Cyber Security Due Diligence for Mergers and Acquisitions: Minimizing and Mitigating Risks Presented by: Imran Ahmad Partner, Miller Thomson Law Iain Paterson Managing Director, Cycura Inc.
Posted on 22-Jun-2020
Cyber Security Due Diligence for Mergers and Acquisitions:

Minimizing and Mitigating Risks

Presented by:

Imran Ahmad – Partner, Miller Thomson Law

Iain Paterson – Managing Director, Cycura Inc.

Page 2

Key Considerations

Due Diligence

• Cybersecurity risk management

• Review insurance (cyber-specific), employee policies & training, corporate policies

• Any previous breaches, or pending regulatory action (review all jurisdictions in which target operates)

Purchase Agreement Provisions

• Representations and warranties

• Purchase price adjustments, indemnities

Page 3

Due Diligence

• Risk analysis should be tailored to the facts; some factors to consider:

Background

• How important data is to the company’s business, and how it is being protected; ask direct, but open-ended, questions and tailor due diligence based on concerns

• Track record: past breaches and the company’s response; exposure to lawsuits or regulatory action

Physical/Technical Security

• Encryption, firewalls, internal network monitoring

• Use subject matter experts on the deal team

• Physical access to locations/computers

Corporate Policies & Governance

• Employment contracts and confidentiality/non-disclosure agreements, employee training and policies

• Centralized cybersecurity department, risk awareness at CEO/board level

• Supply chain (e.g. third-party suppliers’ technology and policies)

Disaster Recovery/Backup Procedures

• Data backups, backup policies

Page 4

Due Diligence

• A tiered approach to diligence and review

Level 1 – 5 days

• Assess the current state of cyber incident readiness via review of policies, response plans and corporate standards

• Identify risks related to data protection, information security and security operations

Level 2 – 5 days (plus Level 1)

• Technical testing of security controls to identify vulnerabilities and risks

• Validation of protection from external cyber attacks

Level 3 – 5+ days (plus Level 1)

• Review of customized applications and source code

• Assessment of technical security for internal systems and networks

• Forensic review of breach indicators

Intellectual Asset Identification

• Categorize, evaluate, and use technology and intelligence gathering to verify the sanctity and integrity of valuable IP

Page 5

Intellectual Assets

• Data or intellectual property deemed valuable to a buyer

Customer Databases

• The most commonly stolen and “leaked” or sold asset during a cyber attack.

• Loss of trust/reputation devalues brand

Proprietary Designs, Processes or Technology

• In many instances can be the main source of value in an organization (e.g. engineering)

• Target of corporate espionage

Internal Corporate Data

• Sensitive operational information (emails, contracts, etc.)

• Can be embarrassing, or may expose internal issues

“Digital Assets”

• Web properties, portals, services, domains and other parts of the digital footprint the business owns

• Source of competitive advantage.

• Most frequent hacking targets.

Page 6

Benefits and Outcomes

• Understand the current risk and security capabilities of your target acquisition

• Identify any existing or previous breaches that may devalue intellectual property

• Develop advance plans for a secure merger of technology, processes and systems

• Reduce your overall risk and exposure during the M&A process

Page 7

Purchase Agreement: Representations & Warranties

• Reps and warranties should complement the due diligence findings for the buyer

• Seller has taken industry-standard measures to protect data (NIST, CSC, ISO, etc.)

• Ensure data handling and security policies are in place

• Business has been operated in accordance with applicable laws, including privacy laws (for each jurisdiction the target operates in)

• Can reduce the potential liability for the seller via disclosure

• Limit by materiality thresholds or knowledge requirements

• Identify the correct individuals for knowledge requirements

Page 8

Purchase Agreement: Representations & Warranties

• Each side should consider obtaining independent expert advice early on in the process

• Cybersecurity consultants (e.g. forensics, pen testers, etc.)

• Privilege issues

• Clearly define the materiality threshold in the agreement, so as to avoid debate after the fact if there is an incident

Page 9

Example of a Stock Purchase Agreement (1): Yahoo! Inc. and Verizon Communications Inc.

2.16(o)

To the Knowledge of Seller, Seller and the Business Subsidiaries have implemented and maintain organizational, physical, administrative, and technical measures applicable to Personal Data that are reasonably consistent with (i) reasonable practices in the industry in which Seller and the Business Subsidiaries operate, (ii) any existing and currently effective written contractual commitment made by Seller or the Business Subsidiaries that is applicable to Personal Data, and (iii) any written public-facing policy adopted by Seller or the Business Subsidiaries related to privacy, information security or data security […].

Page 10

Example of a Stock Purchase Agreement (2): Yahoo! Inc. and Verizon Communications Inc.

2.16(p)

To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller’s or the Business Subsidiaries’ possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect.

Page 11

Purchase Agreement: Price & Indemnities

Price & Price Adjustments

• Attempt to price in risk initially (but this is not always possible)

• For private transactions, can provide for post-closing adjustment

Indemnities

• Which parties the indemnity should apply to (directors, agents)

• Carve out a separate basket for cybersecurity (separate from general indemnity claims)

• Length of time representations and warranties apply post-closing

• Notice requirements to indemnifying party (of breach, or legal action)

Page 12

Other Matters

Insurance

• Specific insurance coverage for cyber-related risk

• To cover costs associated with data breaches, such as crisis management expenses relating to compliance with post-breach notification requirements

• Other costs could include: legal, communications, forensic advisors; benefits such as credit repair and monitoring; government fines

Increased Risks

• In the M&A context, increased attention after the deal announcement can result in additional attacks

• Both during the negotiation process and during the integration period afterwards

Page 13

Key Takeaways

• Cyber due diligence is going to be the new norm

• Given the digitalization of assets, cyber due diligence matters for both buyer and seller

– Buyer: doesn’t want to buy a “lemon”

– Seller: doesn’t want to give the buyer a discount

• Get counsel involved to conduct diligence for legal privilege purposes

• Get cybersecurity experts to conduct technical due diligence