Thinking About Cyber Due Diligence

Smart in-house lawyers should start talking about this subject NOW.

I recently had lunch with one of the Stroz Friedberg guys.

He had a thought, and I’m making it public here:

Acquirers do financial due diligence, and environmental due diligence, and insurance due diligence.

Shouldn’t they be adding cyber due diligence to the list?

I’m talking about asking questions during the diligence process — and perhaps hiring an outside consultant, for maybe $50K or $100K, to do a little more investigation — about the governance, processes, and controls that a company uses to protect the security of its data.

Most folks currently don’t do cyber due diligence. Which is funny, since those same people simultaneously insist that cyber risks are near the top of everyone’s concerns. And surely a cyber-attack during deal negotiations could quickly halt an anticipated transaction.

There’d be no need for cyber due diligence if sellers would just provide a representation: “We comply with all cyber regulations,” or the like. But no one would give a representation like that. So shouldn’t buyers kick the tires on where a seller stands in terms of data security?


This is obvious if you’re buying a company that deals directly with the public and possesses private information. If you’re buying, for example, a credit card company, you’d better be sure that your target (so to speak) protects data security.

But this issue comes up in less obvious ways. Suppose, for example, that you’re buying a New York financial services company. That company is subject to the New York Department of Financial Services Cybersecurity Regulation. It could cost many millions of dollars to bring a company’s cyber security efforts into compliance with that regulation. Isn’t it worth $50K in due diligence to anticipate that cost and perhaps make an allowance for it in your purchase price?

Or suppose you’re buying a business that stores a lot of personal information. Perhaps you’re a hospital chain, buying a new hospital system. You’re not planning to touch the new system’s cyber security. Wouldn’t it be good to know if all of those personal records were in fact secure?

Or suppose you’re a private equity shop, and you’re planning to buy a new portfolio company that keeps some personal records. You’d think it would be worth knowing how well those records are protected, and how much it would cost to upgrade the target’s systems to secure them.

That’s not even thinking about international acquisitions. Data security laws in Europe in some respects make legislators in the United States look like pikers. If you’re doing an international acquisition, shouldn’t you go in with your cyber-eyes open?


For starters, acquirers could ask a few questions, such as what the target’s most important computer systems are, where sensitive information is stored, and how that information is protected in transit. Diligence questionnaires could ask targets to summarize controls in place to protect information and explain how the company is organized to control this risk. And inquisitive acquirers could certainly ask about any cyber-attacks or data losses that the target has suffered in the past.

I’m sure that smart lawyers could think of lots of other questions to ask, and cyber-consultants could add some value by investigating systems.

After my technological lunch, I started poking around on the web to see if people are thinking about this. As far as I can tell, cyber due diligence is a fairly new field, with law firms (and vendors) just starting to see the need for cyber due diligence.

But this is guaranteed to become a bigger issue over time. Smart in-house lawyers should start talking about the subject now.


Mark Herrmann spent 17 years as a partner at a leading international law firm and is now responsible for litigation and employment matters at a large international company. He is the author of The Curmudgeon’s Guide to Practicing Law and Inside Straight: Advice About Lawyering, In-House And Out, That Only The Internet Could Provide (affiliate links). You can reach him by email at inhouse@abovethelaw.com.
