A cybersecurity risk assessment is a critical part of M&A due diligence
As of mid-February, the plan for Verizon Communications to acquire a majority of Yahoo’s web assets is still on, despite the announcement of Yahoo having suffered two massive breaches of customer data in 2013 and 2014. The sale price, however, has been discounted by $350 million, and Verizon and Altaba Inc. have agreed to share any ongoing legal responsibilities related to the breaches. Altaba is the entity that will own the portion of Yahoo that Verizon is not acquiring.
Following the disclosure of these breaches, Yahoo was highly criticized for its lax stance on cybersecurity. For example, a team from Venafi Labs looked at the cryptographic posture of external Yahoo web properties and claims to have discovered that 27% of the company’s security certificates had not been reissued since January 2015. According to Venafi, replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications. In addition, Venafi says 41% of the external Yahoo certificates discovered use SHA-1, a hashing algorithm that is no longer considered secure. Apparently, Yahoo isn’t even attempting to close the barn door after the horses fled.
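As an added illustration (not part of the original column, and not Venafi's tooling), the two certificate checks described above can be run over trimmed `openssl x509 -noout -text` output. The host names, sample output and cutoff date are constructed assumptions.

```python
import re
from datetime import datetime

# Assumed cutoff: a certificate issued before this date has "not been
# reissued since January 2015". Adjust to the incident being assessed.
REISSUE_CUTOFF = datetime(2015, 2, 1)

# Constructed sample: trimmed `openssl x509 -noout -text` output for three
# hypothetical hosts (not real certificate data).
SAMPLE = """\
== mail.example.test
        Signature Algorithm: sha1WithRSAEncryption
            Not Before: Mar  4 00:00:00 2014 GMT
== login.example.test
        Signature Algorithm: sha256WithRSAEncryption
            Not Before: Jan 12 00:00:00 2015 GMT
== www.example.test
        Signature Algorithm: ecdsa-with-SHA256
            Not Before: Nov  9 00:00:00 2016 GMT
"""

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NB_RE = re.compile(r"Not Before:\s*(.+?)\s+GMT")

def audit(text, reissue_cutoff=REISSUE_CUTOFF):
    """Return {host: [findings]} for each '== host' section in text."""
    report = {}
    for section in text.split("== ")[1:]:
        host, _, body = section.partition("\n")
        findings = []
        sig = SIG_RE.search(body)
        # sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1 all contain "sha1"
        if sig and "sha1" in sig.group(1).lower():
            findings.append("sha1-signature")
        nb = NB_RE.search(body)
        if nb is None:
            findings.append("unparsed-validity")  # never pass silently
        elif datetime.strptime(nb.group(1), "%b %d %H:%M:%S %Y") < reissue_cutoff:
            findings.append("not-reissued-since-cutoff")
        report[host.strip()] = findings
    return report

def share(report, finding):
    """Percentage of certificates carrying a given finding."""
    return 100.0 * sum(finding in f for f in report.values()) / len(report)

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings or ["ok"])
```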
The Verizon acquisition of Yahoo provides a perfect example of why companies – even those not in the technology industry – need to include cybersecurity due diligence as part of any merger and acquisition (M&A) activity. Any company that plans to acquire another must thoroughly assess the cybersecurity posture of the target company. Too much cyber risk can undermine the value of the deal and delay a proper return on investment.
Tom Kellermann, CEO of Strategic Cyber Ventures LLC, says that companies in M&A activities need to be proactive. “Given the tenacity of the criminals in cyberspace, investors must apply cyber risk to their calculus. Due diligence per mergers and acquisitions must incorporate an assessment of the overall cybersecurity health,” according to Kellermann.
As corporate boards get more deeply involved in understanding their own company’s cybersecurity posture, it stands to reason they would want to know similar information about an acquisition target. Thus, cybersecurity due diligence is quickly becoming part of standard best practices in M&A deals.
The Cybersecurity and the M&A Due Diligence Process report from NYSE Governance Services and Veracode points out: “Buying a company translates to buying data. And buying data means you are buying past, present, and future data security problems. The economic impact of a transaction can shift dramatically if, after the deal is consummated, past or ongoing data breaches come to light.”
The NYSE Governance Services/Veracode report includes survey information from 276 public company directors and officers: 85% of the respondents said the discovery of major vulnerabilities during the audit of an acquisition target’s software assets would “likely” or “very likely” affect their final decision to complete the deal; 22% of those surveyed said the occurrence of a high-profile data breach at an acquisition target would deter them entirely from completing the transaction; only 4% of the respondents said it’s not important to evaluate the quality and extent of intellectual property and technology as part of M&A due diligence.
Even if major cyber risks are not discovered during the due diligence process, two companies that have vastly different levels of cybersecurity maturity can have problems integrating their systems. Bringing the less mature company up to the standards of the more mature company can be complicated and expensive.
Outside cybersecurity attorneys and third-party forensic and technical advisors and consultants are becoming integral players in the M&A cyber risk due diligence process. Elaine Stanko, attorney with McNees Wallace & Nurick LLC, recommends that acquiring companies investigate the following at the acquisition target:
- The company’s privacy and data security policies, programs and procedures across all platforms, including mobile, cloud and web
- Audit and compliance records for all applicable industry and government regulations
- Information about all known breaches, even if they haven’t been made public
- Contracts with third-party vendors and any information pertaining to their cybersecurity risk postures
- Information about physical security of the computing infrastructure
- Identification of all critical or sensitive data, including protected classes of data, where it is located and how it is protected
- A review of the company’s social media presence and company policies on how employees use social media in an official capacity
To that list I’ll add one more aspect to investigate, and that’s the employee risk. Since many breaches are attributed to insiders, the acquiring company should look at employee cybersecurity training requirements and records.
These days, the fallout from cyber incidents can reach into the millions of dollars. It’s critical that an acquiring company understands what it’s getting when it absorbs another company.