  • Robert Stines

Cybersecurity Checklist in Mergers and Acquisitions

For those that work in mergers and acquisitions (M&A), cybersecurity should be top of mind. Here are a couple of scenarios to consider and a checklist.

Scenario A - Insider Trading and Unfair Competition

A pending M&A deal may impact the stock market. This is why insider trading is such a concern. If someone can bet on the market before the news breaks, that person will rake in a hefty sum of money. If someone (say a hacker) can infiltrate, monitor, and observe negotiations between companies, that person could sell the information to traders. Or, that information might be valuable to competitors looking to undercut the purchase price.

The parties involved in the transaction have to ensure that their communications and negotiations are kept secret.

Scenario B - Onboarding Insecure Systems

Those paying attention to the Marriott Data Breach that occurred in 2018 should know that the breach actually occurred 4 years earlier. Based on news reports, the breach occurred at Starwood in 2014. Then, in 2016, Marriott purchased Starwood. It was through Starwood's compromised IT system that Marriott's customers were then exposed.

I don't know if Marriott conducted a cybersecurity investigation of Starwood before the purchase, but after this experience, every company should understand the risk of not performing one.

A Checklist

So, with these two scenarios in mind, what should you be thinking about when contemplating an M&A deal? Here's a checklist:

  • Any security breaches. If the target company has been the victim of a security breach, what did the target company do for remediation? Even after a cyber incident is over and systems are back online, the malware could still be lingering in the target company's IT systems.

  • Copies of privacy and data security policies and procedures. Does the target company have any policies and procedures in place? If they don't, then that might be an indication that their data security and privacy is below standard requirements.

  • Privacy and cybersecurity audits. Has the target company conducted any audits? If not, the acquiring company may need to conduct one.

  • Training of employees on privacy and cybersecurity compliance. Employees are the number one risk for cyber incidents. All it takes is one employee to click on a malicious link in a phishing email. It is a red flag if the employees have not been trained on privacy and cybersecurity compliance.

  • Vendor privacy and data security. Has the target company developed a questionnaire for vendors to ensure that vendors have adequate cyber and privacy policies? The acquiring company should request copies of all contracts with vendors to determine if the vendor is required to comply with privacy, data protection and other applicable laws. Also, is the vendor contractually obligated to indemnify the target company in the event of a cyber incident?

  • Cybersecurity insurance policies. Does the target company have a cybersecurity insurance policy in place and is it a "claims made" or "occurrence policy"? If the acquiring company "buys" a data breach (like Marriott), it would be nice to know if the target company's insurance carrier will cover the incident.


Cyber and data security permeate many aspects of business operations, including mergers and acquisitions. In the cyber age, due diligence should include a "cyber checkup."

Don't buy a cyber incident.


~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP

