Overview:
What is Cyber Security Due Diligence? The term has been defined as 'the review of the governance, processes and controls that are used to secure information assets.' It can rightly be said that when you buy a company, you are buying its data, and you may well be buying its data-security problems along with it. In other words, cyber risk should be considered alongside financial and legal due diligence.
Cyber security has become a vital aspect of today's business environment. Cyber due diligence is a relatively new area of due diligence that has emerged largely as a result of technological advancement and the growth of data and privacy threats. Almost all formal sectors today depend on technology, connectivity and digital networks to varying degrees. Sectors such as media, information, telecom, software and technology services are enabled by technology, while sectors such as marketing, banking, education, transport and medicine have grown substantially by adopting technology as a driver of performance and efficiency.
In a rapidly expanding mergers and acquisitions ("M&A") environment, companies often overlook the finer aspects of due diligence in their eagerness to complete the transaction. These overlooked aspects are frequently the reasons behind deal failures: companies underestimate the importance of thorough due diligence on the target and take several vital matters for granted at closing.
However, cyber due diligence remains an unprioritized and often ignored area in most deals in India and other developing countries. This post seeks to shed light on the importance and scope of cyber due diligence in India by presenting the main risks and their impact on Indian M&A deals. It also suggests strategies to mitigate cyber risk, drawn from a study of international best practices.
Risks Involved Due to a Lack of
Cyber Security Due Diligence:
Regardless of industry, when a company makes an acquisition it is essentially investing in the intellectual property and R&D of the target organization. Typically, few individuals at the buyer truly understand the network and systems they are about to purchase, even though those systems hold the valuable IP being acquired. The integrity of this data and of the systems holding it must be assessed before purchase, and the team assessing it must apply enough scrutiny that every area is evaluated, weaknesses are diagnosed, and the security posture is verified against an agreed baseline rather than assumed.
Threats arising from cyber-attacks take several forms. Many pose serious direct and indirect financial risk to companies; a pertinent example is ransomware, which has shown how easily criminals can halt business operations for days or weeks at a time, resulting in unrecoverable loss of revenue. But what are the underlying threats that produce these financial risks? They can broadly be divided into two categories: breaches of electronically stored information (ESI) and loss of deal value. ESI breach risks can be further divided into intellectual property (IP) loss, reputation and brand impact, and remediation costs. Other hidden costs may include the value of lost contracts, the lost value of customer relationships and increases in insurance premiums.
Data Storage Breaches:
Purchase agreements contain standard clauses to protect the buyer, for good reason. Any litigation, workforce issues, violations of environmental regulations and other negatives must be known and accounted for if the deal is to make sense at the agreed price. Cyber security risks, however, are generally left unaccounted for.
The lack of focus on cyber security due diligence in Indian M&A transactions can have serious consequences for ESI, including data held in cloud services and other online storage. ESI refers to any data that is created, altered, communicated or stored in digital form. Examples range from emails exchanged on the company's servers to confidential information about the company's IP and trade secrets. An ESI breach has two major ramifications: an immediate one, such as loss of IP, and a long-term one, such as loss of brand and customer reputation.
Key cyber security risks that
buyers can run into:
- Ongoing Breach: Probably the worst-case scenario: the target company is "owned" by an unknown attacker. Any sensitive data or intellectual property might already be gone, and a public relations problem is looming. Not only is the value of the acquisition damaged, but the buyer must now deal with the fallout, which can be a very expensive undertaking.
- Unrevealed Previous Breach: The target company suffered a breach in the past that is revealed to the buyer only after the purchase. This is similar to the ongoing breach in that valuable data may already have been lost, and the intruder could still be in the network.
- Persistent Intruder: The target company is host to an attacker who maintains a presence in the environment, watching and waiting. Once networks are integrated, the purchasing company may be hosting that attacker as well.
- Disruption Attacks: Is the target company vulnerable to such attacks? What is its threat landscape? Has it suffered denial of service (DoS) attacks in the past?
- Dirty Environment: While not necessarily as dangerous as a targeted attack, an environment showing significant amounts of commodity malware will need cleaning, along with improved protection and detection capabilities.
- Inadequate Security Program: The acquired company has systemic cyber security issues stemming from a weak or nonexistent security program. Weak oversight and guidance create, over time, vulnerabilities across many security areas that will take time to fix.
Loss of Confidential
Intellectual Property:
Surprising as it may seem, despite their widespread ramifications, cases of IP loss due to cyber-attacks have largely remained in the shadows. It is important to note, however, that IP theft has ramifications that can metastasize over months and years. The effect of an IP loss can include forfeiting the "first to market advantage, a loss in profitability, and in the worst case, losing entire lines of business to competitors or counterfeiters". In almost all cases the theft involves corporate secrets such as trade secrets, proprietary business information and even merger plans, rather than publicly available information such as patents and trademarks.
Loss of brand reputation:
An equally important risk is a company's loss of reputation in the event of a data breach. The risk is greater for publicly traded companies, since reputation and investor sentiment are key factors in determining the company's share price. Perhaps the greatest risk lies with companies that rely on user data, such as e-commerce companies or social media networks. In the contemporary digital age, the security of users' personal information is closely entwined with the right to privacy, and every business organisation is expected to recognize and protect these rights. This protection should not be limited to users but should extend to business partners, employees and all other stakeholders. The protection of sensitive information is critical to an organization's ability to conduct business. A reputation for a strict focus on information security not only makes an organisation a trusted business partner; it can also result in a significantly higher acquisition price from an acquiring company.
Role of Cyber Security Due
Diligence in M&A Transactions:
The acquisition of one firm by
another requires that the buyer determine the value of the target corporation.
This necessarily includes an assessment of risk and compliance issues. The
extent to which a target corporation has maintained a cybersecurity strategy,
and has the requisite systems and processes in place, is a major risk and
compliance consideration.
No buyer wants to acquire a business whose systems may be compromised, or whose system security has not been maintained to a high standard. The issue is not just risk but valuation as well. It follows that M&A due diligence in today's digital environment necessarily involves inquiry into, and assessment of, the target corporation's cyber security history, systems and processes.
Typically, the primary aim of due diligence on a target is to help the acquirer determine a fair price to pay for the acquisition. The price so arrived at is discounted according to the quantum of risk uncovered: the more risk, the lower the price.
The lack of cyber due diligence does not merely affect the pricing of the target company; it also has the potential to seriously hamper the envisaged synergies at the post-merger integration stage. Integrating the target's network and data into the acquirer's network post-acquisition may be extremely problematic if the target's network infrastructure is weak or flawed. These issues can dilute the benefits of other synergies by adding the cost of building and revamping cyber infrastructure, often making the transaction counter-productive or causing it to fail.
Momentous Impact on M&A in
the Indian Market:
The potential impact on Indian M&A looks bleak given the substantial amounts companies are spending on problems that surface after a data breach. Indian companies have especially borne the brunt of not incorporating cyber security checks into their due diligence process. The 2016 Ponemon Institute study of the cost of data breaches in India reveals some important and worrying numbers.
The average per capita cost of a data breach (the cost per compromised record) increased from Rs. 3,396 in 2015 to Rs. 3,704 in 2016. The average total organizational cost of a data breach increased from Rs. 88.5 million in 2015 to Rs. 97.3 million in 2016. Based on a linear projection, the study forecasts a further rise of 15% in average total organizational cost, to Rs. 112.2 million.
In 2016, malicious or criminal cyber-attacks resulted in a total cost of Rs. 4,596 million, system glitches cost Rs. 2,953 million and negligence or human error cost Rs. 3,301 million. Financial institutions, services, industrial and technology companies are the industries with the highest data breach costs. Even a cursory analysis of these figures shows the loss an acquiring company may have to bear because of lapses in the target company's cyber security framework. All in all, none of the figures paint a promising picture for successful M&A deals in the Indian market, and it is high time that cyber security due diligence took a major role in the due diligence process for Indian M&A transactions.
Lessons to be learnt from
International Best Practices:
In order to safeguard against cyber threats, malware and other data protection and security problems, companies across the world have in recent years started adopting certain mitigation practices. While conducting due diligence on the target company, a potential acquirer should check, inter alia, whether the following measures have been adopted and the extent of the liability they cover:
1. Cyber security
insurance:
One of the best ways of mitigating risks associated with cyber security is to purchase cyber insurance for the organization. Internet-based risks, technology infrastructure and other data-related risks typically fall outside the ambit of traditional commercial insurance products, so a specialized product is needed to safeguard the organization against cyber risks. Cyber insurance offers several benefits: it provides, inter alia, first-party coverage against losses arising from hacking, malware infection, theft or destruction of confidential data and the like, in addition to allied services such as timely security audits and post-attack investigation services. It also provides a funding mechanism that helps businesses affected by cyber-attacks recover from major losses and resume day-to-day operations smoothly.
Although cyber insurance is becoming the norm in most jurisdictions with a mature market, this is not the case in India, where the market for cyber insurance products remains small compared with other insurance products.
In the Indian market, only a handful of players such as HDFC Ergo, Tata AIG and ICICI Lombard offer cyber insurance. Because of the high premiums charged, only a handful of large companies can afford it, leaving most small and medium-sized businesses exposed to cyber-attacks. Moreover, there is a general perception among Indian companies that such expenditure is unnecessary. This reflects a lack of awareness and foresight which, in the long run, will prove catastrophic for technology-dependent companies.
2. Security Program Assessment
(SPA):
Evaluating the digital resilience of the target company is a wise decision. Digital resilience is a highly valued intangible asset that is factored into the price of the transaction. A properly conducted SPA produces a comprehensive report identifying the cyber risks the company faces, the areas that need further protection, and mitigation strategies for each. An up-to-date SPA report at the time of acquisition supports a higher price for the target because it reduces the acquirer's uncertainty about the risks it is taking on; note that the report documents risk, it does not remove it, so findings still need to be remediated or priced in. At present, most companies in India do not undertake an SPA, mainly because they are unaware of the risks they face and the benefits such measures would bring.
Conclusion:
Written cyber security policies are useless unless they are actually implemented. They need to meet the applicable standards not only on paper but in fact, and on an ongoing basis. Best-in-class cyber security strategies ensure that policies are implemented, and remain implemented, through compliance audits conducted on a regular basis. Requirements for such audits are common in cyber insurance policies. They are also common in vendor contracts, especially where the vendor's product or service is critical to the purchaser's business, or where the vendor has access to the purchaser's servers or communication systems.
It is high time that Indian companies woke up to the importance of cyber due diligence, given that the average total organizational cost of a data breach is projected to rise to Rs. 112.2 million. With the increasing trend of multi-sectoral M&A activity, Indian companies would do well to follow the norms of mature markets and adopt precautionary and risk-mitigating strategies to protect their organization's data from cyber threats.
Thus, as the market opens to more and more M&A transactions, it is essential that Indian companies recognize the need for cyber security due diligence and understand how due diligence service providers can help them cover cyber security as part of the due diligence process.