Have you undertaken cyber security due diligence?

Cyber security during a merger or acquisition

Mandy Simpson
Cyber Toa

--

In 2015 TalkTalk, the UK listed telecoms company, was the victim of a cyber attack in which the attackers accessed the personal details of 156,959 customers and the bank account details of 15,656 of them.

The data breach occurred via three vulnerable webpages in infrastructure that TalkTalk had inherited when it acquired the UK operations of Tiscali, an Italian telecoms company. According to the UK Information Commissioner’s Office, “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”

In October 2016, the ICO fined TalkTalk a record £400,000 for the breach. The ICO currently has the power to issue fines of up to £500,000, although from May 2018 onwards the General Data Protection Regulation (GDPR) will mean that companies processing the personal data of people in the EU can be fined up to the greater of €20m or 4% of global annual turnover (over £73m for a company such as TalkTalk).

The fine was dwarfed, however, by the total cost to TalkTalk of the clean-up, business disruption and reputational damage. In its Q3 trading update TalkTalk estimated the total cost at over £80m: £42m relating directly to dealing with the attack and its aftermath, plus £35m in trading costs and reduced revenues from the loss of 101,000 customers, fewer new connections and significantly increased customer churn.

M&A Due Diligence
Any merger or acquisition carries risks, and directors, company executives and their advisers (e.g. lawyers) have significant responsibilities during a transaction. Traditionally the due diligence undertaken by boards has covered areas such as financial information, taxation issues, contracts, customers, intellectual property and key employees. Until relatively recently cyber security risk has not been a high priority. But increasingly mergers and acquisitions come with past, present and future cyber security issues bundled into the deal: a target's existing breaches, its unpatched or unknown infrastructure, and the cost of bringing its security up to the acquirer's standard.

In a recent survey report NYSE Governance Services and Veracode reported that 85% of directors believe discovery of a major vulnerability during due diligence would impact their final decision on a merger or acquisition. Meanwhile a Freshfields Bruckhaus Deringer survey of global deal-makers reported that 51% of North American respondents had seen cyber security becoming a key part of due diligence in the past year, compared to only 39% in Europe. That figure is likely to be lower still in New Zealand. It appears that directors are recognising the issue, but perhaps not yet addressing it.

Assess the risks early
These days, almost all companies face some cyber security risk. But the impact of a breach can be much higher for certain types of company: those handling sensitive personal data such as medical, criminal or financial records, those holding significant confidential information or trade secrets, or a company whose security reputation is a critical part of its brand. An early assessment of the likely risk level will help to determine the priority that should be given to cyber security due diligence, and whether external specialist resource may be needed.

A company that takes cyber security seriously will have a clear strategy in place to protect its identified critical assets, defined accountability within the executive team, regular board-level discussions and a shared understanding of the risks, appropriately skilled and experienced security staff, established policies, regular training, and a culture that supports risk awareness and management.

Where the risks and cyber security posture of the two companies are very different there may be significant costs associated with ensuring an ongoing, appropriate level of security for the new joint organisation, even if no issues have been experienced to date.

Once this early, high-level review has been completed, more detailed due diligence can cover areas such as security audits, incident response plans, previous incidents or breaches, reliance on third-party providers and the associated controls, and, if necessary, specific detailed testing of the target's systems.

Don’t get caught out
Cyber security is becoming a key risk for companies, and one with the potential for a material impact on value. Understanding the risks and vulnerabilities faced by a target company allows the acquirer to decide whether this is something they are prepared to take on, and if so to factor them into the purchase price, rather than facing an unpleasant surprise months or even years later.

Mandy Simpson is CEO at Wellington based consultancy firm Cyber Toa. This article was first published at cybertoa.com

--

Director, consultant, keynote speaker. Financial services and the impact of fast changing tech. Board member at Punakaiki Fund. SingularityU Faculty.