Be Careful Not to Make a Bad Deal

Failing to conduct a thorough review of the cyber risks associated with an acquisition target is inexcusable.

Companies are starting to learn that it is very important to pay attention to privacy and cyber risks when conducting M&A due diligence.

In 2017, Verizon became the M&A cyber risk poster child when it learned shortly before its purchase of Yahoo that Yahoo had suffered two of the largest data breaches in history, in 2013 and 2014, affecting 1.5 billion users. Ultimately, Verizon shaved $350 million off the purchase price.

Yahoo had not told Verizon of the breaches. Concerned that Yahoo might have misled investors, the SEC opened an investigation into the matter. The SEC recently settled with Altaba for $35 million for the 2014 breach, the first such fine it has imposed for failure to report a cyber-security breach. (Altaba holds the remaining shares of Yahoo that were not purchased by Verizon.)

The SEC settlement agreement with Altaba noted, “Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches…without disclosing that a massive data breach had in fact already occurred…In response to queries regarding past data breaches by Verizon during due diligence, Yahoo created a spreadsheet that falsely represented to Verizon that it was only aware of four minor breaches in which users’ identifying information was exposed, but did not disclose the 2014 theft of hundreds of millions of users’ personal data in its response.”

After the close of the acquisition, Verizon revealed that three billion user accounts actually had been breached instead of the 1.5 billion reported by Yahoo. The lesson here is that companies must do their own due diligence on cyber risks. They must demand full access to technical data and reports to ensure they understand the security maturity of the acquisition target’s cyber-security program and have a clear picture of prior incidents.

What You Inherit

An acquirer should not look merely for past incidents, however, because serious cyber events can occur after an acquisition due to unknown vulnerabilities—and the blame and expense will lie at the feet of the acquirer. For example, Marriott acquired Starwood Hotels & Resorts in 2016. In November 2018, Marriott disclosed that Starwood’s hotel guest database had been compromised and highly sensitive personal data on approximately 500 million guests had been exposed. The data included names, addresses, phone numbers, credit card information, passport numbers, family member information, and travel itineraries and dates. In a statement, Marriott said that during its investigation of the hack it had learned “there had been unauthorized access to the Starwood network since 2014.”

Wow. The obvious questions are: what cyber due diligence did Marriott do, and why wasn’t this uncovered before the acquisition? Within a day, Marriott was hit with a securities class action suit alleging that investors had been harmed due to public misrepresentations, failure to disclose material facts, and material omissions and misrepresentations.

Similarly, PayPal uncovered cyber problems after it acquired TIO Networks in July 2017. A few months after the acquisition, PayPal notified TIO customers it was suspending service because it had discovered “security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” PayPal then issued another statement a few weeks later announcing it had “identified a potential compromise” of TIO’s systems “of personally identifiable information for approximately 1.6 million customers.”

Not surprisingly, a securities class action lawsuit was filed against PayPal a few days later. The suit claims PayPal failed to disclose that TIO’s data security program was not adequately protecting users’ personally identifiable information and that those vulnerabilities “threatened continued operation of TIO’s platform,” making revenues derived from TIO services “unsustainable.” The suit also alleges PayPal “overstated the benefits of the TIO acquisition” and investors were harmed by PayPal’s “materially false and misleading” statements.

The case, which is ongoing, raises the question: what due diligence did PayPal do on TIO’s cyber-security program prior to its purchase of the company for $233 million?

The possibility of breaches occurring after an acquisition is a risk that companies buy if they blindly acquire targets without conducting good cyber due diligence. Depending on the circumstances, the costs associated with a breach could exceed the purchase price.

In addition to data breaches, it is important for acquirers to investigate whether any of the target company’s confidential or proprietary data may have been stolen or exposed through a cyber attack. This could include pricing and customer lists, intellectual property or trade secrets, strategic information, marketing plans, personnel data or other sensitive information. These data usually represent a significant amount of the value of a company. It is possible, through good cyber due diligence, to uncover breaches, including the theft of data, that had not previously been detected.

Regulatory Costs

Privacy violations and associated investigations are now costing companies serious money. It is crucial that acquirers examine whether there have been prior privacy violations or whether there is the potential for one, which could result in large fines. Such violations may not yet have been detected by the target or reported to authorities. With the May 2018 implementation of the European Union’s General Data Protection Regulation, followed by Facebook’s Cambridge Analytica data scandal, privacy regulators around the globe have their antennae up, and fines for violations can be hefty, far exceeding the paltry $35 million SEC settlement with Altaba.

In January this year, for example, French regulators fined Google $57 million for failing to clearly inform users how the company was collecting data across about 20 Google services, including Google Maps and YouTube, and using it for advertising. In February, British members of Parliament accused Facebook of “intentionally and knowingly” violating privacy laws and called for investigations and increased regulation of tech companies. Later in February, The Washington Post reported the Federal Trade Commission and Facebook were negotiating a multibillion-dollar fine for privacy infringements at the social media giant that potentially violated its 2011 consent order with the FTC.

The bottom line here is that the green shades in M&A due diligence need to bring in some privacy and cyber-security experts to conduct a thorough assessment of the maturity of the target’s cyber-security program, including technical data and reports that could reveal prior incidents. Breaches, class action lawsuits, regulatory fines and investigations can pull millions—if not billions—from the bottom line of the acquirer.

Not every vulnerability nor every past or potential breach can be detected, but failing to conduct a thorough review of the cyber risks associated with an acquisition target is inexcusable. The information gathered can be used to estimate the costs associated with strengthening a weak cyber-security program, defending against prior breaches or lawsuits, or estimating potential penalties. It’s far better to consider these costs in the purchase price than to hope for the best afterward.

Insurance professionals also should work with their clients to help them manage the cyber risks associated with mergers and acquisitions. Agencies and brokerages can leverage the information obtained through the cyber due diligence process to review policies and ensure their clients have appropriate coverage post-acquisition.