The number of M&A transactions in 2015 has hit record highs, with volumes expected to increase by 11% from 2014, according to Bloomberg. Indeed, one of the hottest areas for M&A activity has been cybersecurity companies, with deals including AVG Technologies’ acquisition of Privax and Blue Coat Systems’ acquisition of Perspecsys.
Cybersecurity is one of the top five business risks identified by major corporates, particularly those in retail, health, and technology. Every day, we read of a new data breach somewhere in the world.
In this environment, one would assume that buyers would undertake detailed cyber due diligence as a matter of course. However, this does not seem to be the case. Certainly, a survey on cybersecurity in M&A carried out by Freshfields in 2014 indicated that 78% of respondents thought that cybersecurity was not analysed in any detail in their deals. This is despite the same respondents indicating that cybersecurity deficiencies could derail a deal or adversely affect value.
Our experience is not dissimilar. Cybersecurity due diligence tends to be undertaken by the in-house IT team of a buyer, if at all. The scope and scale of the due diligence tends to be cursory and high level. The representations and warranties in transaction documents covering cybersecurity tend to be relatively high level and have, until recently, tended to relate to past events – has the target suffered a data breach that has been notified to a regulator or to customers? They may go as far as asking for a warranty that the target has implemented reasonable cybersecurity systems, processes and procedures having regard to the industry that it is in. In very few cases, some sellers may be required to warrant the likelihood of data breaches occurring after completion (or recurring, if historic breaches have been disclosed) – but this seems to be the exception rather than the rule.
The question is whether or not this is adequate in the current digital environment. Would directors of the acquirer be derelict in their duties if their company did no, or only limited, cyber due diligence? Could an acquiring company afford not to undertake cyber due diligence if the target controls or processes valuable data? What would the consequences be if adequate due diligence had not been undertaken prior to the acquisition?
We know that the occurrence of a cybersecurity breach in the lead-up to an acquisition is not unusual. In a well-known incident in January 2015, Australian incumbent Telstra discovered, after completing its acquisition of pan-Asian network provider PacNet, that sometime after signature but before completion, PacNet’s corporate IT systems had been compromised, meaning it was likely customer information had been stolen. To its credit, Telstra notified affected customers of the likely compromise as soon as it became aware of the incident, so that they could take steps to protect themselves.
Of course, there are situations in which it is difficult to carry out cyber due diligence, particularly in a hostile or a competitive sale process. But in many cases, acquirers are simply not taking enough steps to understand the cybersecurity risks facing their targets, and how they might address cybersecurity issues post-acquisition.
Why might cybersecurity not be prioritised in a transaction?
A study carried out in 2014 by NERA Economic Consulting found that cyber incidents do not appear to impact share prices significantly in the medium to long term. And even where there is a drop, it often does not take long for the share price to recover. The table on page 40 illustrates this.
Whether this trend will continue remains to be seen. But it certainly appears that in recent history, the correlation between a cybersecurity incident and the share price is weak, at least in relation to listed companies for which the data is readily available.
Looking at some recent data, the share price of TalkTalk fell dramatically after the data breach announced on 22 October, and has since been very volatile. The fact that this was TalkTalk’s third data breach in 2015 may have been a contributing factor. It is true that there seemed to be little effect on TalkTalk’s share price in the months following the previous two data breaches, in February and August.
THE SEVEN PILLARS OF CYBER RESILIENCE
- Ensure that your governance bodies have taken the proper steps to ensure that the organisation is cyber-resilient and to protect it against cyber-risks and threats.
- Know the data you hold, the value of that data, and how well it is being protected.
- Review and test the adequacy of your cyber-resilience processes, procedures and systems.
- Identify areas of weakness and improve your cyber-resilience processes, procedures and systems.
- Take steps to ensure that your organisation actually implements the processes and procedures which have been established and improved.
- Activate incident management plans immediately to address the situation.
- Have plans and mechanisms in place to recover as swiftly as possible from a cybersecurity incident and to draw key learnings from the incident.
What is the value of Cyber Due Diligence?
A good cyber due diligence report will take a holistic view (using, for example, our 7 Pillars methodology below) of the target’s cyber-resilience posture. This is important because cyber-resilience is not just an IT issue, it is a business and a risk issue. The fact that an organisation treats cyber-resilience just as an IT issue will tell you something significant about its level of maturity. In our view, a good cyber due diligence investigation should be carried out by business, legal and technical advisers, to obtain a holistic view of the target’s overall cyber-resilience.
Broadly speaking, a cyber due diligence should determine whether the target has inadequate cyber-resilience protections. If the protections are inadequate, it follows that there will be a reasonable likelihood that the target’s systems may have been or will shortly be compromised. This is important because:
- it allows the buyer to determine whether the valuation needs to be discounted for this risk. If, for example, the target is an intellectual property-rich company, and it is the intellectual property that is valuable, then one must consider the possibility that the intellectual property has been stolen, meaning that the target’s exclusivity or trade secrets may have been compromised;
- if the target processes credit card transactions and is not PCI-DSS compliant, then a buyer must factor in the possibility of significant fines from the card schemes, the risk of investigations and audits, and possibly a loss of the ability to process card payments until the situation is rectified;
- a buyer may also need to value the regulatory risk, customer compensation costs and the cost of remediation should there have been a data breach; and
- at the very least, the buyer knows it must prioritise a full and detailed cyber-resilience review and improvement program post-acquisition, and should perhaps discount the purchase price or obtain indemnities for the cost of doing so.
If, however, cyber due diligence indicates that the target has taken reasonable and industry standard steps to ensure that it is cyber-resilient, and there are no warning signs that would indicate that the target may have been compromised, then the buyer can be confident that there is no need to adjust valuations and can instead focus on normal integration post-acquisition. In this instance, there is no necessary rush to carry out a full and detailed cyber-resilience review and improvement program. Of course, a buyer must recognise that a clean cyber due diligence report cannot guarantee that the target’s systems have not been compromised, so it is helpful to have a contingency plan in place.
A good cyber due diligence report will also enable the buyer to make decisions (and potentially gain leverage) in relation to:
- seeking and obtaining appropriate warranties as to the target’s level of cyber-resilience;
- obtaining a specific cybersecurity indemnity that sits outside the normal baskets and limits and covers the costs of investigation, remediation, regulatory action and customer compensation, should there be a cyber incident that has its origins in an act or omission of the target before completion;
- whether or not the occurrence of a cyber incident between signing and completion should be a material adverse change, entitling you to terminate the sale agreement, should you be undertaking a split signing and completion; and
- obtaining a warranty and indemnity (W&I) insurance policy, should the acquiring company or vendor be seeking to obtain one, as it is becoming increasingly difficult for underwriters to cover broad cyber-warranties that may extend to the adequacy or sufficiency of systems in place or indeed to future breaches, without an appropriate cyber due diligence exercise.
The latter point is of particular interest. Underwriters may not have had particular issues with covering warranties in M&A transactions that referred only to historic breaches. But as Andrew Graham, Vice-President of the International Mergers and Acquisition Division at Allied World Assurance Company informed the present authors:
“We do not see a great deal of specific due diligence done in cybersecurity at present. I wonder whether this is because not all law firms have the necessary expertise to advise appropriately on cybersecurity issues. From an underwriter’s perspective on W&I deals, as warranty protection around cybersecurity increases, we may find ourselves in the position, on certain deals, that we will need to see targeted and appropriate due diligence undertaken by the insured so that we can adequately wrap up such risk within the scope of the W&I policy.”
Why should cyber due diligence be a focus in telecoms M&A?
Telecoms companies are not immune from cybersecurity issues. On the contrary, they are perhaps more vulnerable to cyber-related threats, as the TalkTalk incident shows. Perhaps more importantly, telecoms companies are, in many cases, subject to a higher level of scrutiny by regulators due to their unique position of operating the networks and services over which a large proportion of internet data flows.
In Europe, providers of electronic communications services are typically required to ensure that their services are secure (see EU Directive 2002/58/EC). They must also inform their national regulatory authority of any personal data breach within 24 hours and, if the personal data or privacy of a user is likely to be harmed, that user must also be informed unless specifically identified technological measures have been taken to protect the data. Many communications providers are also required to retain data relating to communications over their networks (although the extent to which this is required differs from country to country after a series of judicial challenges to data retention laws). Requirements to cooperate with law enforcement authorities can often mean that telecoms companies have access to particularly sensitive stores of data that may include telephone recordings, email records and details of other internet communications and web traffic. But they must still comply with their data protection and privacy obligations in respect of the data they handle.
For these reasons, there may be greater regulatory consequences in the event that a telecoms industry target is affected by a cybersecurity breach, and there will ordinarily need to be a high degree of maturity in terms of the target’s cyber-resilience.
Cyber threats are here to stay. Organisations need to be vigilant in ensuring that they are cyber-resilient and to take appropriate steps to do so. They must do so within their own business operations, and also in relation to businesses they acquire. Forewarned is, in the cyber world, forearmed. And it is crucial to be forearmed in telecoms M&A.