You know a practice area has made it when it is on a standard due diligence checklist. Cybersecurity has made it. Ten years ago, it was a rare attorney who focused on data privacy and protection. Now it is standard practice to review network logs, or at least the most recent security audit of a target company, to ask searching questions of the CIO, to review documentation from prior breach investigations and, generally, to understand the target's data architecture.
The primary fear remains the dreaded unrecognized breach. Indeed, the Yahoo-Verizon deal may be dead because of such a breach, and if not, current reports indicate that Verizon is asking for as much as a $1 billion discount. Ideally, the diligence process would ferret out a large breach, but as the Verizon-Yahoo incident makes clear, this is not always the case. It is no secret that detecting a breach can be challenging – sometimes more so than preventing one – and there is no silver bullet. But beyond breach detection, cybersecurity is changing deals and altering target parameters in a number of ways.
There are a lot of certifications out there. Some, however, shorten the diligence process considerably. These certifications and attestation reports typically involve periodic audits by independent third parties and require rigorous, documented risk assessment and management processes. ISO/IEC 27001 certification and SOC 1 and SOC 2 reports are the usual examples of third-party confirmation that a target company's security program is in keeping with current practice. They are not interchangeable, however. ISO/IEC 27001 certifies that an information security management system meets the standard; a SOC 1 report covers controls relevant to a customer's financial reporting; a SOC 2 report covers controls measured against the trust services criteria (security, availability, processing integrity, confidentiality and privacy), and only a Type II report attests that those controls operated effectively over a period rather than merely being suitably designed at a point in time. While none of these offers a guarantee against a breach, they confirm that the entity has considered data protection, defined the scope of its controls and conducted a reasonably sophisticated risk assessment, which makes the target more attractive to potential buyers and shortens the diligence process. A buyer should still read the scope statement and the auditor's noted exceptions, since a clean report on a narrowly scoped system says little about the rest of the business.
System integration remains a blind spot for companies during the negotiation phase. The merging of two IT systems is almost invariably messy. The number of administrators and privileged accounts doubles as a general rule, trust relationships and network connections are established between two environments that were never designed to share them, and it is not always clear which systems will be retained in the long run. There may be conflict among IT professionals from the two companies and strong opinions regarding the merits of particular systems and software. At the same time, leadership is understandably focused on the deal, on the value to shareholders and on "getting over the finish line." Sophisticated cybercriminals thrive in this sort of environment, and weaknesses can go undetected for a very long time.
The General Data Protection Regulation (GDPR) takes effect in May 2018. This regulation is poised to fundamentally alter the risk calculus for data controllers and data processors, and not only those established in Europe: it reaches any organization that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. The reason is the fines authorized under the GDPR; they are enormous. Fines for the most serious violations can reach €20 million or 4% of worldwide annual turnover, whichever is higher. The GDPR also requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. Therefore, European executives in particular will be focused on full compliance and will wish to avoid having to make such a report at all. The dramatic increase in potential penalties in Europe will inevitably lead to increased pre-merger scrutiny of the processes and controls in place at target companies. Already, data controllers that will be governed by the GDPR are insisting on heightened security standards from contractual counterparties, because the regulation holds them responsible for the processors they engage. This trend will only continue, and it is highly likely that there will be increased scrutiny not only of merger targets, but also of vendors and other third parties providing services to merger targets, to ensure compliance. In short, the emphasis on cybersecurity in cross-border deals with EU counterparties is poised to increase markedly in the coming years.
Put simply, mergers usually make organizations more vulnerable in the short term. After a merger, significant data security challenges remain. These should be addressed at the outset, and a clear plan should be negotiated by counsel with input from IT stakeholders at both companies so that integration happens as smoothly and quickly as possible.
Christian Auty is a Principal in the Health Care Law practice group at Chicago-based law firm Much Shelist. He has an established reputation as a strong client advocate and is well versed in issues that arise at the intersection of law and technology. Christian can be reached at (312) 521-2473 or firstname.lastname@example.org.