Regular audits of cyber security and the security of potential acquisition partners should be at the very heart of the M&A due diligence process
THE LAUNCH of the government-backed ‘Cyber-security in Corporate Finance’ guide, the product of several months’ work by a taskforce of a dozen UK professional organisations, once again highlights the dangers of cyber crime. Spearheaded by ICAEW, it is the latest in a long line of public initiatives to reduce cyber-related financial, reputational and legal risks.
People have tried to profit from inside information during sensitive M&A transactions for as long as the modern financial system has existed. The traditional defence against such leaks, keeping the circle of trust small, is no longer enough. With the advent of highly targeted and sophisticated computer hacking, the risk of a leak is no longer bounded by the trustworthiness of the people in that circle. Equal attention must now be paid to the cyber security of the inner circle itself. That point was reinforced when the website of a third-party law firm with an energy practice was compromised, reportedly as part of the LightsOut campaign, which targeted the energy sector.
The weakest link
For this reason, an increasing number of corporates are reviewing the cyber resilience of their external advisers in an attempt to identify weak links. This is good practice: it is not uncommon to find that a breach occurred on the network of a company’s external adviser rather than on the company’s own systems.
Contractual obligations may clarify who is legally responsible for a breach in that circumstance, but that is no substitute for preventing the breach in the first place. This is especially true because, whatever the underlying facts, the public is likely to blame the company whose data was involved, even if it was not the company’s own systems that were breached.
The risk of cyber attacks goes beyond the fear that confidential information about a merger might leak and allow improper trading. Cyber security is now at the very heart of what makes an organisation effective and worthwhile. Just as an acquiring company must assure itself that a target company’s finances and legal risks are manageable, it must also assure itself that the cyber risk is acceptable.
Too often, issues of cyber security are left until after a transaction is complete – a question of integration, not value. This is a mistake. A cyber breach could easily have a material impact on the value of a company, which means it is far too late to leave this for the IT team during the integration phase.
This is true for virtually all companies today – not just those in the technology sector. As an example, it would be devastating to invest in a retailer only to find out a few weeks later that it had been subject to an advanced persistent threat that had been systematically stealing its customers’ credit card information. It is a scenario that is by no means hypothetical, with one UK listed company, known for its commitment to managing cyber risks, finding that the failure of a newly acquired company to address such vulnerabilities had offered hackers unfettered access to its networks for well over a year.
The incident, which was highlighted as part of a series of case examples in the ‘Cyber-security in Corporate Finance’ guide, saw intruders steal valuable intellectual property. In a separate incident, email accounts of the entire senior leadership team of an international manufacturer were monitored for several months, during a period of complex negotiations with a foreign government.
Smart companies, therefore, conduct regular audits of their own cyber security and of the security of potential acquisition partners. Such an audit should sit at the very heart of due diligence. It allows the effectiveness of information systems to be reviewed and, where required, remedial steps to be taken before the deal closes rather than after.
The review must be tailored to the organisation, its risk landscape and the nature of the company being acquired. At the very least, it must include a high-level assessment of existing security controls and plans, which may include a review of firewall configuration and logs, malware detection coverage and, where the logs allow it, a search for evidence of data exfiltration and other positive indicators of a breach. An absence of alerts from the target’s own tooling is not evidence of an absence of intrusion: if the target keeps no outbound connection logs, or keeps them only for a few days, that gap is itself a finding.
This first stage will commonly include an analysis of the target company’s data profile, the kinds of attack that similar companies have experienced, and what is already in the public domain about the company, including who its likely adversaries are. Each review is likely to highlight different types of cyber risk, depending on the business environment in which a company operates: a mining company extracting minerals in a politically sensitive region, a retailer with significant legacy card payment infrastructure and an international defence contractor all face differing degrees of exposure to different kinds of attacker.
The second stage should review existing systems in greater depth, including the nature of the technology infrastructure, where the company’s data is located, the type of data held and how systems are currently defended. Executives across the organisation will play a key part in this process, which also offers an opportunity to check whether existing policies are understood and still add value. In many cases this will involve an in-depth review of systems alongside penetration testing, to ascertain the ability of the existing infrastructure to withstand an attack. Any such testing of a target’s systems must be carried out only with the target’s explicit written authorisation and within an agreed scope.
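The first-stage ‘search for evidence of data exfiltration’ mentioned above can be reduced, at its simplest, to two questions asked of the target’s outbound connection logs: which internal hosts are sending unusually large volumes to a single external destination, and which are connecting to one destination at suspiciously regular intervals (beaconing). The script below is an added example, not code from the article, the ICAEW guide or Stroz Friedberg; the four-column log format and every log line in it are constructed for illustration, and the thresholds (a 1 MB floor, ten times the median pair volume, a 10% coefficient of variation over at least four connections) are assumed starting points that a reviewer would tune to the target’s actual traffic.

```python
"""Added example: two simple exfiltration indicators over outbound-connection logs.

Log format (constructed for this example, not a real product's export):
    <ISO-8601 timestamp> <internal source IP> <external destination IP> <bytes sent>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample. Three workstations browse ordinary web hosts at irregular
# times with small uploads; 10.0.1.31 makes one large but one-off upload; and
# 10.0.1.40 pushes 2.4 MB to a single rare destination exactly every ten minutes.
SAMPLE_LOG = """\
# ts                  src        dst           bytes
2024-03-01T09:00:05 10.0.1.15 203.0.113.10 4120
2024-03-01T09:00:00 10.0.1.40 192.0.2.55   2400000
2024-03-01T09:00:41 10.0.1.22 198.51.100.7 980
2024-03-01T09:03:40 10.0.1.15 203.0.113.10 3900
2024-03-01T09:05:12 10.0.1.31 203.0.113.10 2200
2024-03-01T09:10:00 10.0.1.40 192.0.2.55   2400000
2024-03-01T09:11:12 10.0.1.15 203.0.113.10 5010
2024-03-01T09:12:01 10.0.1.15 203.0.113.10 2750
2024-03-01T09:15:33 10.0.1.22 198.51.100.7 1500
2024-03-01T09:20:00 10.0.1.40 192.0.2.55   2400000
2024-03-01T09:25:47 10.0.1.31 203.0.113.10 900000
2024-03-01T09:30:00 10.0.1.40 192.0.2.55   2400000
2024-03-01T09:40:00 10.0.1.40 192.0.2.55   2400000
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def volume_outliers(records, floor_bytes=1_000_000, factor=10):
    """Flag (src, dst) pairs whose total outbound volume is far above the rest.

    The threshold is the larger of an absolute floor and `factor` times the
    median per-pair total, so a single noisy pair cannot hide by inflating
    the baseline and quiet environments do not flag ordinary browsing.
    """
    totals = defaultdict(int)
    for _, src, dst, n in records:
        totals[(src, dst)] += n
    if not totals:
        return []
    threshold = max(floor_bytes, factor * median(totals.values()))
    return sorted((pair, total) for pair, total in totals.items() if total > threshold)


def beaconing(records, min_connections=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection gaps are almost perfectly regular.

    Returns (pair, mean gap in seconds). A low coefficient of variation
    (stdev / mean of the gaps) is the classic signature of scheduled malware
    check-ins; human browsing produces highly irregular gaps.
    """
    stamps = defaultdict(list)
    for ts, src, dst, _ in records:
        stamps[(src, dst)].append(ts)
    hits = []
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_cv:
            hits.append((pair, mean_gap))
    return sorted(hits)


def find_exfil_indicators(text):
    """Run both checks over a log export and return the findings by category."""
    records = parse_log(text)
    return {"volume": volume_outliers(records), "beaconing": beaconing(records)}


if __name__ == "__main__":
    for category, findings in find_exfil_indicators(SAMPLE_LOG).items():
        print(category)
        for pair, value in findings:
            print("  %s -> %s : %s" % (pair[0], pair[1], value))
```

On the constructed sample only 10.0.1.40 → 192.0.2.55 is reported, and by both checks; the 900 kB one-off upload from 10.0.1.31 is not, because a single large transfer to a host other workstations also use is exactly the kind of legitimate activity a reviewer does not want buried under false positives. In a real review the same two questions would be asked of weeks of proxy or firewall exports, with destinations enriched against the target’s known cloud and backup providers before anyone is asked to explain a hit.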
There are a series of issues to assess and the cyber security guide offers an insight into the possible questions to ask during the due diligence process. While not an exhaustive list, these may include:
• When did the board last consider cyber-security?
• Who is ultimately responsible for managing cyber security in the company?
• How confident is the company that its most valuable information is properly managed and safe from cyber threats?
• When did the company last experience a cyber or information security breach?
• What steps did it take to mitigate the impact of that breach?
In assessing such risks, it is important to remember that cyber risks can also emanate from within, either inadvertently, by staff activating malware by clicking on links in emails, or intentionally, by malicious insiders motivated by revenge or financial gain. Indeed, careless behaviour as a potential source of a cyber attack matters most at the top of an organisation, because senior executives typically hold the broadest access to sensitive information and are the most attractive targets.
The stakes are too high for cyber security to remain an afterthought in corporate finance transactions. FDs, alongside their fellow senior directors, owe a duty to their shareholders to understand and mitigate these risks.
Seth Berman is executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company.