Guide to Cybersecurity Due Diligence Worth Reading
With billions of M&A dollars at stake, there is a need to clear the windshield. Thomas Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets.
November 15, 2017 at 02:17 PM
12 minute read
Guide to Cybersecurity Due Diligence in M&A Transactions
Edited by Thomas J. Smedinghoff and Roland L. Trope
American Bar Association, 272 pages, $89.95
On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target's cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals.
With billions of M&A dollars at stake, there is a need to clear the windshield. Thomas Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets.
Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs.
As noted by in the book's forward, M&A is customarily driven by monetary considerations, with financial due diligence receiving the most attention. Operational due diligence is often harder to conduct, with the target's “cyber status” typically being “the most mysterious.”
Throughout the book's thirteen chapters, it explains how an acquirer can properly assess a target's cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks.
Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author.
In his 2012 memoir, Donald Rumsfeld observed that decision-makers typically must contend with two types of unknowns: known unknowns and unknown unknowns.This observation also applies to cyber due diligence. The book assists M&A counsel to “capture both kinds of cybersecurity unknowns,” including: (1) “what the target knows and may be reluctant or slow to disclose” about “the quality of the target's cybersecurity defenses and its experiences with cyber incidents”; and (2) “what the target does not know.”
Two main principles appear throughout the book. The first is that “acquirers should treat as a rebuttable presumption that a target's high-value digital assets are increasingly at risk of becoming cyber-vulnerable assets.” The more renown a company's brand and trove of digital assets, “the greater the probability that it will, or already has, become a victim of reconnaissance probes and damaging cyber attacks.”
The second principle is based on a National Institute of Standards & Technology (NIST) observation that there is no cybersecurity system “that can be engineered to be perfectly secure or absolutely trustworthy.” This is because sophisticated intruder technologies typically outpace the defenses, which often employ “trailing-edge technologies” in discovering vulnerabilities, closing defense gaps, detecting intrusions, identifying what has been accessed, realizing what has been done to it and understanding “what awful things may happen at a time and place of the cyber intruder's choosing.”
One of the best parts of the book is a chapter entitled “Evaluation of Internal Cybersecurity Program,” written by Stuart Levi. The author observes that the “strength of a cybersecurity program depends in large part on the 'buy-in' and role of senior management in overseeing the program.”
Citing the NIST Cybersecurity Framework, Levi explains that senior management does not need to master “the minutiae of how a firewall works or why one type of intrusion detection software was selected over another[,]” but “must understand each component of a company's cyber-risk exposure and how it was addressed.”
Regarding the role of the board of directors, Levi writes that they do not need a “deep-level understanding of the company's technology solution,” but members should receive “regular reports of the company's cybersecurity profile, the steps the company is taking to address the issue, any issues that have arisen since the last report, and how decisions are made.”
Levi suggests that attorneys who conduct M&A due diligence should seek material that reveals how the target's security program has actually performed. In addition to asking “for examples of key cybersecurity decisions that were made over the last two years,” M&A counsel should also ask to review “any cybersecurity reports that have been given to the board.”
Another strength of the Levi chapter is the author's ability to articulate the manner in which M&A counsel can, with a “critical eye,” spot the pertinent issues and ask the probing questions about a target's cyber exposures.
According to Levi, a good place to start a review is to ask whether “a written information security program exist[s] and, if so, when was it developed, and how (if at all) is it regularly updated?” The author notes that it is important for M&A counsel to understand “how the program was first developed[.]” Effective security programs tend to be those “developed by a cross-disciplinary team” that includes stakeholders from the IT department, risk management department, and leaders from the relevant business units. Programs developed by the IT department in a vacuum tend to be less effective.
Other critical areas upon which Levi focuses include: (1) identifying the persons responsible for daily management of the target's cybersecurity program; (2) analyzing how they make decisions; (3) reviewing program compliance with legal requirements and regulatory standards; (4) discerning whether the program is risk-based and tailored to the target's business; (5) probing the program's resilience; (6) understanding the program's implementation and updates; (7) assessing the security capabilities with the target's vendors and third-party providers; (8) researching the target's public pronouncements about its cybersecurity program; and (9) evaluating the appropriateness of the insured's incident response plan.
More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target's cybersecurity risk, this book helps control the fire.
Jeffrey Winn is a management liability attorney with Chubb, a global insurer, and a member of the executive committee of the New York City Bar Association.
Guide to Cybersecurity Due Diligence in M&A Transactions
Edited by Thomas J. Smedinghoff and Roland L. Trope
American Bar Association, 272 pages, $89.95
On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target's cybersecurity program. As data breach incidents involving Yahoo and
With billions of M&A dollars at stake, there is a need to clear the windshield. Thomas Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets.
Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs.
As noted by in the book's forward, M&A is customarily driven by monetary considerations, with financial due diligence receiving the most attention. Operational due diligence is often harder to conduct, with the target's “cyber status” typically being “the most mysterious.”
Throughout the book's thirteen chapters, it explains how an acquirer can properly assess a target's cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks.
Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author.
In his 2012 memoir, Donald Rumsfeld observed that decision-makers typically must contend with two types of unknowns: known unknowns and unknown unknowns.This observation also applies to cyber due diligence. The book assists M&A counsel to “capture both kinds of cybersecurity unknowns,” including: (1) “what the target knows and may be reluctant or slow to disclose” about “the quality of the target's cybersecurity defenses and its experiences with cyber incidents”; and (2) “what the target does not know.”
Two main principles appear throughout the book. The first is that “acquirers should treat as a rebuttable presumption that a target's high-value digital assets are increasingly at risk of becoming cyber-vulnerable assets.” The more renown a company's brand and trove of digital assets, “the greater the probability that it will, or already has, become a victim of reconnaissance probes and damaging cyber attacks.”
The second principle is based on a National Institute of Standards & Technology (NIST) observation that there is no cybersecurity system “that can be engineered to be perfectly secure or absolutely trustworthy.” This is because sophisticated intruder technologies typically outpace the defenses, which often employ “trailing-edge technologies” in discovering vulnerabilities, closing defense gaps, detecting intrusions, identifying what has been accessed, realizing what has been done to it and understanding “what awful things may happen at a time and place of the cyber intruder's choosing.”
One of the best parts of the book is a chapter entitled “Evaluation of Internal Cybersecurity Program,” written by Stuart Levi. The author observes that the “strength of a cybersecurity program depends in large part on the 'buy-in' and role of senior management in overseeing the program.”
Citing the NIST Cybersecurity Framework, Levi explains that senior management does not need to master “the minutiae of how a firewall works or why one type of intrusion detection software was selected over another[,]” but “must understand each component of a company's cyber-risk exposure and how it was addressed.”
Regarding the role of the board of directors, Levi writes that they do not need a “deep-level understanding of the company's technology solution,” but members should receive “regular reports of the company's cybersecurity profile, the steps the company is taking to address the issue, any issues that have arisen since the last report, and how decisions are made.”
Levi suggests that attorneys who conduct M&A due diligence should seek material that reveals how the target's security program has actually performed. In addition to asking “for examples of key cybersecurity decisions that were made over the last two years,” M&A counsel should also ask to review “any cybersecurity reports that have been given to the board.”
Another strength of the Levi chapter is the author's ability to articulate the manner in which M&A counsel can, with a “critical eye,” spot the pertinent issues and ask the probing questions about a target's cyber exposures.
According to Levi, a good place to start a review is to ask whether “a written information security program exist[s] and, if so, when was it developed, and how (if at all) is it regularly updated?” The author notes that it is important for M&A counsel to understand “how the program was first developed[.]” Effective security programs tend to be those “developed by a cross-disciplinary team” that includes stakeholders from the IT department, risk management department, and leaders from the relevant business units. Programs developed by the IT department in a vacuum tend to be less effective.
Other critical areas upon which Levi focuses include: (1) identifying the persons responsible for daily management of the target's cybersecurity program; (2) analyzing how they make decisions; (3) reviewing program compliance with legal requirements and regulatory standards; (4) discerning whether the program is risk-based and tailored to the target's business; (5) probing the program's resilience; (6) understanding the program's implementation and updates; (7) assessing the security capabilities with the target's vendors and third-party providers; (8) researching the target's public pronouncements about its cybersecurity program; and (9) evaluating the appropriateness of the insured's incident response plan.
More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target's cybersecurity risk, this book helps control the fire.
Jeffrey Winn is a management liability attorney with Chubb, a global insurer, and a member of the executive committee of the
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'We Learn Much From the Court's Mistakes': Law Journal Review of 'The Worst Supreme Court Decisions, Ever!'
6 minute read'Midnight in Moscow': A Memoir From the Front Lines of Russia's War Against the West
9 minute read'There Are Heroes in Every Story': Review of 'The Eight: The Lemmon Slave Case and the Fight for Freedom'
9 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250