In M&A, due diligence on the target’s cyber and other security issues is more important now than ever, for organisations in all sectors, not just technology: security is a key business risk, not just a technical issue. The rapid expansion of data security and privacy laws and regulations internationally harbours the potential for substantial liability, with the consequence that cyber compliance has become an important focus of the Mergers and Acquisitions (M&A) diligence process. Today, companies cannot undertake an M&A process without thinking about data. Whether a target collects employee data, client data, consumer data or some combination of the three, an analysis of how that data is collected, processed and protected will be critical to the due diligence process.
M&A Cyber security Checklist
Whenever a company is planning to acquire another organisation through a merger and acquisition process, it is important to assess the security risks that might come along with the acquisition. Until recently, most companies would focus on financial due diligence, paying very little attention to information security due diligence. Unless a company was data heavy, its privacy programme, documentation, and data security and acquisition programmes were likely minor considerations for an acquirer. This left most organisations open to significant financial and legal challenges.
Accordingly, buyers should:
- Carry out relevant due diligence on the target’s business and sector, both legal and technical, regarding security and data issues. This should also include issuing enhanced legal due diligence checklists covering data protection, privacy and security. If initial responses raise any red flags, the due diligence may have to extend to reviewing security-related policies and possibly engaging security experts to scrutinise the target’s systems and data as well.
- Ensure the transaction documents include provisions appropriate to the specific risks, such as possible retentions from the sale price, and representations and warranties on the target’s security policies and their implementation.
- Include indemnities, enforceable post-completion, covering for example investigation, remediation, recovery and compensation costs, fines and similar liabilities for security incidents arising from pre-completion acts or omissions of the target.
- Conduct an insurance review of the target as part of the due diligence review, particularly to check if any pre-existing insurance policies adequately cover cyber/security risks, and if necessary consider obtaining appropriate specific warranty and indemnity (W&I) policies to cover warranty claims under the purchase agreement, perhaps at the target’s cost.
- Carry out the secure integration and migration of the target’s systems and data with the buyer’s systems and data within a reasonable period after completion, guided by the due diligence report, with continual periodic monitoring and remediation of security risks thereafter.
Once the transition or merger is complete, there should be the following:
- Review and adjustment of governance
- Alignment of HR and information security policies, communicated clearly to all employees
- Training of employees so that they know, understand and implement the policies
- Get an acknowledgement of the updated policies from all employees
- Conduct on-going evaluations regularly
- Establish new guidelines and baselines for information security
- Ensure that all personnel follow requirements
- Determine which departments and security practices need more time for training
- Validate risk assessment annually
- Recognise the business priorities
- Make changes based upon results and priority
- Update audit and compliance plans to include the newly acquired assets
- If impacted, update the scope on certifications and attestations
- Communicate changes to external auditors
A thorough and thoughtful due diligence investigation of the selling company’s cyber security and data privacy situation is critical for an acquirer to assess the risks and liabilities it may take on by making an acquisition, and whether such risks are relevant to accurately assessing the value of the target company.
The DocullyVDR team is a provider of a new generation secure data sharing platform designed for businesses. The team has extensive experience in working with document sharing platforms and has been assisting the Virtual Data Room community since 2019 by providing users with free information.