Cybersecurity Due Diligence in M&A Transactions
As former SEC Commissioner Luis Aguilar aptly stated: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
June 22, 2018 at 11:10 AM
Yahoo/Verizon Deal
Yahoo! Inc., Form 10-Q, at 47
Lessons Learned
- A target's cybersecurity practices and monitoring should be carefully assessed, especially when it relies heavily on the collection, use and storage of personal data. Yahoo's lack of emphasis on uncovering, responding to and disclosing security incidents demonstrates how even established companies can fall short in addressing data security responsibilities (and also how customary due diligence can fail to uncover these critical shortfalls).
- The board's involvement in, and understanding of, the company's data security protocols and recent incidents can serve as a litmus test of a company's cybersecurity risk. Buyers must understand that cybersecurity issues are not merely IT issues; they are core business issues that the board and C-level management must treat seriously or suffer operational consequences.
- Relatedly, a buyer must diligence the company's internal cyberawareness and communication practices, and ensure that employees report data security incidents “up the chain,” including to the board. Yahoo's blunders during the Verizon deal could have been avoided had its legal and IT teams properly reported the 2014 Security Incident when they discovered it, and buyers should smoke out any risk that the seller may have similar reporting breakdowns.
- Cybersecurity diligence should be conducted early, as many companies may be reluctant to disclose such issues (or may not be aware of them). Moreover, cybersecurity weaknesses may not be readily apparent.
Cybersecurity Diligence Priorities
- What types of digital assets does the company collect, use, transmit and store?
- Does the target take appropriate measures to collect only the minimum sensitive data it needs and protect data in storage and transit? “Appropriateness” depends on the value of data and its importance to the company's business. Appropriate measures include an established cybersecurity policy, employee education, awareness and training, appointment of an individual accountable for cybersecurity, regular reporting (including to management by the board's audit committee), and access controls such as encryption. Policies should be updated annually.
- Does the company have a sufficient plan to uncover and respond to security breaches (e.g., an “incident response plan”) and have a person designated to take responsibility for them? Has the company tested its plan through a tabletop exercise?
- Has the company experienced data security incidents in the past? If so, were vulnerabilities remediated?
- Does the company conduct regular assessments of cybersecurity weaknesses and is it committed to making cybersecurity a priority, even at the management and board level? Are such assessments conducted using a third-party, objective process?
- Does the target take appropriate steps to comply with its legal cybersecurity obligations (e.g., state statutes and national regulations, such as the GDPR) or industry-imposed standards (e.g., health care, financial services)?
- Has the company notified governmental agencies about any cyberincidents (such as letters to state attorneys general or the filing of suspicious activity reports with the Financial Crimes Enforcement Network)? Does the company's policy contemplate providing such notices?
- Does the company share sensitive data with third parties, such as cloud vendors? If so, has the target included third-party cybersecurity compliance language in its contracts?
Closing Points
Sharon R. Klein is a partner and the chair of Pepper Hamilton's privacy, security and data protection practice. She also leads the firm's technology and digital health practices. Taylor Jon Torrence is an associate in the corporate and securities practice group of the firm. He advises clients on all types of transactions, including mergers, acquisitions and joint ventures, as well as privacy and data protection issues.