IndiaCorpLaw

The Need for Cyber Security Due Diligence in M&A Transactions

[The
following post is contributed by Prajoy
Dutta
, a third year B.A.,LL.B (Hons.) student at Institute of Law, Nirma
University, Ahmedabad and Srinivas Raman,
a fourth year B.A.,LL.B (Business Law Hons.) student at National Law
University, Jodhpur]

Introduction

In the rapidly
expanding mergers and acquisitions (“M&A”)
environment, companies often overlook the finer aspects of due diligence in
their zeal to complete the transaction. However, these overlooked aspects tend
to be reasons behind deal failures. It is because companies underestimate the
importance of thorough due diligence on the target and take several vital
things for granted at the time of closing.[1]

One such aspect that
has become extremely vital in today’s business atmosphere is cyber security. Cyber
due diligence is a relatively new area of due diligence which has largely
emerged as a result of technological advancements and increasing data and
privacy threats. Due to the onslaught of globalization
and technology, almost all formal sectors today are dependent on technology,
connectivity and digital networks to varying degrees. While sectors such as
media, information, telecom, software and technology services are enabled by
technology, various other sectors such as marketing, banking, education,
transport and medical have grown exponentially by incorporating technology as a
driver to increase their performance and efficiency.

However,
cyber due diligence remains an un-prioritized and often ignored area in most
deals in India and other developing countries.[2]
This post seeks to shed light on the importance and scope of cyber due
diligence in India by presenting the main risks and consequential impact on
M&A deals in India. It also suggests certain strategies to mitigate cyber
risks through a study of international best practices.

Risks
Due to a Lack of Cyber Security Due Diligence

Threats that arise out of cyber-attacks appear in several
forms. Many such threats pose serious direct and indirect financial risks[3] to
companies, a pertinent example being how the emergence
of ransomware[4] has highlighted the ease
with which cyber criminals can halt business operations for days or weeks at a
time, resulting in unrecoverable loss of revenue.[5]
However, what are the initial threats that result in financial risks? These can
broadly be divided into two major categories i.e. electronically stored
information (ESI) data breaches and loss of deal value. ESI breach risks can be
explained by further dividing them into intellectual property (IP) loss,
reputation and brand impact, and remediation costs.[6] Other
hidden costs may include value of lost contracts, lost value of customer
relationships and insurance premium increases.[7]

ESI
and Data Storage Breaches

The lack of focus on cybersecurity due diligence in
Indian M&A transactions can lead to serious impacts on ESI and data that is
stored on online databases such as the cloud.[8] ESI
refers to any data that is created, altered,
communicated and stored in digital form.[9]
Examples of ESI could range from emails exchanged on the company’s servers to
confidential information about the company’s IP and trade secrets. The two
major ramifications that arise from an ESI breach are both immediate, such as a
loss of IP and long term, such as a loss in brand and customer reputation.

Loss
of Confidential Intellectual Property

Surprising as it may seem, despite its widespread
ramifications, cases involving IP loss due to cyber-attacks have largely
remained in the shadows. It is important to note, however, that IP theft has
ramifications that could metastasize over months and years.[10]
The effect of an IP loss could include forfeiting the “first to market
advantage, a loss in profitability, and in the worst case – losing entire lines
of business to competitors or counterfeiters”.[11]
In almost all cases, the theft involves stealing of important corporate secrets
such as trade secrets, proprietary business information and even merger plans
rather than publicly available information such as patents and trademarks.

Loss
of brand reputation

An equally important risk that must be discussed is
a company’s loss of reputation in the event of a data breach. The risk is
greater for publicly traded companies since reputation and investor sentiment
are key factors in determining the company’s share price on the market. Perhaps
the greatest risk lies with companies that rely on user data such e-commerce
companies or social media networks. In the contemporary digital age, the
security of user’s personal information is closely entwined with the right to
privacy and it is expected that every business organisation should recognize
and protect these rights. This protection however, should not be limited only
to users but also to business partners, employees and all other stakeholders.[12]
The protection of sensitive information is critical to an organization’s
ability to conduct business. A reputation for strict focus on information security
would not only make an organisation a trusted business partner, it could also
result in a significantly higher price of acquisition by an acquiring company.

Role
of Cyber Diligence in M&A Transactions

Typically, the primary aim of due diligence over a
target is to help the acquirer determine a fair price to pay for acquisition.
The price so arrived at is inversely proportional to the quantum of risks
uncovered.

The lack of cyber due diligence does not merely
impact the pricing of the target company; it also has the potential to
seriously hamper envisaged synergies at the post-merger integration stage.
Integrating the electronic network and data of the target post – acquisition to
the network of the acquiring company may be extremely problematic if the
target’s network infrastructure is weak or flawed. These issues may dilute the
benefits of other synergies by adding to further costs in building and
revamping cyber infrastructure, often making the transaction counter-productive
or resulting in failure.

The
Consequential Impact on M&A in the Indian Market

The potential impact on Indian M&A looks grim
given the substantial amount companies are spending in solving post data breach
problems. Indian companies have especially faced the brunt of not incorporating
cybersecurity checks into their due diligence process. A 2016 data breach study[13]
by the Ponemon Institute[14]
that focuses on the costs of data breaches in India, reveals some important and
worrying numbers. The average per capita cost of a data breach increased from
Rs. 3,396 in 2015 to Rs. 3704 in 2016.[15]
The average total organizational cost of the data breach increased from Rs.
88.5 million in 2015 to Rs. 97.3 million.[16]
Malicious or criminal cyber-attacks resulted in a total cost of Rs. 4,596
million this year, system glitches cost Rs. 2953 million and negligence or
human error cost Rs. 3,301 million.[17]
Financial institutions, services, industrial and technology companies are the
industries with higher data breach costs.[18]A
cursory analysis of these figures reveals the loss an acquiring company may
have to face due to lapses in the target company’s cybersecurity framework. All
in all, none of the figures reveal a very promising picture for successful
M&A deals in the Indian market and it is high time that cybersecurity due
diligence took a major role in due diligence processes in Indian M&A
transactions. 

Lessons
learnt from International Best Practices

In order to safeguard against cyber threats, malware
and other data protection and security related problems, companies across the
world have, in recent years started adopting certain mitigation practices.
While conducting due diligence of the target company, a potential acquirer
should check inter alia whether the
following measures have been adopted and the extent of liability covered by
them:

1.         Cyber security insurance:

One of the best
ways of mitigating risks associated with cyber security is to purchase cyber insurance
for the organization. Typically, internet based risks, technology
infrastructure and other data related risks are outside the ambit of
traditional commercial insurance products. Hence, there is a need for a
specialized product which can safeguard the organization against cyber risks.
Cyber insurance offers several benefits; it provides inter alia first- party coverage against losses arising out of
hacking, malware infection, theft/ destruction of confidential data, etc. in
addition to other allied services such as timely security-audits, providing
investigation services post cyber-attacks, etc. It also provides a unique
funding mechanism, which helps businesses affected by cyber-attacks recuperate
from major losses and resume day-to-day operations in a smooth manner.[19]

Although cyber
insurance is becoming the norm in most jurisdictions having a mature market, it
is not the case in India as the market for cyber insurance products is not
large as compared to other insurance products. In the Indian market, only a handful
of players such as HDFC Ergo, Tata AIG and ICICI
Lombard offer cyber insurance services.[20] However, due to the high premiums charged by these
service providers, only a handful of large companies are able to afford them,
leaving most of the small and medium sized businesses vulnerable to cyber
attacks. Moreover, there is a general perception among Indian companies that
such expenditures are unnecessary. This is the result of a lack of awareness
and foresight which in the long run will prove catastrophic for technology
dependent companies.

2.         Security Program Assessment (SPA):

Evaluating
digital resilience of the target company is a wise decision. Digital resilience
is a highly valued intangible asset which is factored into the price of the
transaction. A properly conducted SPA discloses a comprehensive report
indicating all potential cyber risks which a company faces and also helps
devising mitigation strategies. It also detects areas which need further
protection.[21]
Having an updated SPA report at the time of acquisition increases the price of
the target company as the risks faced by the acquirer are significantly
lowered. In the present scenario, most companies in India do not undertake SPA,
mainly due to lack of awareness of the risks they face and the benefits which
they could gain from taking such measures.

Conclusion

It is high time that
Indian companies woke up to realize the importance of cyber due diligence.
Given the increasing trend of multi-sectoral M&A activity, Indian companies
would do well to follow the norms of matured markets and adopt precautionary
and risk mitigating strategies to protect their organization’s data from cyber
threats and hackers.

– Prajoy Dutta
& Srinivas Raman



[1] James A Sherer, et. al., Merger and Acquisition Due Diligence Part II- The Devil in the Details,
22 Rich. J.L. & Tech. 1 (2015-2016).


[2] Rachel Louise Enseign, Cybersecurity Due Diligence Key in M&A
Deals,
Wall Street Journal Blog, available at http://blogs.wsj.com/riskandcompliance/2014/04/24/cybersecurity-due-diligence-key-in-ma-deals/.


[3] The global average cost of a
data breach in 2015 was $3.79 million. For more information on related direct
and indirect financial risks, refer the FireEye White Paper titled The Benefits of Cybersecurity Due Diligence
in Mergers and Acquisitions  
available
at https://indiacorplaw.in/wp-content/uploads/2016/09/wp-benefits-of-cyber-security.pdf.


[4] A ransomware is
a type of malicious software designed to block access to a computer system
until a sum of money is paid.


[5]The
Benefits of Cybersecurity Due Diligence in Mergers and Acquisitions
, FireEye, available at https://indiacorplaw.in/wp-content/uploads/2016/09/wp-benefits-of-cyber-security.pdf.


[6] Ibid.


[7] See note 12 below.


[8] For a pertinent example, refer
to the Forbes article on Target
Corp’s major data breach, available at http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#169b1ad06bd1. See also, The Biggest Data
Breaches in 2016, so far
, available at https://www.identityforce.com/blog/2016-data-breaches.


[10] John Gelinee, J. Donald Fancher,
Emily Mossburg, The Hidden Costs of an IP
Breach,  Cyber theft and the loss of
Intellectual Property
, Deloitte University Press (July 25, 2016), available
at http://dupress.com/articles/loss-of-intellectual-property-ip-breach/.


[11] Ibid.


[12]
As stated by Vince de Palma, President and CEO of Shred-it, an information
security services provider
,
available at https://www.shredit.com/en-us/business-brand-reputation-loss-due-to-a-security-breach.


[13]
2016 Cost of Data Breach Study: India
,
Ponemon Institute, available at http://www-03.ibm.com/security/data-breach/.


[14] The Ponemon Institute is an
independent research institution based in the USA that focuses on privacy, data
protection and information security policy.


[15] Ibid.


[16] Ibid.


[17] Ibid.


[18] Ibid.


[19] Tanya C. Fuhrman-Wenman, Cyber
Insurance in International Mergers and Acquisitions,
Denver Law Review (2016)


[20] Indian Perspective of Cyber Liability Insurance, available at http://www.infosecmaestros.com/blog/indian-perspective-of-cyber-liability-insurance.


[21] Zeta Dooly, Seamus Galvin, Jamie Power, et.
al., IPACSO: Towards
Developing an Innovation Framework for ICT Innovators in the Privacy and
CyberSecurity Markets,
470 Communications
in Computer and Information Science
, pp.148-158 (2014), available at http://link.springer.com/chapter/10.1007/978-3-319-12574-9_13 (last viewed on
28.08.16). See also, Cyber Security, available
at https://www.fireeye.com/blog/products-and-services/2016/04/cyber_security_the.html.2