Cyber security due diligence in M&A transactions

The Importance of cyber due diligence

Data breaches, ransomware attacks and other cyber security incidents are becoming increasingly common.  The potential losses resulting from a cyber incidents are wide ranging, including: economic losses (including interruption to business), internal costs (such as the time spent on identifying and managing the fall-out incident), external costs (such as legal or PR advice), regulatory fines, damages awarded in civil actions and reputational damage.

Cyber security due diligence (“Cyber Diligence”) is becoming an increasingly important in M&A transactions.  In 2020, the ICO imposed a £18.4m fine on Marriott International Inc (“Marriott”) for a personal data breach resulting from a large-scale cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc (“Starwood”).  The attack occurred before Marriott had acquired Starwood and went undetected until September 2018.  This is a cautionary tale on the high level of fines the ICO is willing to impose, and the potential consequences of a data breach falling undetected during the due diligence process.

The results from Cyber Diligence can reveal deal breakers or deal changers for the buyer, including price adjustment and changes to contractual terms.

Types of Cyber due diligence

The buyer’s approach to Cyber Diligence should be tailored to the target and there are a number of different types and levels of due diligence that a buyer can conduct. Different businesses will be subject to differen vulnerabilities and threats, and, while some transactions may only require a high-level Cyber Diligence, others may call for a more thorough examination.  An assessment of the vulnerability level should be based on:

• the nature of the data being handled or held by the target, for example whether it holds a large amount of sensitive or personal data or valuable intellectual property;
• the likely affect any loss or breach in respect of this data would have on the business;
• the nature of the target’s data protection systems and processes; and
• the target’s history of cyber-attacks and data breaches.

Examples of these cyber diligence exercises include:

Information assets

A comprehensive understanding of the data assets held by the target, including their nature, value to the target, the manner in which they are held, where they are held, the contractual terms on which they are held, transferred to any third parties and how they are protected, is essential.

Risk assessments and security audits

The buyer may wish to review the target’s own historic security audits or may conduct their own if the Target has not conducted any.

Regulatory compliance

Enquiries should be made to ensure that the target meets all of the relevant legal and regulatory standards and practices in the jurisdictions in which it operates.

Breach experience and recovery plans

An assessment of historic breaches of data security suffered by the target should be made, considering:

• the nature of the breaches (for example whether triggered by internal or external factors);
• the effect of those breaches on the company (these could extend beyond the immediate loss of data to include both financial and reputational loss);
• the target’s immediate response to those breaches (including time taken to discover the breach, level of reporting and remedial measures); and
• what, if any, steps were taken following the breach to ensure that similar attacks are prevented.

Third-party risk

If the target’s business relies on third parties in its supply chain to process, hold, transfer or otherwise manage information assets, it is important to review the contracts under which these arrangements are governed.

Employee risk

The purchaser should assess the target’s internal processes to ensure that employees and senior management understand the business’ cybersecurity risks and policies.

Using the results from Cyber Diligence in negotiations

Assuming that the risks identified are not so significant as to terminate the deal, it may be necessary to negotiate a lower purchase price and/or consider the inclusion of specific terms in the purchase contract in response to the discovered issues such as warranties and indemnities, as considered below.

Warranties

These terms entitle the buyer to damages if a breach occurs, provided that they can demonstrate loss.

No security incidents

This is a warranty that the target has not suffered any cybersecurity incidents within a certain period prior to the date of the agreement.

Downtime

This is a warranty that the target has not suffered more than a certain number of incidents of systems downtimes (for example, that it has suffered no more than two incidents lasting for four-hour periods during the two years prior to the date of the agreement).

Third party data-sharing agreements

Warranties should be included in respect of any arrangement by which data is shared, managed, retained or otherwise handled by a third party.

Compliance with laws

These warranties should consider both compliance with laws and regulations (with specific reference to applicable data security legislation in the relevant jurisdiction included) and the target’s data security policies. The seller should also warrant that it is not subject to any regulatory investigations nor is it reasonably likely to be so.

Specific indemnities

If particular problems are discovered which need to be remedied, a specific indemnity may be appropriate. Indemnities entitle the buyer to be reimbursed for a specific loss on a pound for pound basis, without having to prove a breach of contract.  The terms of the indemnity (and, in particular, any financial caps) will depend on the nature of the issue.

How we can help – Speak to our Corporate & Commercial Specialists

If you are considering the acquisition of a business, we can assist you with every stage including due diligence, and can put you in touch with a Cyber Diligence specialist if required. If you would like advice, or to discuss your requirements in more details then please contact us on 0330 175 7608 or email enquiries@ibblaw.co.uk. Alternatively, contact us via the enquiry form at the top of our Corporate and Commercial page.