Cybersecurity has emerged as a significant business risk that requires active management by companies and their boards. Increasing attention is being paid to the effect of cybersecurity regulations and standards on M&A transactions. In the United States, cybersecurity is a complex issue: sector-specific laws and regulations exist at both the federal and state levels; a wide range of government and industry groups issue comments and guidelines; and there are many other attempts to codify best practices. Understanding how that fast-changing landscape affects potential portfolio companies is an important investment consideration in 2015. Failing to understand how cyber risk can affect the value of a portfolio company can mean the difference between a successful and an unsuccessful (or less successful) investment.
Costs to Meet Regulatory and Industry Requirements
If a target company’s IT infrastructure fails to comply with current – or, more likely, upcoming – regulatory and industry standards, bringing that infrastructure up to the required standard could entail a significant outlay of capital.
Consider, for example, consumer-facing companies that accept credit cards. Every merchant that accepts name-brand credit cards must comply with a set of data security standards known as the “Payment Card Industry Data Security Standard,” or “PCI DSS.” Major merchants must demonstrate compliance with the standard annually through an external assessment. (Merchants that process a smaller volume of transactions demonstrate compliance through a self-assessment.) Potential buyers of such businesses should be aware of – and know how the target company is preparing for – any significant changes to PCI DSS or to the industry rules governing how credit card transactions are processed.
In fact, the American credit card industry is on the verge of a seismic shift away from relying primarily on magnetic stripes and towards “EMV technology,” which uses an electronic chip built into the card (and is already widely in use in Europe). This is good news for reducing counterfeit-card fraud at the point of sale, but it could also present a significant cost to merchants. They may have to upgrade credit card terminals, train employees on using the new terminals, and upgrade other hardware and software to implement the changes. The major card brands have announced that, beginning in October 2015, merchants who have not made such changes will bear the liability for fraudulent transactions conducted with the less-secure magnetic stripe technology. If you’re considering a deal involving a retailer, these expenses may not be readily apparent, but they’re foreseeable if you know where to look.
The credit card industry is not alone in facing potentially significant changes driven by cybersecurity concerns. In a recent speech, Benjamin Lawsky, the outgoing Superintendent of New York’s Department of Financial Services (“DFS”), announced that the agency is “currently considering regulations that would mandate the use of multi-factor authentication” for financial institutions regulated by DFS. Multi-factor authentication requires an additional step beyond entering a username and password in order to access a computer system, such as supplying an access code algorithmically generated by a token in the user’s possession. Just as with the switch to chip-based credit cards, moving a company’s systems over to multi-factor authentication could be costly and time-consuming, which is useful information to learn during pre-acquisition due diligence.
Costs of a Data Breach
Another potential due diligence consideration is the risk that a portfolio company may suffer a data breach, which in some cases could be material to the business. Although there is no easy way to quantify this risk, both the sector in which a particular company operates and its cybersecurity practices can help buyers assess it. The costs incurred in responding to a significant data breach can be material. For instance, Target reported breach-related costs of some $191 million in the 2014 fiscal year (offset by about $46 million in insurance payments).
What Steps Should a Private Equity Firm Take?
Given these concerns, what steps should a private equity firm take to properly evaluate cybersecurity concerns in the deal context?
Consider the Sector. As a first step, evaluate the target company’s market sector for cybersecurity risk and relevant regulations. Whether cybersecurity standards are prescriptive, in development or essentially undecided may depend in large part on the sector in which the target company operates. Ensure that you (or your outside advisers) have looked not only to regulatory rules, but also are aware of guidance issued by self-regulatory bodies, as well as so-called “soft” guidance that may portend future changes that could materially affect the target’s operations.
Beware Prior Data Security Incidents. How often a potential portfolio company has been the subject of a cyberattack, and whether it has actually experienced a breach of security, can provide important insights into the adequacy of the company’s data protection procedures as well as its risk profile. It is important to examine the nature of any prior attempted or successful breaches, and how the company responded to them. Among other things, you may want to confirm that a U.S. target, if required to do so, has properly disclosed any prior data breaches consistent with the breach notification laws of the 47 states that have them.
For publicly traded U.S. companies, understanding prior data breaches is important for another reason: the U.S. Securities and Exchange Commission has issued specific guidance suggesting that companies that have suffered breaches should consider disclosing information about them in their annual Form 10-K filings or, if the incident is material to the company’s operations, through a Form 8-K filing. Failure to properly disclose a prior data security incident could result in an enforcement action.
Review Cybersecurity Assessments. Many companies conduct so-called “penetration testing,” in which ethical hackers hired by the company attempt to breach the company’s computer network. These “white-hat” hackers might be outside consultants or part of an internal “red team” specifically tasked with conducting ongoing assessments of the company’s IT infrastructure. Under some regimes – including PCI DSS, as noted above – annual assessments of a company’s cybersecurity controls are mandatory, so the target should have them readily available. Consider seeking these reports as part of your due diligence, together with evidence that the findings were remediated and retested: a test report is a snapshot of a single point in time, and a list of open findings that never shrinks says more about the target than the report itself.
Consider the Vendors. Reviewing the target’s IT infrastructure means understanding how it stores its data. What functions are outsourced? Who are the vendors? What sorts of security protocols do those vendors maintain? Here, reviewing vendor questionnaires (if available) may give insight into the risks that the third parties pose to the target company.
Relatedly, which third parties have access to the target company’s IT systems? Some recent, high-profile data breaches have been publicly linked to usernames and passwords that were stolen from vendors, and then used to access the company’s computer systems, so how a company vets and monitors third-party access is top of mind for many regulators.
Examine Corporate Governance. Understanding how IT security is managed by the target might provide valuable insight into how the company prioritizes cybersecurity. Increasingly, regulators expect that there will be a single person designated to oversee IT Security, such as a Chief Information Security Officer (“CISO”). In fact, for example, the New York Department of Financial Services recently announced that its examination questions on cybersecurity would include a request that regulated banks and insurance companies provide the CV for their CISO. Whether IT security is a standalone function, whether one person owns it, and what that person’s reporting lines are (e.g., direct to the CEO or buried on the org chart) can offer evidence of the strength of the target’s commitment to IT security.
Are the Target’s Policies and Procedures Commensurate with the Risk? In considering these issues, there is no one-size-fits-all approach. Appropriate due diligence should enable the buyer to assess whether the target’s approach to cybersecurity is commensurate with its risk profile. By asking the right questions, private equity firms can get the information they need in evaluating cybersecurity-related deficiencies and risks in moving forward with the deal.
Focused due diligence can help a private equity firm properly evaluate a target's cybersecurity risk and identify otherwise hidden costs, making post-closing surprises less likely. Of course, the need to manage cybersecurity risk doesn’t end with the closing of the acquisition. There are several steps that can be taken to mitigate post-acquisition risk on an ongoing basis. We will discuss some of those steps in the next issue of The Debevoise & Plimpton Private Equity Report.