Duty of Care Risk in Mergers and Acquisitions (M&A)

Adriaan Brits

Mergers and acquisitions (M&A) are a popular strategy for companies looking to expand their footprint and increase opportunities. The total number of M&A deals from June 1, 2020 to June 30, 2021 was 16,672, up from 13,446 in the twelve months prior. Companies pursue M&A strategies for many reasons, such as achieving greater economies of scale, attaining greater market share, diversifying geographically, or acquiring new technology. From a security standpoint, it is important to note that an acquiring company inherits any existing cybersecurity vulnerabilities, incidents, and resulting liabilities along with the beneficial assets being purchased. Sometimes a poor security history can outweigh any perceived benefit.

Cybersecurity Audits are now Standard Practice for M&A Transactions

M&A transactions can take months or even years to complete. The acquiring company must perform its due diligence to gain a complete understanding of the target organization. A cybersecurity audit is essential to identify the security controls and intrinsic vulnerabilities of the target enterprise. An undiscovered data breach can not only cripple the deal but also introduce liability in the form of financial burden, reputational damage, or both. Audit questions to consider include the following.

Does the target company

Conduct regular risk assessments, vulnerability scans, and penetration tests of its systems?

Have a documented cybersecurity strategy that is enforced from the top-down and across the entire organization?

Have a written Incident Response Plan (IRP) that is regularly tested and rehearsed?

Perform compromise assessments on itself to identify any vulnerabilities?

Have a recent security architecture review to assess the strength of its infrastructure?

Have a program in place to train its employees on privacy and security best practices?

According to a recent (ISC)2 study on M&A and Cybersecurity, study participants unanimously stated that cybersecurity audits have now become standard practice for M&A activity.  Survey participants listed cybersecurity considerations as a major factor in determining the viability of a deal.  In total, 77% reported making M&A recommendations based on the strength of an existing cybersecurity program.

A Poor Cybersecurity History Can Tarnish a Deal

A company’s cybersecurity history can hamper M&A interest for years to come. According to the same study, half of the survey respondents agreed that the discovery of previously undisclosed breaches would derail a deal.

The acquisition of Yahoo by Verizon back in 2017 for $4.48 billion nearly fell through due to two data-breach incidents that occurred during the negotiations.  The first attack involved the personal data of some 500 million users and included unencrypted passwords.  Login credentials and personal information were also compromised for nearly 1 billion users in the second attack.  In the end, Verizon chose to go ahead with the deal at a reduced purchase price.

Another example involves the acquisition of the luxury department store chain Neiman Marcus. On October 25, 2013, a Canadian group completed an acquisition of the retailer. What they didn’t know was that a cyber incident had taken place as early as July 16, 2013, in which malware was injected into the company’s payment-processing system. The incident would eventually compromise the data of 350,000 customer payment cards. Neiman Marcus became aware of the fraudulent use of those payment cards on December 17, 2013. On January 10, 2014, it publicly disclosed the incident. In 2017, it eventually paid $1.6 million to settle a class-action lawsuit filed on behalf of those whose card information was exposed.

Cybersecurity Can be an Acquired Asset

It is important not to view cybersecurity as a liability in terms of M&A activity. In the same study, 95% of survey respondents considered cybersecurity programs a tangible asset, while 63% considered security tools to be general assets. Assets include a company’s cybersecurity infrastructure, risk management policies, and training programs. In fact, 82% stated that the stronger a company’s cybersecurity infrastructure is, the higher the assessed value of the organization. With 50% of companies being impacted by ransomware in 2020 according to a Cisco study, it is understandable why a company’s cybersecurity expertise can be highly valuable to many other companies today.

What Cybersecurity Due Diligence Involves

The occurrence of a cybersecurity incident doesn’t necessarily deter a merger or acquisition. How the company handled the aftermath of the breach and what it did to fix the vulnerabilities prove far more important in the end. One must assess how the breach occurred and whether the company performed its duty of care in attempting to prevent such an attack in the first place. A company may be held liable for an attack that it could have prevented had it taken appropriate measures that are deemed to be reasonable. According to HALOCK partner and Board Chair of the DoCRA Council Chris Cronin, in litigation, a demonstrated duty of care shows the absence of negligence, which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually is. Chris recommends two resources that businesses can use to establish ‘reasonableness.’

Due Diligence is Key.

The Sedona Conference Commentary on a Reasonable Security Test offers guidance with a reasonable security test designed to be consistent with models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks. As a contributing editor for the Reasonable Security Test, Cronin describes the commentary benefits as “demonstrating its universality” in those domains as well as being a “useful analytical tool for management who plan security priorities, budgets, tactics, and resources.”

The Duty of Care Risk Analysis (DoCRA) standard provides principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. DoCRA brings together a company’s mission, objectives, and obligations to address all perspectives from IT, legal, C-Suite, board of directors, customers, and public to analyze your risk profile.

Overall, a best practice is to have an independent, outside partner perform a risk assessment using Duty of Care Risk Analysis (DoCRA) during the M&A evaluation process.   Fully evaluate the inherent risks of a proposed acquisition and determine the effectiveness of the current security controls, policies, and strategies to secure the target organization’s assets.
