The Board, M&A, and Cyber Risk Management
The Great Acquisition Dissolving Due to Cyber Risks

(This post originally appeared January 16, 2023 in my Enabling Board Cyber Risk Oversight blog at The Board, M&A, and Cyber Risk Management.)

Introduction

I cited an MIT Sloan Executive Education article in a recent blog post, Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy: “Cyber risk is so significant that a responsible board can no longer ignore it or just delegate it to risk management experts. In fact, an organization’s board of directors holds a uniquely vital role in safeguarding data and systems for the future because of their fiduciary responsibility to shareholders and their responsibility to oversee and mitigate business risk.”[1]

Merger and Acquisition (M&A) activity has long been a priority for public and private company boards. Because M&A is both a tool of disruption and a common strategic alternative to organic growth, boards have a critical role in M&A activities. Of course, M&A involves divestitures as well as mergers and acquisitions, so board members may find themselves overseeing either buying or selling activity.

In Deloitte’s 2022 Future of M&A Trends Survey, 92% of respondents indicated that they expect deal volume to increase or stay the same over the next 12 months.[2] Cyber risk is an increasingly significant part of M&A activity. Within the digital health subsector of healthcare, some observers assess market conditions as ripe for consolidation, driven by, among other reasons, the need for funding at a time when VC and PE money is tight.[3]

About three-quarters of respondents (77%) in an ISC2 study have made recommendations on whether to proceed with an M&A deal based on the strength of the target company’s cybersecurity program.[4]

The Challenge

Lots of things can go wrong in M&A work. Acquirers can experience a loss of shareholder value due to concerns about earnings dilution, poor fit, or excessive diversification.[5] Cyber risk is another way a deal can go wrong, and a strong, proactive ECRM program can facilitate M&A activity.

After Verizon agreed to acquire Yahoo, Yahoo disclosed two massive data breaches that had occurred in 2013 and 2014.[6] As a result of the disclosure, the two companies negotiated a $350 million reduction in the purchase price.[7] Spirit AeroSystems’ acquisition of Asco, announced in 2018, had its closing delayed mainly because of a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately leading to a 25% purchase price reduction of $150 million from the original $604 million.[8] In September 2020, the acquisition was terminated because the conditions of the deal had not been satisfied.[9]

Cyber liability insurance lines have been hardening, with rising prices and more exclusions. Complicating matters, Mario Greco, chief executive of insurer Zurich, recently told the Financial Times that cyber-attacks are set to become uninsurable.[10] Losing one of the classic risk management alternatives, risk transfer, makes rigorous due diligence on a target organization’s cyber risk management program even more critical.

Nearly two-thirds of respondents (65%) in Forescout’s 2019 research study said their companies had regretted an M&A deal because of cybersecurity concerns.[11]

What role does ECRM have to play in M&A? A big one, it turns out. Healthcare is one industry example: one of the drivers of healthcare M&A activity is “using data more effectively to improve quality and outcomes, such as through personalized medicine or interoperable data exchange.”[12] And wherever “healthcare” and “data” intersect, data security and privacy considerations are close at hand.

Combined with the SEC’s proposed Disclosure Regarding the Board of Directors’ Cybersecurity Expertise, M&A and cyber risk management make for a sort of triple witching hour for directors’ liabilities.

The Solution

A mature ECRM program can facilitate M&A transactions and help ensure that cybersecurity issues do not stand in the way, whether your organization is looking to acquire or to be acquired.

Whether your organization is acquiring another organization or is itself the target of an acquisition, it is essential to have your cyber risk management house in order. A sufficiently mature ECRM program improves the odds that M&A negotiations succeed. As a seller, your organization may be subjected to a rigorous cybersecurity due diligence review. To maintain your sale price and, potentially, shareholder value, you want to show a strong ECRM position, with cyber risks well understood and managed.

On the other hand, as a buyer, you may be acquiring substantial cyber risk. If you have a strong ECRM position, your organization will be able to conduct more rigorous due diligence on your target, allowing you to factor weaknesses into your purchase price. Most private equity firms I have worked with requested an ECRM assessment as part of their diligence work when considering new portfolio-company investments.

Following are five DOs and DON’Ts for managing cyber risk during M&A activities and strengthening your cybersecurity and privacy due diligence.

  1. Focus on comprehensive risk analysis. Clearwater recently published a white paper highlighting the critical importance of performing rigorous risk analyses as part of M&A due diligence. Entitled “Let the Buyer Beware: The Need for HIPAA Risk Analysis in Healthcare M&A Transactions,”[13] the paper advises buyers to determine whether the target’s risk analysis is up to date and whether it complies with applicable regulatory requirements. In the case of healthcare, it must follow the Office for Civil Rights (OCR) Guidance on Risk Analysis Requirements under the HIPAA Security Rule[14] and specifically include representations of compliance with the risk analysis implementation specification of the HIPAA Security Rule.[15]
  2. Do not allow cyber risk due diligence to turn into a controls-checklist exercise. I was excited to read the title of a recent post in HealthITSecurity, “3 Strategies for Healthcare Merger, Acquisition Cybersecurity Due Diligence,”[16] and then hugely disappointed when I read the content. It was another “round up the usual controls suspects.” This time it was about the controls du jour: multi-factor authentication (MFA), endpoint detection and response (EDR), backups, user training, etc. Often, it’s about the threats du jour or the vulnerabilities du jour. I’m sorry; these items are essential, but they do not constitute comprehensive risk analysis or rigorous cyber due diligence.
  3. Require representations and warranties related to applicable regulatory requirements and industry standards. In healthcare, organizations may be subject to CMS regulations, HIPAA requirements, GDPR requirements, and state and local requirements. Some healthcare organizations (such as academic medical centers) may also be subject to the provisions of the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). As Clearwater suggests in its white paper, consult your attorney as to whether you should require specific representations and warranties from the seller or partner related to their compliance, and ask how you can seek recourse from the seller if you incur future damages resulting from regulatory actions or lawsuits.[17]
  4. Examine the target’s ECRM Framework and Strategy. In Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy, I highlight two foundational, practical, tangible, actionable steps organizations should take, and the board should oversee, when establishing a solid enterprise cyber risk management (ECRM) program. The first is to put ECRM governance in place; the second is to develop and document the organization’s ECRM Framework and Strategy. The absence of formal ECRM documentation and related policies and procedures in a target is a red flag.
  5. Rely on cybersecurity and regulatory compliance experts. According to a Forescout research study, only 37% of the almost 2,800 respondents surveyed strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.[18] Chicago-based CommonSpirit Health dealt with weeks-long fallout from a ransomware attack. In a Becker’s Health IT article that discussed the attack on CommonSpirit, itself the product of a 2019 merger of Dignity Health and Catholic Health Initiatives, a senior health IT executive advised, “Form partnerships with trusted security firms that can perform these types of assessments to assist you….”[19] Inheriting another organization’s exposures is a risk that can be mitigated by engaging cyber risk management experts. Buyer beware, though: ECRM consultants and service providers are not currently regulated or evaluated by a reliable, objective third party. Anyone can call themselves a “cyber risk management expert.” Therefore, it is incumbent on your organization to exercise due diligence before contracting with a cyber risk management consultant or service provider. Refer to Appendix A, What to Look for in an ECRM Company and Solution, in Stop the Cyber Bleeding to learn more about how to evaluate an ECRM company.[20]

Summary

According to a 2019 ISC2 survey of 250 M&A-knowledgeable individuals, when acquiring a company, the buyer also receives its cybersecurity capabilities, along with all the implications of the quality of its cybersecurity program. For this reason, nearly all study participants (95%) consider cybersecurity a tangible asset.[21] As a result, an acquisition may actually improve your cyber risk management posture.

But Buyer Beware! Conduct rigorous cyber risk management due diligence and protect yourself with reps and warranties. Stringent due diligence will assist in better managing risks, improving the quality of decisions, improving your overall M&A success rate, and strengthening your negotiating position.

Questions Management and Board Should Ask and Discuss

1. How does our M&A strategy align with our overall ECRM strategy?

2. How will our cyber risk management due diligence findings affect our valuation methodology?

3. What are the strengths and weaknesses of our own ECRM program? Will a target or merger partner improve our ECRM posture?

4. Does the target organization meet all applicable privacy, security, and breach notification regulatory requirements and industry standards?

5. What are the most critical aspects of information technology (IT) and cyber risk management integration that the C-suite and board need to monitor? Is the integration well understood and achievable?

6. What specific cyber risk metrics and indicators will be used to measure the deal’s success at the end of the first year?

7. As a seller, are you likely to lose negotiating leverage or enterprise value due to a weak cyber risk management program?

Endnotes


[1] MIT Sloan Executive Education. "3 Questions: Why cybersecurity is on the agenda for corporate boards of directors." November 30, 2022. Available at https://news.mit.edu/2022/cybersecurity-corporate-boards-directors-1130

[2] Deloitte. "2022 M&A Trends Survey: The future of M&A." January 2022. Available at https://www2.deloitte.com/us/en/pages/mergers-and-acquisitions/articles/m-a-trends-report.html

[3] Land, Heather. "2023 forecast: Why digital health is ripe for a new wave of M&A, including more 'disruptive' deals." December 21, 2022. Available at https://www.fiercehealthcare.com/digital-health/2023-forecast-why-digital-health-ripe-ma-including-more-disruptive-deals

[4] ISC2. "Cybersecurity Assessments in Mergers and Acquisitions." September 20, 2019. Available at https://www.isc2.org/-/media/E6C334079C1F48E4974368CCA4C18D18.ashx

[5] Kengelbach, Jens et al. Boston Consulting Group, “The 2019 M&A Report: Downturns Are a Better Time for Deal Hunting.” September 25, 2019. Available at https://web-assets.bcg.com/img-src/BCG-Downturns-Are-a-Better-Time-for-Deal-Hunting-September-2019_tcm9-230008.pdf

[6] Mike Snider. USA Today. “Verizon shaves $350 million from Yahoo price.” February 21, 2017. Available at https://www.usatoday.com/story/tech/news/2017/02/21/verizon-shaves-350-million-yahoo-price/98188452/

[7] Mike Snider. USA Today. “Verizon shaves $350 million from Yahoo price.” February 21, 2017. Available at https://www.usatoday.com/story/tech/news/2017/02/21/verizon-shaves-350-million-yahoo-price/98188452/

[8] Gurzeev, Rob. TechCrunch. "It’s time to better identify the cost of cybersecurity risks in M&A deals." September 10, 2020. Available at https://techcrunch.com/2020/09/10/its-time-to-better-identify-the-cost-of-cybersecurity-risks-in-ma-deals/

[9] Shaikh, Niloofer. Seeking Alpha. "Spirit AeroSystems’ acquisition of Asco." September 25, 2020. Available at https://seekingalpha.com/news/3617313-spirit-aerosystems-cancels-acquisition-of-asco-industries

[10] Smith, Ian. Financial Times. "Cyber attacks set to become ‘uninsurable’, says Zurich chief." December 26, 2022. Available at https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

[11] Forescout. "The role of cybersecurity in mergers and acquisitions diligence." 2019. Available at https://www.forescout.com/resources/cybersecurity-in-merger-and-acquisition-report/

[12] Keith Anderson, Robert Belfort, Fatema Zanzi. “Mapping the healthcare M&A landscape.” Manatt, Phelps & Phillips, LLP. March 22, 2019. Available at https://www.jdsupra.com/legalnews/mapping-the-healthcare-m-a-landscape-21018/

[13] Clearwater. "White Paper: Let the Buyer Beware: The Need for HIPAA Risk Analysis in Healthcare M&A Transactions." December 2022. Available at https://f.hubspotusercontent40.net/hubfs/2783949/Let%20the%20Buyer%20Beware_The%20Need%20for%20HIPAA%20Risk%20Analysis%20in%20Healthcare%20M&A%20Transactions.pdf

[14] Guidance on Risk Analysis Requirements under the HIPAA Security Rule. OCR/HHS. July 14, 2010. Available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

[15] 45 CFR § 164.308(a)(1)(ii)(A). Risk Analysis implementation specification. Electronic Code of Federal Regulations. (Security Standards for the Protection of Electronic Protected Health Information, Administrative Safeguards). Available at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C#164.308

[16] McKeon, Jill. HealthITSecurity. "3 Strategies for Healthcare Merger, Acquisition Cybersecurity Due Diligence." December 6, 2022. Available at https://healthitsecurity.com/features/3-strategies-for-healthcare-merger-acquisition-cybersecurity-due-diligence

[17] Clearwater. "White Paper: Let the Buyer Beware: The Need for HIPAA Risk Analysis in Healthcare M&A Transactions." December 2022. Available at https://f.hubspotusercontent40.net/hubfs/2783949/Let%20the%20Buyer%20Beware_The%20Need%20for%20HIPAA%20Risk%20Analysis%20in%20Healthcare%20M&A%20Transactions.pdf

[18] Forescout. "The role of cybersecurity in mergers and acquisitions diligence." 2019. Available at https://www.forescout.com/resources/cybersecurity-in-merger-and-acquisition-report/

[19] Diaz, Naomi. Becker's Health IT. "Why healthcare mergers and acquisitions are a cybersecurity risk." November 17, 2022. Available at https://www.beckershospitalreview.com/cybersecurity/why-healthcare-mergers-and-acquisitions-are-a-cybersecurity-risk.html

[20] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[21] ISC2. "Cybersecurity Assessments in Mergers and Acquisitions." September 20, 2019. Available at https://www.isc2.org/-/media/E6C334079C1F48E4974368CCA4C18D18.ashx