What’s (Likely) Missing From Your Cybersecurity M&A Checklist

Cybersecurity due diligence has become an essential element of mergers and acquisition (M&A). The most thorough of due diligence practitioners, such as attorneys and auditors, use checklists. This article discusses a crucial cybersecurity M&A due diligence best practice.

Typically, M&A checklists focus on gathering documents and artifacts for review by subject-matter experts. However, this “document centric” approach often fails to illuminate cybersecurity threats. Examples of activities that typically appear on these lists include:

  • Review past risk assessments
  • Review past data breaches
  • Collect contracts with third parties that host
    business records
  • Locate and review policies and procedures
    related to cybersecurity

What’s common to these documents is that they don’t give an accurate representation of how personal or confidential data is being currently protected. Rather, they show past consensus (policies and procedures) or past events (breaches or incidents).  

Verizon’s acquisition of Yahoo! provides an example of how this approach can negatively impact shareholder value. In 2017, Verizon Communications negotiated a $350M reduction in its asking price for Internet giant Yahoo! This reduction stemmed directly from several data breaches that Yahoo! failed to report to SEC. Verizon was not informed about those breaches until two months after the close of the deal. The financial impact on Yahoo! was devastating across several settlements:

  • $35M fine paid to the SEC
  • $80M awarded to plaintiffs in a securities
    class-action lawsuit
  • $117.5M awarded to plaintiffs in a consumer data
    class-action lawsuit

In total, over $232M of payouts were removed from Yahoo! Shareholder value. In addition, Yahoo! agreed to share the responsibilities for future liabilities with Verizon. While Verizon almost certainly conducted cybersecurity due diligence, relying on “static” documents that only look backward (or are merely aspirational) did not advance its understanding of Yahoo!’s weaknesses. 

Perhaps not surprisingly, these stories have resulted in the publication of more cybersecurity due diligence checklists. However, these updated lists still miss the idea of understanding the complex dynamics of data protection, both from a pure cybersecurity standpoint and from a legal one. What can tell the full story is a data inventory.

A data inventory is a “living” document

A data inventory (sometimes called a records of processing activities or ROPA) is a principle data protection reference system. It can also be thought of as a “living” document. It lists every software application that processes personal or confidential data. An inventory is invaluable because:

  • It serves as a “single source of truth” for the
    location and uses of data
  • It shows how that data at protected in any given
    moment (in transit, in use, at rest)
  • The process of building and maintaining it
    forces awareness of data protection problems

The concept of a data inventory gained currency when the GDPR was passed into law. Article 30 of the Regulation mandates the creation of a records of processing activities and cites information such as the categories of personal data collected/processed, purpose of the data processing, and associated security measures. In practice, however, inventories can be massive, filling hundreds of rows and scores of columns on a spreadsheet or relational data base and containing links to where the data is stored.

The benefit of an inventory for
M&A due diligence includes a deep understanding of:

  • Precisely what data is being collected and
    processed and the legal basis for doing so
  • Where the data is located and who’s responsible
    for maintaining it
  • Which third parties are processing data, what
    they’re doing with it, how they’re protecting it, and with whom they’re sharing

By their nature, an inventory requires a manager who is responsible for keeping it up to date (or “evergreen”) as part of managing the data protection program. That person is also an ideal candidate for interviews by the M&A due diligence team.

While a traditional, static document approach to mergers and acquisitions due diligence may be acceptable in some areas, it is not so for cybersecurity. The nature of risk has changed substantially over the last decade. That risk was primarily from intrusions and data breaches; now, legal exposure for failure to comply with laws such as the GDPR and the CCPA must be considered. Data inventories provide deep insight into the state of an organization’s cybersecurity posture, and their review and assessment offer key items to add to a due diligence checklist.

See how Spirion can help you advance your cybersecurity program. Schedule a customized risk assessment with one of our data security experts to see our data protection solutions in action.