Cybersecurity Now Part of Due Diligence Process: Hidden Risks

This document discusses the importance of including cybersecurity due diligence when acquiring a business. It notes that buyers want to understand and manage cyber risks upfront to avoid post-transaction surprises. The Yahoo-Verizon deal reduction due to undisclosed breaches is provided as an example. A thorough due diligence process involving cybersecurity experts can identify risks, compare controls to standards, and ensure buyers are aware of issues pre-closing. The key elements of due diligence outlined include initial risk assessment, reviewing security measures, tailored diligence based on findings, expert engagement, establishing oversight teams, and examining past incidents and insurance.

Uploaded by

humdil
Cybersecurity Now Part of Due Diligence Process
By: Imran Ahmad, Gary Volman, and Deven Rath

Given the accelerated pace at which businesses are digitizing their operations and assets, the importance of cybersecurity cannot be underscored enough. In the context of an M&A transaction, implementing appropriate cybersecurity measures is essential given that the buyer is likely paying a premium for the target and any failure to accurately assess cyber risks may result in a reduced value of the acquisition or previously unknown litigation exposure. With the assistance of cybersecurity experts, due diligence can be tailored to ensure that the risks are known and appropriately managed so that there are no unexpected surprises post-transaction.

Hidden Risks

It was recently announced that Yahoo! Inc. (Yahoo) and Verizon Communications Inc. (Verizon) had reached an agreement whereby the purchase price was reduced by $350 million. Yahoo will be responsible for evenly splitting the cash liabilities that may arise from non-Securities and Exchange Commission (SEC) government investigations and third-party litigation related to the breaches. In addition, Yahoo will continue to be responsible for SEC investigations and shareholder lawsuits. The adjustment to the purchase price stems directly from the data breaches Yahoo reported over the summer of 2016. This case serves as a reminder of the importance of a due diligence process that includes an in-depth review of the target's cybersecurity posture.

Avoid Buying A Lemon

Acquiring a business can create a number of advantages for the buyer, but also inherently carries certain risks, such as environmental liabilities or obligations to employees. This is why a thorough due diligence process is essential, since it allows the buyer to identify the level of risk associated with the transaction and ensure that it is comfortable taking on that risk. Failure to identify problems can result in discovering, after the fact, issues and liabilities that may not only diminish the value of the acquisition, but can also result in having to commit significant additional resources to resolve them. Put simply, buyers want to avoid a situation where they have bought a lemon.

As the Yahoo-Verizon case study shows, identifying cybersecurity risks during the due diligence phase of a deal is increasingly important, because if the company does not detect problems before the deal closes, it risks sustaining losses afterwards. The earlier a buyer can identify problems, the more opportunity it will have to manage the associated risks: by resolving them, re-negotiating the purchase price, or delaying the closing date, if necessary.

Broadly speaking, cybersecurity risks include the following:

- Business interruption
- Legal liability, including litigation
- Regulatory investigation and enforcement action
- Failure to meet contractual obligations
- Loss of critical data (e.g., intellectual property, trade secrets, etc.)
- Reputational harm
- Inconvenience to customers and loss of trust
- Expenses related to recovering the data
- Loss of revenue, etc.

Given the potential impact a cyber-incident can have on an organization, it is no surprise that buyers are increasingly demanding that a cybersecurity due diligence process be undertaken and the findings factor into the negotiation of the purchase agreement.

Covering the Bases

The following elements should be, at a minimum, part of any cybersecurity due diligence process. This is by no means an exhaustive list and it would need to be customized based on the input of cybersecurity experts, depending on the nature of the target's business. Nevertheless, it is a good baseline from which to start.

1. Initial Identification at the Engagement Stage

Buyers should consider performing cybersecurity risk assessments during the initial stages of the transaction, and engage qualified experts as early as possible. The target's key processes and systems should be identified, including the data backup and recovery process. In addition, the buyer should have an understanding of the target's key assets, major threats, and potential vulnerabilities. One of the key objectives during the due diligence stage should be to assess the target's awareness of its operational risks rather than relying on the target's assurances.

2. Assess Target's Security Measures

Due diligence questionnaires based on recognized standards (e.g., NIST, ISO 27001, etc.) should be completed by the target to determine what security controls are in place to protect critical business data. The questionnaires provide buyers with key information on the target's exposure to a potential data breach and these findings may serve as a negotiating point throughout the transaction. The findings will also help the buyer determine whether the target has a crisis management plan in place which has been approved by senior management. Awareness at the senior executive/board level is an important indicator of how seriously the target has considered its cyber-related risks.

3. Tailoring Diligence

After reviewing the information obtained from the initial cybersecurity risk assessments, buyers should tailor and focus their follow-up due diligence accordingly. Findings from the initial risk assessment and due diligence questionnaires will better inform the buyer of the information now available to it, the industry it will be operating in, and how important information security is to the target. Buyers should also consider how important data is to the target's business, and how that data is being protected.

4. Engage Cybersecurity Experts

Cybersecurity experts and specialized legal counsel should be engaged at the outset of the transaction to gauge the target's cyber-readiness and potential exposure to serious data breaches. Involving experts is vital, since the parties involved in the transaction process often do not possess the technical background necessary to thoroughly assess cybersecurity risks or to compare the findings with accepted industry-specific benchmarks. Experts may conduct necessary on-site testing and assess the suitability of the programs in place to manage risks to both physical security (access to locations/computers) and technical security (encryption, firewalls, network monitoring). They will also ascertain the costs and consequences of any potential vulnerabilities identified during the engagement stage.

5. Set Up Risk Oversight Team

Organizations may also want to establish a risk oversight team to oversee all cybersecurity-related matters, including the possible issues that may arise during negotiations and post-closing. The team should be regularly briefed about cyber-risks uncovered during the diligence process and key stakeholders should be informed of these risks. The team should liaise with the target to ensure that security measures are comprehensive: employee contracts and confidentiality/non-disclosure agreements, employee policies/training, access to hardware/software, and should include possible issues in the supply chain. This team should also be responsible for managing the integration process to ensure that the buyer's network is not put at risk as a result of the target's vulnerabilities.

6. Check The Past

Buyers should also ask the target about past cybersecurity incidents, any pending investigations by regulators or litigation, and the target's general response to any incidents. If the target has suffered numerous cyber incidents, this may be a good indicator that security was not a priority and it may signal that the target's digital assets (e.g. intellectual property, trade secrets, etc.) have been compromised. Buyers must remember that when they are acquiring a company, they are directly acquiring its past, present, and future data security problems.

7. Assessing Cyber Insurance

In addition to insurance and/or indemnities related to the representations and warranties in the purchase agreement, buyers should evaluate the extent to which cyber risks are mitigated by specific coverage, including whether enhancements to the cyber program may be available post-closing. Most cyber insurance policies cover data breaches and the expenses involved in complying with data breach notification laws.

Key Takeaways

- It is vital for buyers to understand the risks associated with the digital assets they are acquiring in transactions. Not understanding the risks can create an unexpected liability post-transaction.
- To help understand the risks, cybersecurity due diligence should always be part of the buyer's broader transactional analysis. Buyers should consider potential cyber-related risks in the acquisition process and tailor their diligence to each target's business.
- The results of cybersecurity due diligence, and any issues that are discovered, should inform the negotiation of the purchase agreement. This will possibly be reflected in the purchase price, the indemnification/insurance provisions, or elsewhere in the agreement.
- It is important for a buyer to engage cybersecurity experts in the due diligence process. Engaging experts ensures that individuals with the necessary technical background are assessing the target's exposure to cyber risks.

Contact

Imran Ahmad
Partner
416.597.6031
iahmad@millerthomson.com

Gary Volman
Associate
416.595.7924
gvolman@millerthomson.com

Deven Rath
Articling Student
416.595.8635
drath@millerthomson.com

millerthomson.com

vancouver calgary edmonton saskatoon regina london kitchener-waterloo guelph toronto vaughan markham montréal
