Friday, Oct 07, 2016

Cyber Security Due Diligence in M&A Transactions – A Prerequisite

Overview:

What is a Cyber Security Due Diligence? The term has been defined as ‘the review of the governance, processes and controls that are used to secure information assets.’ It can be rightly said that when you buy a Company, you’re buying their data, and one could be buying their data-security problems. In other words, cyber risk should be considered right along with financial and legal due diligence considerations.

Cyber Security is one such aspect that has become extremely vital in today's business atmosphere. Cyber due diligence is a relatively new area of due diligence which has largely emerged as a result of technological advancements and increasing data and privacy threats. Almost all formal sectors today are dependent on technology, connectivity and digital networks to varying degrees. While sectors such as media, information, telecom, software and technology services are enabled by technology, various other sectors such as marketing, banking, education, transport and medical have grown exponentially by incorporating technology as a driver to increase their performance and efficiency.

Thus with the rapidly expanding mergers and acquisitions (“M&A”) environment, companies often overlook the finer aspects of due diligence in their fervor to complete the transaction. Thus, these overlooked aspects tend to be reasons behind deal failures. It is because companies underestimate the importance of thorough due diligence on the target and take several vital things for granted at the time of closing.

However, cyber due diligence remains an un-prioritized and often ignored area in most deals in India and other developing countries. This post seeks to shed light on the importance and scope of cyber due diligence in India by presenting the main risks and consequential impact on M&A deals in India. It also suggests certain strategies to mitigate cyber risks through a study of international best practices.

 

Risks Involved Due to a Lack of Cyber Security Due Diligence:

Regardless of the type of industry, when companies make an acquisition, they are essentially investing in the intellectual property and R&D of the proposed partner organization. Typically, there are few individuals at the buyer corporation who truly understand the network systems they’re about to purchase, which contain the valuable IP they’re acquiring. The integrity of this data must be assessed prior to the purchase – and the team assessing it must be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed, and proved secure.

Threats that arise out of cyber-attacks appear in several forms. Many such threats pose serious direct and indirect financial risks to companies, a pertinent example being how the emergence of ransomware has highlighted the ease with which cyber criminals can halt business operations for days or weeks at a time, resulting in unrecoverable loss of revenue. However, what are the initial threats that result in financial risks? These can broadly be divided into two major categories i.e. electronically stored information (ESI) data breaches and loss of deal value. ESI breach risks can be explained by further dividing them into intellectual property (IP) loss, reputation and brand impact, and remediation costs. Other hidden costs may include value of lost contracts, lost value of customer relationships and insurance premium increases.

Data Storage Breaches:

There are standard clauses in purchase agreements to protect the buyer, for good reason. Any litigation, workforce issues, violation of environmental regulations, and other negatives must be known and accounted for, in order for deals to make sense at the agreed-upon price. But cyber security risks are generally unaccounted for.

 The lack of focus on cybersecurity due diligence in Indian M&A transactions can lead to serious impacts on ESI and data that is stored on online databases such as the cloud. ESI refers to any data that is created, altered, communicated and stored in digital form. Examples of ESI could range from emails exchanged on the company’s servers to confidential information about the company’s IP and trade secrets. The two major ramifications that arise from an ESI breach are both immediate, such as a loss of IP and long term, such as a loss in brand and customer reputation.

Key cyber security risks that buyers can run into:

  • Ongoing Breach: Probably the worst-case scenario – the target company is “owned” by an unknown attacker: any sensitive data or intellectual property might already be gone, and a public relations problem is looming. Not only is the value of the acquisition damaged, but also now the buyer must deal with the fallout, which can be a very expensive undertaking.
  • Unrevealed Previous Breach: The target company suffered a breach in the past that is revealed to the buyer after the purchase. This is similar to the ongoing breach in that valuable data may have been lost, and the intruder could still be in the network.
  • Persistent Intruder: The target company is host to an attacker that maintains their presence in the environment, watching and waiting. Now the purchasing company might be hosting them as well.
  • Disruption Attacks: Is the target company vulnerable to such attacks? What is the threat landscape? Have there been denial of service (DoS) attacks in their past?
  • Dirty Environment: While not necessarily as dangerous as a targeted attack, an environment that shows significant amounts of common malware will need cleaning and improved protection and detection capabilities.
  • Inadequate Security Program: The acquired company has systemic cyber security issues stemming from a weak or nonexistent security program. Weak oversight and guidance will, over time, create vulnerabilities across many security areas that will take time to fix.

Loss of Confidential Intellectual Property:

Surprising as it may seem, despite its widespread ramifications, cases involving IP loss due to cyber-attacks have largely remained in the shadows. It is important to note, however, that IP theft has ramifications that could metastasize over months and years. The effect of an IP loss could include forfeiting the “first to market advantage, a loss in profitability, and in the worst case – losing entire lines of business to competitors or counterfeiters”. In almost all cases, the theft involves stealing of important corporate secrets such as trade secrets, proprietary business information and even merger plans rather than publicly available information such as patents and trademarks.

Loss of brand reputation:

An equally important risk that must be discussed is a company’s loss of reputation in the event of a data breach. The risk is greater for publicly traded companies since reputation and investor sentiment are key factors in determining the company’s share price on the market. Perhaps the greatest risk lies with companies that rely on user data such e-commerce companies or social media networks. In the contemporary digital age, the security of user’s personal information is closely entwined with the right to privacy and it is expected that every business organisation should recognize and protect these rights. This protection however, should not be limited only to users but also to business partners, employees and all other stakeholders. The protection of sensitive information is critical to an organization’s ability to conduct business. A reputation for strict focus on information security would not only make an organisation a trusted business partner, it could also result in a significantly higher price of acquisition by an acquiring company.

Role of Cyber Security Due Diligence in M&A Transactions:

The acquisition of one firm by another requires that the buyer determine the value of the target corporation. This necessarily includes an assessment of risk and compliance issues. The extent to which a target corporation has maintained a cybersecurity strategy, and has the requisite systems and processes in place, is a major risk and compliance consideration.

No buyer wants to acquire a business whose systems may be compromised, or whose system security has not been maintained to a high level. The issue is not just risk, but valuation as well. It follows that M&A due diligence in today’s digital environment necessarily involves inquiry into and assessment of the target corporation’s cybersecurity history, systems and processes.

Typically, the primary aim of due diligence over a target is to help the acquirer determine a fair price to pay for acquisition. The price so arrived at is inversely proportional to the quantum of risks uncovered.

The lack of cyber due diligence does not merely impact the pricing of the target company; it also has the potential to seriously hamper envisaged synergies at the post-merger integration stage. Integrating the electronic network and data of the target post - acquisition to the network of the acquiring company may be extremely problematic if the target’s network infrastructure is weak or flawed. These issues may dilute the benefits of other synergies by adding to further costs in building and revamping cyber infrastructure, often making the transaction counter-productive or resulting in failure.

Momentous Impact on M&A in the Indian Market:

The potential impact on Indian M&A looks grey given the substantial amount companies are spending in solving post data breach problems. Indian companies have especially faced the brunt of not incorporating cybersecurity checks into their due diligence process. A 2016 data breach study by the Ponemon Institute that focuses on the costs of data breaches in India, reveals some important and worrying numbers.

The average per capita cost of a data breach increased from Rs. 3,396 in 2015 to Rs. 3704 in 2016. The average total organizational cost of the data breach increased from Rs. 88.5 million in 2015 to Rs. 97.3 million. Further based on linear projection analysis forecast we estimate a rise in average total organizational cost of the data breach by 15% resulting in Rs. 112.2 million.

Malicious or criminal cyber-attacks resulted in a total cost of Rs. 4,596 million this year, system glitches cost Rs. 2953 million and negligence or human error cost Rs. 3,301 million. Financial institutions, services, industrial and technology companies are the industries with higher data breach costs. A cursory analysis of these figures reveals the loss an acquiring company may have to face due to lapses in the target company’s cybersecurity framework. All in all, none of the figures reveal a very promising picture for successful M&A deals in the Indian market and it is high time that cybersecurity due diligence took a major role in due diligence processes in Indian M&A transactions. 

Lessons to be learnt from International Best Practices:

In order to safeguard against cyber threats, malware and other data protection and security related problems, companies across the world have, in recent years started adopting certain mitigation practices. While conducting due diligence of the target company, a potential acquirer should check inter alia whether the following measures have been adopted and the extent of liability covered by them:

1. Cyber security insurance:

One of the best ways of mitigating risks associated with cyber security is to purchase cyber insurance for the organization. Typically, internet based risks, technology infrastructure and other data related risks are outside the ambit of traditional commercial insurance products. Hence, there is a need for a specialized product which can safeguard the organization against cyber risks. Cyber insurance offers several benefits; it provides inter alia first- party coverage against losses arising out of hacking, malware infection, theft/ destruction of confidential data, etc. in addition to other allied services

Such as timely security-audits, providing investigation services post cyber-attacks, etc. It also provides a unique funding mechanism, which helps businesses affected by cyber-attacks recuperate from major losses and resume day-to-day operations in a smooth manner.

Although cyber insurance is becoming the norm in most jurisdictions having a mature market, it is not the case in India as the market for cyber insurance products is not large as compared to other insurance products.

In the Indian market, only a handful of players such as HDFC Ergo, Tata AIG and ICICI Lombard offer cyber insurance services. However, due to the high premiums charged by these service providers, only a handful of large companies are able to afford them, leaving most of the small and medium sized businesses vulnerable to cyberattacks. Moreover, there is a general perception among Indian companies that such expenditures are unnecessary. This is the result of a lack of awareness and foresight which in the long run will prove catastrophic for technology dependent companies.

2. Security Program Assessment (SPA):

Evaluating digital resilience of the target company is a wise decision. Digital resilience is a highly valued intangible asset which is factored into the price of the transaction. A properly conducted SPA discloses a comprehensive report indicating all potential cyber risks which a company faces and also helps devising mitigation strategies. It also detects areas which need further protection. Having an updated SPA report at the time of acquisition increases the price of the target company as the risks faced by the acquirer are significantly lowered. In the present scenario, most companies in India do not undertake SPA, mainly due to lack of awareness of the risks they face and the benefits which they could gain from taking such measures.

Conclusion:

Written cybersecurity policies are useless unless they are successfully implemented. They need to meet the applicable standards, not only on paper, but in fact, and on an ongoing basis. Best of class cybersecurity strategies ensure that policies are implemented, and remain implemented, with compliance audits that are conducted on a regular basis. It is not uncommon to see requirements for compliance audits in cyber insurance policies. Nor is it uncommon to see them in vendors’ contracts, especially where the vendor’s product or service is critical to the purchaser’s business, or where the vendor has access to the purchaser’s servers or communication systems.

It is high time that Indian companies woke up to realize the importance of cyber due diligence as it is estimated a rise in average total organizational cost of the data breach by Rs. 112.2 million. Given the increasing trend of multi-sectoral M&A activity, Indian companies would do well to follow the norms of matured markets and adopt precautionary and risk mitigating strategies to protect their organization’s data from cyber threats and hackers.

Thus, with the market opening for more and more M&A transactions it is the need of the hour that Indian Companies realize the need of Cyber Security Due Diligence and how well the Industry players in the field of Due Diligence Services can help the Indian Companies to cover Cyber Security in the Due Diligence process.

For more detail:

Download:

Acquisory News Chronicle - September 2016