other significant intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports.
"You're starting to see more technical verification, moving into the pre-sign phase," Hauser says.
Cyber criminals often watch mergers and acquisitions activity, looking for a potentially weak target being acquired by a stronger company, especially one that might have a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be uncommon for the target firm to get attacked with the hopes of breaching a weak link and thus accessing the more lucrative part of the merged companies.
Another vulnerability occurs when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.
If the acquiring company does not employ compliance experts for the acquired company's operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.
In such cases, using a third-party advisory service is recommended, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target's security posture, including what its program looks like, strengths and weaknesses, and existing security tool sets.
"Then you can get views on the targets that are both objective to the target and deal with this integration challenge," he says.
Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. "They are going to be the ones who own cyber risk at their enterprise because if there's an incident, they're calling outside counsel, they're coordinating forensics, and they're looking at regulatory response obligations," Colson says.
"I think the more proactive [general counsels] are, [they are] going to realize that cyber risk is a place where they can actually drive value to the business and enable things," he adds. "It's just a matter of time before more and more GCs get on board with that."
EY's Hauser said that SEC Chairman Gary Gensler's recent proposed rules for public companies and other financial services organizations could help boards of directors to navigate through the cybersecurity due diligence challenges.
There is a consensus that there is a growing risk of cybercrimes and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. That, combined with Gensler's proposed rules that put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity experts to take a more active role in board-level decisions, he notes.