Is a lack of cyber and data due diligence putting your deal at risk?
When investors say “technology drives business” what do they mean? Fundamentally, they mean a business’s ability to collect, process, analyze and monetize data. This capability is key to the technology behemoths that drive today’s economy, such as Google, Alibaba or Facebook. But even primary industries such as agriculture and mining now collect and analyze vast amounts of data to give them a competitive edge.
This information is now a corporate asset that is evaluated and assessed in mergers and acquisitions. Valuations of data are hard to come by, but one example is Microsoft’s 2016 acquisition of LinkedIn: Microsoft paid USD 26.2bn for the business social network’s millions of resumes and relationships. Data assets like these are not limited to social networking sites: in 2015, when Caesars Entertainment Corporation went bankrupt, its Total Rewards loyalty program was valued at USD 1bn.
Added to this is more conventional intellectual property such as designs, branding and technology. But even these have migrated to electronic form and online platforms. Collectively, they are the new digital assets that underpin a corporate valuation and are now subject to regulation and litigation – and even theft.
This means that investment and M&A activities are now exposed to the risks that come with poor cyber security. Investment in a company with poor cyber security can lead to financial loss through fraud; fines for breaches of regulation following the misuse, loss or transfer of data; or losses from theft of intellectual property. These losses may be compounded by reputational damage when the misuse or loss of data becomes public.
While data is key to all businesses, little due diligence is done by buyers on the cyber security of the company they acquire or how data is used and controlled, and little preparation is done by sellers to ensure the threats to their data assets are properly mitigated.
Control Risks analyzed PE firms in Asia managing close to USD 1tr of assets and found that, while most carry out occasional ad hoc due diligence on the information security of an acquisition target, only one had a formal program to assess how well data is protected, the likelihood of a future breach and whether there had already been a compromise.
This is surprising given the widespread impact of disruptive tools such as WannaCry and NotPetya, and given that breaches in which large volumes of personal data are compromised are now commonplace. Executives cite cyber security as their biggest risk concern and spend accordingly: USD 124bn of annual global spending on cyber security at the last count. But if investors and acquirers are so interested in the cyber security of their current businesses, why aren’t they interested in how data is used and secured by the businesses they want to acquire? Simply put, cyber due diligence is still in its infancy.
A useful analogy to understand the level of awareness is corruption due diligence. Anti-corruption due diligence was ‘nice to have’ 15 years ago. It was often limited to acquisitions in particularly sensitive countries and industries. Investors worried about corruption, but it was often an abstract concern and perceived as unlikely to have a long-term impact on a business, and where it did have an impact, it could be managed post hoc.
But, around the mid-2000s, the full force of the US Foreign Corrupt Practices Act (FCPA) started to hit companies, with multi-billion-dollar remediation costs almost matching the fines. Other countries, such as the UK and Germany, followed with their own anti-corruption legislation. Even China increased enforcement of anti-corruption regulations. Meanwhile, public disgust at corruption, prompted by campaigning organizations such as Global Witness, increased the pressure.
The protection of information from criminal, espionage or even regulatory threats (a fundamental objective of cyber security) is at the same stage as anti-corruption compliance was in the early 2000s. It is widely acknowledged to be a problem with acquisitions, but it is seen as a problem that will probably affect someone else, can only be resolved post hoc, and can probably be resolved without reputationally damaging disclosure. As with anti-corruption due diligence before the FCPA, however, the requirements are rapidly and fundamentally changing.
Just as the FCPA drove investors to formalize their corruption due diligence programs, Europe’s General Data Protection Regulation and China’s Cyber Security Law are, alongside a raft of new data protection regulations and laws globally, beginning to drive a requirement for cyber due diligence. Poor cyber security is not just an abstract problem, but one that will have to be disclosed to regulators, partners, clients and customers, and will lead to large fines, reputational damage and legal costs. Although investor awareness is increasing, it is still maturing.
Investors are asking “how do we perform due diligence on the cyber security of an investment target?” The key steps are: identify the key information that needs to be protected; then understand what people, processes and technology are being used to protect it; and finally determine whether these meet the appropriate regulatory standards and best practice.
As with corruption due diligence pre-FCPA, there is pushback on what information is accessible and useful for cyber due diligence. In anti-corruption due diligence, the concern was lack of access to detailed financial and sales information; with cyber due diligence it is claims of limited information on network and data security. But cyber due diligence is, in many ways, a more straightforward process. At its least invasive level it involves identifying examples of poor security behavior and practices on externally facing assets. More in-depth, cooperative due diligence tasks include reviewing evidence of cyber security best practice, such as security audits and breach response plans. For complex, high-value investments, a full-scale security audit including vulnerability assessments and penetration testing, managed jointly by all parties, can be executed.
The question of “how do we do cyber (and data) due diligence?” is only now starting to be answered. Like corruption due diligence, it will evolve with multiple approaches appropriate to different countries, industries and relationships. But, like its corruption due diligence cousin, it will become a standard part of the due diligence toolkit.