Read the full article here: http://bit.ly/1qSVtMv
Financier Worldwide moderates a discussion on cyber-security
risks in M&A between Adam Pang, a director at Merrill DataSite, David
Stanton, a partner at Pillsbury Winthrop Shaw Pittman LLP, and Timothy J.
Nagle, counsel at Reed Smith LLP.
FW: Broadly speaking, how would you characterise cyber security risks in the context of M&A? Do dealmakers pay enough attention to this issue, in your opinion?
Pang: The dealmakers we engage with never underestimate
the importance of securing their data, because they know the value of it and
the power it holds when it falls into the wrong hands. The risks are based
around competitors gaining advantage through information; accessing personal
and customer data; and during the due diligence phase of an M&A transaction,
all financial, commercial and operational data has to be disclosed, so there’s
an inherent vulnerability associated with that. This is why dealmakers, in our
experience, pay close attention to the issue of security.
Stanton: Cybersecurity is emerging as one of the most
pressing concerns among the spectrum of risks presented by the loosely governed
and complicated data infrastructures prevalent in today’s corporate
enterprises. In the context of M&A deals, these data governance and control
issues become exacerbated. All too often, organisations do not know their own
data systems and contents well enough to appropriately anticipate and monitor
potential attack vectors or to quantify and prioritise the risks these systems
present. Moreover, corporations that are targets for acquisition may be under
financial pressure, making appropriate attention to the emerging risks of cyber
security unlikely. The lack of visibility into data systems and the lack of
control over data flows within an organisation will confound the risk
assessments of an acquiring entity, since the challenges of tracking,
identifying and preventing cyber incidents are even more difficult to ascertain
from the outside. Lawyers entrusted with the execution of an acquisition
may not be technologically sophisticated or aware of the existential risk that
cyber incidents can present to organisations large and small. Recent
large-scale attacks and the notoriety they have gained may be increasing
awareness of these issues, but understanding how best to address them requires
specialised expertise that may be lacking among the dealmakers.
Nagle: The cyber, data security and privacy considerations
during a transaction arise in three phases. First, the pre-deal due diligence
and how the seller can make sufficient sensitive – corporate and personal –
information available to bidders and buyers while protecting it adequately.
Second, evaluation by the prospective purchaser of the state of security and
privacy – for instance, protection of corporate data assets – at the target
company and any representations it has made to customers or regulators in those
areas as part of the due diligence process. Third and finally, the transition
phase where data is being transferred or exchanged, or the networks of the two
companies are being integrated while continuing to support corporate
operations. The importance of data – either intellectual property or customer
information – as a corporate asset of the target entity will drive the
attention that is given to the security and protection of that data. An online
or consumer company will have significant amounts of personal information about
its customers which represent both an obligation of the company – to protect it
per the privacy policy – and an opportunity for the use of data analytics in
marketing, developing new products or services or engaging partners. And a
company that is either dependent on the integrity and availability of its
online presence or the sanctity of its intellectual property is only as
valuable as the extent to which these have been protected. The need to
carefully value the intellectual property portfolio of a company, and ensure its
protection, is well-established. The similar need regarding the company’s data
is just beginning to be understood. An example of this is the public offering
of Facebook shares. Much, if not all, of the value was in the data and its use.
But there was significant uncertainty, as reflected in the stock price, as to
whether and how that value could be realised. While the financial analysts who
are conducting the due diligence are becoming more focused on data as an asset
of the target firm, the investment bankers who are working through the process
and getting the deal done are not as focused on the issue. Their focus is on
execution. They want to conduct due diligence, or make the data available to a
buyer for that purpose. They want to do it as quickly and easily as possible
and provide it to as many people as possible. Limits on sharing or the means of
doing so for the purpose of protecting the information are hindrances to the
goal. They need to be reminded of the need to protect sensitive data –
proprietary or personal – and provided with the most efficient means of
accomplishing that.
FW: What specific types of cyber security risks are often connected with the M&A process? How have these risks evolved and changed in recent years?
Stanton: Some risks originate within the acquisition target
in an M&A deal through loose or ineffective data security. Another species
of cyber risk originates with the deal itself. Transacting parties possess
valuable inside information and gain access to a company’s most sensitive corporate
documents. Exposure of this material during negotiations and due diligence to
unauthorised access can present liability hazards for all involved.
Historically, the assessment of cyber risk has grown more important over time.
It has shifted from a cursory assessment and predominately contractual matter,
to an area of probing factual inquiry, requiring significant attention,
scrutiny and care before a deal closes. Formerly, many of the risks associated
with the exposure of insider information or with the potential for unauthorised
access to company data could be shifted with contractual provisions and
liability insurance. Today, however, this threat can be nearly existential, and
requires direct triage and assessment as part of the due diligence process
itself. Attacks have become more intentional, more organised, more targeted and
more disruptive, and cyber hackers and activists have moved far beyond the
annoyance of viruses and denial-of-service attacks to the deliberate theft of
valuable information assets. Such attacks pinpoint a company’s important IP,
its customer lists, know-how and growth strategies – anything that can be
exploited or sold for profit. These targeted incidents can cripple an
organisation, disrupt productivity, or deflate goodwill and customer
confidence. Thus, the risks in this area can materially undermine the viability
of the transaction or the value of the acquisition target and impact the
central benefits and reasons for the deal to proceed.
Nagle: The two risks that arise through the process are
the expanded sharing of sensitive corporate information due to the involvement
of parties – bankers, attorneys, auditors, bidders – with whom the company
might not otherwise interact, and the need to integrate the data and networks of
the companies involved in the transaction. The increased exposure of data is
exacerbated by the distributed and highly mobile set of devices that the
parties and their agents now use. For example, bankers may not be at their
desks but need to see sensitive deal information on their tablets or
smartphones – devices which are not usually encrypted. While it is possible to
use project code names and remove information which identifies the parties,
there is still a significant amount of sensitive business information that is
shared over systems that are not under the control of the technology staffs.
And, unless the principals – buyer and seller – have regular relationships with
the outside parties, for example, auditors, and have either assessed the
security of their networks or have obtained representations regarding security,
then the sensitive information is being sent to networks of uncertain
integrity. The issue of integrating networks during the post-closing
transition phase is similar to any other technology challenge. But the network
of the target company may be functioning to unsatisfactory standards, have
different architecture, operating systems and applications, and be open to
unknown third parties. Over the transition period, these networks and their
data must be combined or integrated, and rationalised into one functioning
entity in a secure fashion while continuously supporting operations. That is
like performing a heart transplant on someone running a marathon with a greater
risk of infection.
Pang: Threats are coming from an ever increasing range of
sources, including, but not limited to, individuals, organised crime networks,
competitors, hacktivists, employees or contractors, and even nation states. The
old methods of preventing leaks, by limiting your ‘inner circle’, are no longer
sufficient. Modern, sophisticated and highly targeted computer hacking means
businesses need to do everything possible to mitigate risk. The resilience of
third parties, when it comes to issues of data protection, has become as
important as reviewing one’s own internal security standards. Not very long
ago, and it still happens in some instances, companies engaging in an M&A
project would have created a paper-based data room to share documentation and
files during the due diligence process. The physical security of the room was
therefore paramount, as potential buyers would travel to the room, book into
the secured unit – one at a time – manually go through the information and make
return visits if required. Taking this process online has resolved the obvious
flaws and drawbacks in having a paper data room, but it created other
challenges – cyber security being first among them. Those capable of breaching
online security have become greater in number and more sophisticated in terms
of ability, using methods such as APTs, network-travelling worms, Trojan
horses, phishing and social engineering.
FW: Prior to a close, firms must thoroughly assess the cyber security risk of their desired target. What particular issues should acquirers consider when conducting cyber due diligence on a potential target company?
Nagle: One question that should be asked is whether the
target company has cyber risk insurance. Generally, as part of the underwriting
process, the insurer will have a third party assess the security practices and
standards of the company. Firms should review the corporate information
security policy, privacy policy and website privacy policy. Are they up to date
and consistent with current industry practice? If not, that may give some
indication of the overall cyber security readiness of the company. Firms must
also determine whether any audits, inspections or formal actions have been
initiated or conducted by regulators or state attorneys general. Has the
company conducted an internal audit or assessment or retained a vendor to
conduct one? If credit card information is involved, is the company PCI
compliant? Even if the target company has conducted assessments of its network,
it may be prudent for the purchaser to arrange for an independent review,
especially if the company has a significant online presence. Firms must
ascertain what third parties are critical to the functioning of the company or
process, store, or collect significant proprietary or personal information on
behalf of the target company. What contract provisions govern such
relationships and is there a vendor management or assessment program in place
at the target company? Finally, how active is executive management and the
board of directors in cyber security and privacy issues? And is there a chief
information security officer and chief privacy officer?
Pang: A thorough assessment of the IT infrastructure of a
target organisation is always advisable. IT processes, operating systems,
documentation, risk assessment, security standards and previous breaches of
security should all be reviewed during the due diligence phase. Neglecting to
do this upfront and then discovering something after deal-close can cost the
acquiring company both time and money to rectify – not the ideal thing to be
doing in a post-merger situation when resources are better spent integrating
the two entities. It’s also important to discuss the issues thoroughly with the
incumbent expert in charge – the person responsible for the systems and
processes securing the business. For practical reasons, it can be useful for
these discussions to take place over time, as and when questions or issues
arise during due diligence. High-quality virtual data rooms have Q&A
functionality that enable questions to be directed to key departments, such as
IT, and to have the experts in charge answer, with all responses tracked for
future reference.
Stanton: Criteria assessing cyber risk depend in large
measure upon the type of organisation and data systems involved, and should be
tailored appropriately. The maturation of the organisation’s information
governance systems should be assessed, including the existence of metrics,
procedures and tools to effectively measure, monitor and validate physical,
logical and network security concerns. The prevalence of uncategorised ‘dark’
data, outside governance mechanisms, should be determined, and the sufficiency
of the control procedures and processes weighed in light of the organisation’s
risk profile. Outsourcing arrangements and third-parties with access to the
organisation’s data should be catalogued and evaluated for security concerns.
Cultural factors also play an important part in this. Individual employee
practices should be determined, since the human factor presents distinct cyber
vulnerabilities to any organisation. In an environment where the acquired
entity’s personnel have not been expected to comply with robust security
protocols, this lax cultural milieu can present issues when they are hired into
the acquiring company, and bring their old habits with them. Likewise, the
attempt to enforce dramatically new, more rigorous security protocols upon the
acquired employees can adversely impact their productivity and morale during
integration of the two organisations. This is an area of some technical expertise,
and a due diligence cyber security audit will likely require non-lawyer
technical expertise to conduct.
FW: Corporate transactions necessarily involve a multitude of professional advisers and financiers. How does transferring sensitive data between such individuals open up the process to cyber risk? In what ways can this risk be managed and mitigated?
Pang: The first and most obvious point to make is
that we would never advise transferring data – particularly sensitive data
– via email between parties involved in an M&A transaction, as this is rife
with security risks. It’s wrong to assume email is a secure medium for
communication, because it’s not. Servers can be accessed, emails cloned, or
simply forwarded by accident without malicious intent. File sharing platforms
also need to be assessed carefully to ensure they’re fit for purpose. There
have been very recent examples where sensitive and personal data has been made
openly and publicly available, not because someone hacked it and exposed it,
but because functionality created a loophole. The best course of action is to
assess and select a secure virtual data room solution, in which multiple
parties can concurrently view information within a protected online
environment, built for the purpose of managing confidential data.
Stanton: Insider trading risks have expanded through cyber
threats beyond the actual participants to include those seeking to obtain
unauthorised access to inside information; the transmission and exchange of
information among these parties present opportunities for data to be accessed
and exploited. Virtual data rooms are widely used and should be encouraged. In
some cases, a return to physical, hard-copy data rooms may actually provide the
best defence. At a minimum, the parties involved should be subject to
confidentiality agreements, whereby they attest to having met an expected level
of data security protections within their respective organisations, and agree
to abide by suitable practices with respect to deal documentation and communications.
Participant awareness and training is critical, and conducting all-hands
cyber-security training at the onset of a deal is worthwhile.
Nagle: If the security and privacy practices of these
advisers are unknown to the principals, any engagement documents should include
some representations regarding data privacy and security in addition to the
standard nondisclosure terms. Those partners are agents of the principals and
should be required to comply with certain standards during and after the transaction.
Any problems will ultimately be the responsibility of the principals.
FW: What kinds of technology are available to keep sensitive documents private and secure during the transaction process? Where does the future of this technology lie?
Stanton: Virtual data rooms remain viable alternatives for
centralising and tracking access to transaction documents, but robust security
in these environments is critical. Physical and logical controls at the server
locations, strong passwords, SSL encrypted transmission, document watermarks
and data access audit trails are essential. ISO information security
certification is desirable as well. On the other hand, generic file sharing
sites such as Dropbox, Google Docs and the like are not sufficiently secure and
should be avoided. Technology is not, however, the only answer. Training and
education are also critical components.
Nagle: To the extent possible, all paper or electronic
documents should remain within the physical and technical control of the
seller, as related to the due diligence phase, or the parties, for deal
documents. This is frequently not feasible given the variety and number of
advisors and auditors. Technology such as virtual ‘reading rooms’ which are
accessible from the Internet but require authentication provide security,
accountability and an ability to monitor access. There are also means of
‘tagging’ the most sensitive documents to ensure they are not distributed or to
account for their location. The challenge will be to maintain some level of
technical control in the mobile environment. One consideration may be to issue
devices that have been configured with security features such as encryption to
the members of the deal team that will have the greatest access to highly
sensitive documents. Once the deal is complete, the devices can be returned,
wiped and reused for future deals.
Pang: It’s important to recognise though that people are
just as important as technology when it comes to the issue of cyber security.
You can’t afford to be complacent in this area – all our employees, for
example, undergo extensive background checks and must sign stringent NDAs. To
meet the security standards required to guarantee a system is being operated
securely, ISO/IEC 27001:2005 for instance, over 200 internal security protocols
need to be in place and it’s these that significantly reduce the security risks
associated with any technology being used. In our experience, the future of this
technology lies in securing mobile devices and tablets; investment is heavily focussed
in this area to balance convenience with iron-clad security.
FW: Monitoring information access can help guide the negotiation process as well as highlight suspicious activity connected with a deal. What systems and processes can firms put in place to gain such benefits?
Nagle: There are no technologies that are specific or
unique to the M&A context. Rather, existing network security, monitoring
and access management tools should be in place to provide the level of security
commensurate with the sensitivity of the data that is being accessed.
Pang: We use real-time reporting capabilities, which
means the sell-side teams engaged in a project can at any moment see which
individual has accessed exactly what information down to page-level, as well as
when they looked at it and for exactly how long. This gives them an advantage in that
any suspicious activity would send up red flags without delay. It also
importantly means that in a deal negotiation it’s easy to see who is seriously
interested in the asset based on what data has been reviewed and how much time
has been spent looking at it. There really isn’t a better way of monitoring
suspicious activity and progressing deal negotiations to get the best end
valuation.
Stanton: Most virtual data room platforms established in the
M&A context provide robust audit trail capabilities, whereby all document
views can be tracked and monitored. Secure passwords and dual-level encryption,
particularly with physical random number keys, will deter unauthorised users
from accessing a site with a stolen or borrowed password. Access controls and
locked doors for physical data rooms should be aligned with a key-card tracking
system to monitor people going in and out. Data also should be appropriately
segmented, so that only those who actually require access are provided the
ability to obtain or view highly sensitive materials.
FW: Could you outline some of the key legal and regulatory developments on cyber security that have unfolded in the last year or so? Will these have an impact on the M&A process going forward?
Pang: State governments have increasingly taken a more
active role in reviewing cyber security issues within the private sector. This
activity is leading to new regulatory requirements throughout the industry –
this includes an increase in regulatory compliance obligations on how networks
are secured, particularly in heavily regulated industries, increased
involvement by law enforcement, and an expansion of disclosure obligations with
respect to cyber security incidents. In the UK, the FSA now has specific
guidelines and suggested good practices, which an organisation should consider
as part of their information management processes. Additional obligations apply
to specific sectors, such as telecoms, which are now required to report
breaches to authorities and in some cases, individuals too. The financial
sector must control and organise their data more responsibly and effectively
than ever before, with adequate risk-management systems in place, including
taking appropriate steps to protect themselves against cyber attack. As this is
an ever evolving process, it will be increasingly important for companies to
regularly review these guidelines to make sure they are compliant with the
latest legal framework, along with their chosen partners.
Stanton: The SEC’s cyber risk disclosure requirement, the FTC’s
scrutiny of hacking incidents and privacy breaches, the publicity of cyber
incidents under HIPAA regulations and by state attorneys general, and the
activist plaintiff’s bar are all encouraging greater care, and a more detailed
and nuanced assessment of cyber risk in and outside the M&A context.
Nagle: The highly regulated industries – financial
services, health care, energy – have cyber security requirements in place which
will continue to develop. Other industries, for example online retail, telecommunications,
government contractors, will begin to experience more stringent cyber security
controls as government initiatives such as the NIST Framework process continue
to unfold, or as significant events such as the Target data breach
occur. At some point, companies in any industry and of any size will be
asked about their practices by customers, insurance companies and boards of
directors. Another forcing function is the recent initiatives by the
Securities and Exchange Commission (SEC), extending cyber security regulation
to financial services firms that have not been impacted, such as investment
managers, funds, and broker dealers; and requiring more substantive disclosures
in public filings by all publicly-held companies.
FW: What final advice can you offer to acquirers and vendors on managing and mitigating cyber risk during the M&A process?
Stanton: Engage legal counsel familiar with cyber issues and
risks. Engage outside experts as needed to conduct inspections and audits.
Explore cyber insurance, since coverage under traditional policies may not
cover cyber incidents. Quantify the risks. It is always worthwhile to establish
through audits and due diligence inquiries what kinds of risks are present,
where the vectors of attack are most likely, what systems may be impacted and
how prepared the target organisation is to respond. But also, actually put a
dollar amount on those risks and weigh this with the probability of these
adverse events occurring. This kind of bottom-line assessment helps the parties
to appropriately price the acquisition and to budget for the remedial steps
that will be necessary during the integration of the acquired company into its
new parent. Finally, educate, educate, educate. The prevalence of cyber
incidents is growing faster than our awareness and responsiveness to them.
Members of the deal team should be well-trained and warned of the risks of
cyber attack, and best practices during the deal process should be enforced
culturally and contractually.
Nagle: Data and intellectual property are corporate assets
which impact the valuation of a company. Privacy practices and data security
standards are essential elements of any corporate governance structure. And
cyber security risks – from the malicious outsider to the well intentioned but
misguided insider who opens a suspicious email – are present in all industries.
Consider these assets, practices and risks as you would any other element of
the M&A process. You must be able to say that you have considered and
accounted for these issues in your process.
Pang: Typically a merger or acquisition follows six
specific phases – preparation; engagement, selection and appointment of
external advisors; initial approaches; preparation of information about the
business; financing terms of the transaction; and completion. During
preparation, it’s wise to limit the number of people brought into the ‘inner
circle’. Then information and process flows can be mapped out, current working
practices reviewed and a third party data room provider appointed. Think about
how diaries and meetings are planned and communicated, and then consider your
social media profile to limit the likelihood of ‘spear phishing’. When engaging
advisers, establish a shared principle of governance, think about due diligence
procedures and put in place an incident plan. At the point of initial
approaches, consider the risk profile of the sector and country, and any local
regulatory norms. Then consider what information you will provide and how you
will share that with the parties involved in the transaction. Limit the number
of people receiving information and obtain the relevant approvals, before
disclosure. It’s also a good idea to have confidentiality agreements with all
parties in place before sharing any data, then continuously monitor who
accesses information and when – ideally through a real-time report available in
premier VDR solutions. Also, consider whether some information can be kept
offline and whether the information requested is beyond market practice. If
acquiring a business, it is now common practice to carry out diligence on the
organisation’s cyber security measures and past records on how it dealt with any
previous issues. Finally, upon completion continue to monitor information
relating to the transaction, transfer funds securely and be conscious that your
organisation may be at increased risk of cyber-attack. It is time to consider
reviewing and strengthening security policies across the new organisation and
how the combined entities will manage information; it’s possible, for example,
to continue to use a VDR for secure post-integration purposes.
Adam Pang is a director at Merrill DataSite. Mr Pang
joined the firm in June 2006. He has over 13 years of experience in financial
and information solutions management, working both in London and Hong Kong.
Based in the London office, Mr Pang is focused on driving the International
sales effort in the UK and Emerging Markets. He can be contacted on +44 (0)20
7422 6268 or by email: adam.pang@merrillcorp.com.
David L. Stanton is a partner in the
litigation practice of Pillsbury Winthrop Shaw Pittman LLP. He leads the firm’s
nationally recognised Information Law and Electronic Discovery group, oversees
the firm’s nationwide Litigation Support department, and is a member of
Pillsbury’s Privacy, Data Security & Information Use group. Mr Stanton is
also a member of the firm’s Professional Responsibility Committee and serves as
Pillsbury’s executive partner for Anti-Bribery/Anti-Corruption Compliance. Mr
Stanton can be contacted on +1 (213) 488 727 or by email:
david.stanton@pillsburylaw.com.
Timothy J. Nagle is a counsel at Reed Smith
LLP and a member of Reed Smith’s Data Security, Privacy & Management
practice group. His most recent experience prior to joining the firm is as in
house counsel with a global financial services firm where he supported security,
privacy and technology executives. With a broad background in security and
privacy across government and industry, Mr Nagle supports clients in the areas
of government contracts, financial services, energy and health care regulatory
matters. He can be contacted on +1 (202) 414 9225 or by email:
tnagle@reedsmith.com.
Read the full article here: http://www.financierworldwide.com/managing-cyber-security-risks-in-ma#.U7U_VObNdW8