Mergers and acquisitions are a complicated process with many facets of risk to consider in the target business. Cyber exposures are one of these, but is the correct degree of attention given to them when a multimillion takeover or acquisition is at stake?
Why are these risks ignored?
Mergers and acquisitions are a very complicated and time-consuming activity for a business. Due diligence is undertaken which will involve many facets of the business under consideration. This will include the financial standing, employee numbers and makeup, market share and future prospects of the organisation.
Cyber risk may be considered during this process, but it is doubtful that any in-depth cyber risk management is carried out, which could present problems post acquisition / merger.
What cyber security due diligence should be carried out?
- Examination of the types of privacy risk that the targeted business may encounter in its industry.
- Obtain detailed knowledge of the computer network and passage of data, to include the supply chain and use of cloud providers.
- How data is managed, and in particular personal data of customers and intellectual property of the organisation.
- Review of any contractual indemnities with customers and third parties who may suffer a data breach as a result of a cyber security breach.
- Obtain details of any previous cyber attacks or compromise of data with details of subsequent measures put in place to rectify similar incidents and improvements in cyber security.
- Ensure that GDPR compliance has been achieved together with any other relevant regulatory requirements in other geographical locations.
- Evidence of any cyber insurance being in place and review of adequacy together with details of claims made under the policy.
- Review of their incident response and business continuity plans with proof of the testing of these.
The Verizon and Yahoo Merger
In February 2007 Verizon Communications Inc purchased Yahoo Inc for $4.48 billion, but lowered its original offer by $350 million in view of two significant cyber attacks that hit the internet business.
The takeover agreement included requirements that Yahoo would be responsible for any subsequently discovered cyber incidents.
The existence of cyber insurance will help to mitigate the cyber risks associated with a proposed acquisition. Insurers will want to know in-depth details of the target business's cyber risk management processes and procedures and will only consider inclusion within an existing policy if these are satisfactory.