Law360 (October 13, 2020, 5:23 PM EDT) --
The average total cost of a data breach has gone up by 10% since 2014. Even if a high-profile data breach does not result in the termination of a transaction, over half (52%) of public company directors and officers asserted that a target company's valuation would be significantly lowered, and 75% of those surveyed said that a high-profile data breach at a target company would have serious implications on the pending transaction.
In light of the additional risks resulting from COVID-19 shutdowns and remote working, having a comprehensive understanding of a target company's cybersecurity risk profile early in the deal process is crucial today. Below are several approaches that businesses can take to understand cybersecurity risks tied to M&A due diligence, including some strategies that can be implemented to proactively identify and remediate breaches.
1. If the target company is publicly held, review cybersecurity-related disclosures.
If a prospective target company is publicly traded, would-be purchasers have an opportunity to identify and begin to assess the company's cybersecurity risks and past incidents. In 2018, the U.S. Securities and Exchange Commission provided guidance to public companies, stating that:
it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
Similar reporting obligations can be found in the U.K., Germany, Japan, Australia and South Africa.
The information contained in cybersecurity risk factors in periodic and current reports, and in disclosures regarding board and executive cybersecurity oversight in annual proxy statements, can shed light on existing cybersecurity practices, the types and extent of risks a company is exposed to, as well as cybersecurity incidents that the company experienced in the applicable filing period, among other things.
To illustrate this, we recently conducted a study encompassing the review and analysis of annual reports on Form 10-K filed by companies in the Fortune 100 on EDGAR for each company's most recent fiscal year ending in 2019 or 2020. We determined: (1) the prevalence of cybersecurity incidents disclosed in risk factors; (2) the types of cybersecurity incidents disclosed; (3) whether those incidents rose to a significant or material level; and (4) whether insurance was mentioned in connection with cybersecurity, as well as the type.
All of the 95 companies whose filings were reviewed included one or more cybersecurity-related risk factors in their annual reports. Of the 95 companies, 48, or 51%, reported that cybersecurity incidents had occurred.
With the additional cybersecurity risks resulting from remote working, it is possible that even more cybersecurity incidents will be disclosed in future filings, with both more companies being affected by such incidents, as well as increases in the number of attacks.
2. Review past cybersecurity incidents.
It is also crucial for due diligence teams to thoroughly investigate the scope and severity of past cybersecurity incidents, in order to determine whether a target company has adequately remediated those incidents and whether it appears to be adequately prepared to face potential future incidents.
In our study, out of the 48 companies that disclosed cybersecurity incidents, 28 of them (58%) stated that the impact of such incidents was deemed by the relevant company to be not material, i.e., the incident did not have a material adverse effect on the company, and/or the impact of the event(s) was not material.
The labeling of cybersecurity incidents as not material, should, however, be treated with caution. Additional investigation may still be warranted, as evidenced by a number of notable examples. Identifying the scope of a cybersecurity incident, the severity of the incident, and whether a breach is ongoing, all present unique challenges, as those answers may change based on the availability of new information or gaps therein.
With the average time to identify and contain a data breach in 2019 at 280 days, it is entirely plausible that at the time of disclosure, the full extent of a breach or other incident may not yet be completely appreciated. Developing an understanding of the target company's experience with cybersecurity incidents can help purchasers assess whether the company's remediation efforts and insurance coverage, if applicable, are effective and align with its response plan(s).
3. Determine whether the target company has cyberinsurance and other protocols regarding cybersecurity protection.
To build a complete picture of the efficacy of a target company's protocols to protect itself from cyberattacks, it is also important to consider the availability of cyberinsurance, employee training programs, information from cybersecurity assessments or audits, and security automation. Information about insurance to protect against losses arising from cybersecurity incidents may be located in public company filings, and policies themselves should be reviewed during due diligence.
In the 95 filings reviewed, we found that 27 companies (28%) mentioned having some form of insurance relating to cybersecurity incidents.
Of those companies, 10 referred to insurance specifically for the cyberrisk insurance purpose, while the remaining 17 companies did not specify whether the insurance was separate from their business interruption or other insurance policies.
While relatively new, the global cyberinsurance market value is expected to grow to $15 billion by 2022 from about $6 billion a year, and with rising costs of cybersecurity incidents, ensuring that a potential target company has insurance coverage in place to manage these risks is important. It has been shown that insurance coverage for cybersecurity-related events is a mitigating factor in connection with the total average cost of a data breach.
A robust cybersecurity due diligence review should also include assessments of a target company's cybersecurity employee education and training programs.
Another study by IBM and Morning Consult found that 53% of American adults working from home due to the current pandemic are using their personal laptops for work — and 61% lacked employer-provided tools to secure those devices. The lack of training and means to ensure that devices used in remote work are secure, leaves businesses more vulnerable to more severe cyberattacks.
Other factors that should be considered include results of past cybersecurity simulations and audits. The reports from those assessments may provide an indication of where weaknesses in a target company's cybersecurity program may exist, and where additional protective measures, and thus spending, are needed.
In addition to that, reviews of the target company's access controls, crisis management or incident response plans, cybersecurity budget, and, if applicable, automation programs, should be undertaken.
Having measures for security automation — including usage of artificial intelligence platforms and automated breach orchestration — results in significant savings in connection with the cost of a data breach; if a target company lacks such automation, the cost of a breach could be more than double than if it had security automation in place.
4. Ensure that the due diligence checklist and questionnaire(s) are tailored to the target company's background.
Drafting the due diligence checklist and questionnaire(s) so that they appropriately reflect the target company's size, industry, complexity and compliance requirements also helps to ensure that any issues that could potentially lead to liability will be uncovered and reflected in the purchase price and terms.
Companies in certain industries, and certain transaction types are noted as carrying higher risk due to specific concerns such as being subject to the requirements of the EU's General Data Protection Regulation, retail industry companies required compliance with the Payment Card Industry data security standard, along with other factors.
To that end, the review of third-party contracts also should include determinations of compliance with such legislation and what obligations exist going forward. This information helps a prospective purchaser understand what costs may be associated with compliance and what limitations there are in connection with data to be acquired.
The checklist and questionnaire(s) should also be drafted to require the disclosure of a target company's privacy statements and data inventory. To determine the level of risk exposure, privacy statements should be evaluated for up-to-datedness and legal compliance, and also compared against a target company's actual practices to ensure consistency.
Additionally, the target company's data inventory, records about what data assets a company possesses, should be requested and evaluated by appropriate experts, so that purchasers are aware of what data is being acquired in connection with the transaction, and so that they can better understand the implications associated with cybersecurity incidents.
Cybersecurity issues are without a doubt becoming increasingly important, especially in the context of mergers and acquisitions. And while transaction agreements will likely include representations and warranties, covenants and conditions to address some of those concerns, as with other areas of focus within M&A due diligence, efforts on the part of both prospective purchasers and sellers to disclose and review relevant information will only help to increase transparency, facilitate negotiations and mitigate the risk of unforeseen cybersecurity attacks before and after closing.
Jennifer Tsai is a legal knowledge analyst at Kira Systems.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 Defined as ""[a]n occurrence that actually or potentially results in adverse consequences to … an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences." United States Securities and Exchange Commission Statement and Guidance on Public Company Cybersecurity Disclosures, available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
 We excluded five mutual insurance companies because of different filing requirements.
For a reprint of this article, please contact firstname.lastname@example.org.