June 20, 2016

TRAINING FOR TOMORROW: Five Ways to Control Cyber Risk in a Merger or Acquisition

Alan B. Rabkin

Those who have lived through mergers can attest to the fact that they are an intensive period of highly focused and compressed effort for both the acquiring and the acquired company, as well as the teams of counsel that diligently assist them. From the first confidentiality agreement through the completion of the merger or acquisition, a period often lasting many months, a long punch list of due diligence and action items is constantly studied and checked off while additional items are added in a type of legal ballet that, although at times messy and imperfect, is looked back on with pride when (and if) the merger successfully concludes.

As the days tick down to the target completion date, information is flying and scraps of reminders and to-do lists abound. It is easy to miss critical issues. One area that until recently has received less than full attention is cyber risk. Overlooking it is increasingly risky because the problem often rolls out in all its ugliness after the merger concludes. The problem could be in the form of a missed warning, an improvident allocation of cyber liability, an unanticipated payments snafu, an undisclosed hack, or the continued use of legacy software that has more holes in it than the proverbial hunk of Swiss cheese.

Most merger agreements contain provisions requiring that the information provided to the other party is true and correct at closing. As cyber risk evolves, the standard-of-care and best-practices requirements of M&A counsel are taking on a new sense of urgency as to cyber risk assessments, and cyber risk is certainly not receding as an important part of merger processes. Thus, to avoid a claim that the issue was inappropriately missed, at least basic due diligence must be made in the five areas discussed below to identify and quantify any cyber risk before closing a merger, given that each affects pricing, disclosure to voting shareholders, and allocation of post-closing liability, among others.

Certain industries, including the banking industry that I know best, carefully consider cyber risk in the merger or acquisition of financial institutions. Regulatory approvals may in fact depend on proving that such risk has been studied. Not only does cyber risk potentially and directly impact pricing and reserves for liability, it can also rapidly and unexpectedly weaken a stronger company or institution post-closing. The same concerns may be true in any industry, whether regulated or not.

Therefore, the following five areas are the minimum best-practices inquiries related to cyber risk for merger parties as to each other’s operation. Ask the sample due diligence questions that follow regardless of the industries involved because they each could dramatically impact the transaction.

Inquiry 1: Fully Understand the Allocation and Indemnity of Third-Party Technology Vendor Liability as to Critical Computing, Processing, Payments, or Other Technology Agreements.

More and more companies are relying on outside technology vendors for a wide array of back-shop tasks. A weak link in any organization’s cyber assessment for merger or acquisition is the work done for a company by others. The computing, processing, payments, or other technology work almost certainly will be supported by an agreement, terms of the engagement, or a referenced and adopted set of policies. Such agreements are critical to liability assessments if for nothing else than their shifting of cyber risk. They must be reviewed.

Contract verbiage matters in this area. There is a significant difference in a cyber risk context between assurances of limiting intrusion tied to a best-efforts standard and promises of no intrusion at all. Efforts must be taken in an M&A context to determine the relative risks created by such allocation and the solvency of the third-party vendor to back promised risk retention, and to cautiously advise the client company of any remaining residual cyber risk. Do not forget the risks imposed by agreements for cloud computing, payments technology, and payroll processing.

A related risk is that the vendor will not be bound to assist in the transition of the company to the systems of the acquiring company at a reasonable cost or on a reasonable time schedule, or will not maintain the systems if the operations will remain separate. A review of the agreements will uncover these forms of noncooperation or hefty, unreasonable conversion fees.

Finally, a review of IT licensing should be undertaken. At a minimum, lining up current systems with relevant contract provisions may demonstrate gaps or expired licensing.

Sample Due Diligence Questions for Inquiry 1:

Regarding your technology agreements with third-party vendors, please provide the following as to each:

  1. The entire agreement, including attachments, exhibits, and amendments, and any indemnification or allocation of liability agreements that may be related to those agreements but entered into separately from those agreements; and
  2. The latest service organization’s SOC 1 or 2 or SSAE16 ISAE 3402, or equivalent, regarding controls, risk, and financial assessment for the vendor, if any.

Inquiry 2: Know and Understand Each Suspected Intrusion – Material or Not.

Of course, known intrusions, even if resolved, are an absolute must for early identification and, if material, should result in a reservation of merger consideration or should be defined as a reason to break up any merger if widespread and uncovered. Computer crimes and cyber intrusion insurance should also be identified and quantified in making this determination.

Suspected and so-called immaterial intrusions usually are not revealed in many M&A transactions unless specific inquiry is made. Financial statements cannot be relied upon to identify intrusions, given that they may be internally explained away under accounting standards as immaterial and may not be reflected in the notes to financial statements. Immaterial intrusions often are explained and summarily discounted as not being “proven” (at least not yet) so as to require positive notification to all, or a significant portion, of the customer base. However, that assessment of responsibility may be biased by strong competitive or reputational concerns and may not be aligned with the governing standards, because those standards are mandated by various states, the Federal Trade Commission, or other agencies.

For example, what if last year your client’s senior-level employee lost his laptop in a car theft? Your first determination of materiality is whether the information contained on the laptop was encrypted or whether its access was passcode protected. If the laptop was not so protected, there is a definable risk that must be discussed and any potential liability allocated. This is especially true if no or insufficient notification was given to customers or applicable agencies.

Sample Due Diligence Questions for Inquiry 2:

Regarding any known or suspected intrusions into the nonpublic information of the Company, or any of its affiliates, please advise as to each:

  1. A summary of the intrusion as to information accessed or likely accessed; how and when the intrusion was discovered; and any notifications or credit-monitoring options given as to the intrusion to customers, employees, or third parties (with a copy of each form of notification and when sent); and
  2. The estimated cost of further remediating the intrusion should the information be utilized now or in the future.

Inquiry 3: “Self-Assessments” of Cyber Risk and Deficiency.

Certain regulated industries are encouraged by regulators to self-assess as to liability or risk areas and in so doing are rewarded by limitations on assessment of fines, penalties, and other negative aspects of the assessment if the organization has promptly instituted reasonable changes. The cyber risk assessment area often is one of those encouraged risk-assessment areas. However, self-assessments are also valuable windows into the safety, security, and efficacy (or lack thereof) of the company’s cyber and security controls. Asking for and reviewing self-assessments is becoming a vital element of any M&A due-diligence inquiry because they are a wealth of information regarding the cyber health of the parties.

Sample Due Diligence Questions for Inquiry 3:

Regarding any cyber risk, computer, or potential cyber intrusion self-assessments, studies, reports, analysis, or recommendations (the “assessments”) for the Company, or any of its affiliates, please provide as to each:

  1. A copy of the assessment, including any summaries, attachments, or exhibits; and
  2. Any policies and procedures adopted following any assessment to address any assessment recommendations.

Inquiry 4: Payroll, HR, 401(k), and Health-Care Information.

Often overlooked in due diligence is the cyber risk associated with payroll, HR records, 401(k) administration, HSAs, and medical insurance. Third-party vendors typically are involved in this area. Efforts should be made to acquire the agreements related to these services, with an employee benefits specialist conducting an adequate review of the security and confidentiality of this data, the vendor providing the service, and the vendor maintaining historical records. In addition, an analysis should be made of any intrusion liability, given that critical, sensitive data regarding employees is involved.

Sample Due Diligence Questions for Inquiry 4:

Regarding your HR, benefits, and medical-plan agreements, including those maintained with third-party vendors, please provide the following as to each:

  1. The entire agreement, including attachments, exhibits, and amendments, and any indemnification or allocation of liability agreements that may be related to those agreements but entered into separately from those agreements; and
  2. The latest service organization’s SOC 1 or 2 or SSAE16 ISAE 3402, or equivalent, regarding controls, risk, and financial assessment for the vendor, if any.

Inquiry 5: You May Be a Serious Cyber Risk!

That’s right. Your firm and its employees and attorneys could be a serious cyber risk regarding a merger deal. Because you are digging around in the most sensitive areas of a company, e-mailing sensitive information, or allowing data-room access to sensitive files, it is vitally important that you, as a key merger team member, lock down confidentiality, access, and your own intrusion risks relating to your client’s data and that of all counterparties. Access should be limited to team members and constantly monitored with entry logs or similar summaries. Warnings should be given relating to proper use of the data. Merger data should be deemed to be subject to a zero-tolerance standard of protection and properly walled off, with access highly controlled.

Sample Letter to Staff for Inquiry 5:

Dear Valued Team Member:

You have been selected to be part of the impressive team that will close the XYZ merger transaction for ABC company. It is a great honor for our firm that we have been chosen to handle this large project.

As part of your work, you will be exposed to highly sensitive data and certain nonpublic information. It is important that you treat the data with great care and do not expose it to anyone outside of our team. For example, any work taken out of the office should be safeguarded at all times and not allowed to be placed in a compromised position, stolen, or used by anyone else. When in doubt, protect the client to the maximum degree.

Be especially careful using home-computing systems to send or receive sensitive documents. Despite all of our best efforts, home systems frequently are not well protected against sophisticated intrusions.

Should you have any questions or concerns as we complete this merger, please feel free to let me know.

The cyber risk area is rapidly growing in importance within the M&A due-diligence review and is an area in which you can positively assist your client. Early analysis of cyber risk can avoid tense repricing or liability allocation discussions on the eve of closing an acquisition. Assume that no cyber risk is immaterial unless that risk is proven to be truly so. Protect your client against cyber risk liability and, above all, avoid your firm becoming a cyber risk to your own client.

Additional Resources

For other materials on this topic, please refer to the following. 

Business Law Section Program Library

Data Privacy and Cybersecurity Due Diligence in M&A Transactions
Presented by: Business Law Education, Corporate Compliance, Corporate Counsel, Corporate Governance
Location: 2015 Spring Meeting

Alan B. Rabkin is of counsel at Holland & Hart, LLP in Reno and Las Vegas, Nevada.