Cybersecurity due diligence becomes focus in M&A transactions

Risks from Covid-19-related remote working and growth in cybercrime put spotlight on digital security

Imran Ahmad, partner at Blakes, says more due diligence on cybersecurity is needed in the M&A process.

There is an increasing focus on cybersecurity due diligence in M&A transactions, not only as organizations become more dependent on digital technology, but as Covid-19 has highlighted security issues as more people work from home, says Blake, Cassels & Graydon LLP partner Imran Ahmad.

“When it comes to M&A transactions over the past year or two, cybersecurity has become a really important part of the due diligence process,” Ahmad says. “It’s because there is increasing risk on the cybersecurity front, and you want to make sure that what you’re buying — or selling — doesn’t have those risks.”

Due diligence on cybersecurity issues is being done in a more meaningful way these days, Ahmad says. “Going beyond a generic review, what we’re seeing is a deeper analysis of processes, protocols and incidents that may have occurred in the past.”

Ahmad says that law firms dealing with M&A are increasingly bringing in those with cybersecurity expertise to look at such issues as part of the transaction process or have staff in the firm who can deal with these types of concerns. In some cases, due diligence on a transaction could involve an audit of cybersecurity issues, much like potential homeowners would have a house inspection done before they complete the purchase.

He adds that before a transaction, a target company may have material data protection weaknesses it isn’t even aware of. It may have been the victim of a previous cybersecurity incident that could come back to haunt the buyer post-transaction.

There is also the matter of integrating the buyer’s systems with the seller’s, something that is becoming a bigger concern in bolt-on acquisitions. Integrating those systems can cause security issues, “introducing some level of uncertainty into the newly combined company,” Ahmad says.

With the COVID-19 pandemic resulting in most Canadian businesses turning to remote work, Ahmad says many cybercriminals have been successfully gaining access to various organizations’ information technology environments, thereby increasing the cyber risk profile of a potential target.

Research from Blakes shows that between March and April, when many companies were moving to remote work, there was an increase of between three and five times in the number of breaches reported to the firm.

“That is significant, and the interesting part is that it has stayed at those levels. The number of cybersecurity incidents has increased in and beyond what we’ve seen in previous years.”

He adds that these figures are also consistent with global trends: “What we’ve been hearing globally is that ransomware has really taken off, that cyberattacks are increasing year over year, but more importantly, they have increased during the pandemic.”

When organizations moved their employees to remote work quickly in the spring, Ahmad says many did not have adequate systems in place as they were working hard to scale up existing remote work protocols. This makes it easier for cybercriminals to take advantage of these vulnerabilities. Also, employees may not be adequately trained to deal with security issues while working in remote work situations.

For example, on the hardware side, employees taking computers home may be using them for personal purposes, “so what vulnerabilities does that bring?” Ahmad says. “Are they practising good cyber hygiene?”

Ahmad also suggests there is evidence that adversaries are using worldwide attention on COVID-19 to socially engineer “lures” around our collective anxiety and the flood of information associated with the pandemic.

Ahmad says organizations were required to move many employees to remote work in a short period and maintain business continuity. As a result, it is likely many did not have adequate systems in place or were dramatically scaling up existing remote work protocols. And like in any crisis, criminals “are known to take advantage of these vulnerabilities.”

Many organizations may not have updated their incident response plans to address issues such as remote data storage, secure data transfers, coordination and secure communication between IT teams, and the infrastructure needed for remote use of their technologies.

Ahmad notes that cybercriminals have significantly increased their focus on phishing attacks and that workplaces should make sure they have adequate training protocols for ensuring staff are aware of how phishing attacks work.

According to Microsoft, there was a 70 per cent increase in the last year in phishing as a means of harvesting user credentials. Obtaining these credentials allows threat actors to gain access to and compromise the network, resulting in data breaches, identity theft and ransomware. Ahmad notes that cybercriminals are making increased use of business profile pages and social media pages to deceive employees and make the attack look like a legitimate request.

As a checklist, Ahmad says at a minimum, buyers and sellers should:

  • Understand the data and other technological assets in the transaction, specifically the type of data and its level of sensitivity, whether the data is encrypted or anonymized, how and where the data is stored, and who has access to it.
  • Figure out to what extent the buyer’s and seller’s systems are compatible and what expenditure is required to integrate them.
  • Closely consider the target’s cybersecurity posture and determine whether it is robust.
  • Determine whether any existing cyber insurance policies are broad enough to cover the different consequences that could flow from a breach, and consider whether the coverage needs to be renegotiated after closing.
  • Confirm what measures the seller’s suppliers, contractors, subsidiaries or other third parties have taken to strengthen their cyber defences, and their capacity to respond effectively and remotely when cyber events occur.
  • Identify which data privacy laws apply to the seller and its subsidiaries, and assess whether their policies comply with the relevant legislation.
  • Request information on any data breaches the seller, its subsidiaries or third-party affiliates have suffered.

Ahmad adds that during the transaction process, the seller’s data may require additional sensitivity and attention between the time the M&A becomes public and closing.

“It is important to proactively assess and monitor how deal information will be shared and transferred, who will control the data transfer process, and whether the target has adequate remote capabilities to perform all measures securely.”