Acquirers Beware: The Moral of Ashley Madison

Hack highlights need for extra M&A due diligence

The Ashley Madison hacking scandal has a lesson for everyone. Be careful what you put your name to. But the high-profile hack has a particular lesson for anyone contemplating a corporate merger or acquisition: Downplay the importance of an information-technology due diligence at your peril.

When a company or investor has a target in its sights, the buyer generally expects to pay for a business due diligence that includes things like reviewing financial projections, contracts, agreements, pension and benefits obligations and tax structures.

But a separate technology diligence that looks under the hood at the robustness of a company’s online systems? Increasingly often but not always. It may be up to the lawyer quarterbacking the deal to lay the issue on the table.

“It’s something for sure I’ll bring up if the client doesn’t,” says Martin Langlois, co-head of the mergers & acquisitions and private equity practice group at Stikeman Elliott LLP. “I think with recent hacks, the awareness is being raised. I don’t think even five years ago it would have been on the forefront of people’s minds.

“But you want to make sure you don’t do an acquisition and find out the next day there’s a problem because there was a weakness.”

IT due diligence can do more than identify those companies at greatest risk of being hacked, he says. It can help detect whether a target’s IT systems in general are slipping slightly below industry norms, something that can affect deal pricing.

“While it may not represent a major risk right now, you want to know where they stand compared to their peers, and how much it’s going to cost in order to bring their standard up to where you want it to be,” he says.

“So even if there is no immediate concern over a breach, you want to have an idea what the capital requirements are going to be. These things tend not to be cheap.”

In fact, an Ernst & Young study called IT as a driver of M&A Success found almost half of C-suite executives and private equity managers who were surveyed said that, in retrospect, more detailed IT due diligence could have prevented subsequent value erosion.

Martin Kratz, a technology and intellectual property lawyer at Bennett Jones LLP in Calgary, says the basic threshold issue in deciding whether to do a separate IT due diligence process is whether the target company’s data systems represent a potential vulnerability.

For those that take money from the general public, he says, the answer is definitely yes, and an extensive technology due diligence process carried out by specialists is critical.

“That would typically involve interviews with the target’s staff, a review of their internal policies, a review of whether patches to their software – particularly security software – are being consistently applied.

“Another question we like to ask when it’s relevant is the target’s experience with past intrusions, how did they respond, did they learn things from the incident and modify their practices as a result? Has there been resulting litigation and, if so, what’s the progress?”

When the company being acquired has cloud-based systems and data storage – as an increasing number of companies do – an IT due diligence process should include reviewing the cloud service provider’s annual independent security audit, he advises.

Part of the challenge is the cat-and-mouse dynamic between hackers and security experts, which means a new hack can render supposedly safe systems vulnerable in an instant.

But Kratz says potential acquirers can look at the target’s breach-preparedness plan as an indication of its overall cyberhealth. Those with robust structures generally have a cyber-security team with a designated chain of command, as well as response protocols that involve both legal counsel and forensic experts who can quickly pinpoint the vulnerability and steps needed “to stop the hemorrhaging of whatever’s been done.”

At the end of the day, there are no guarantees that anyone’s system is hack-proof, and any buyer hit with a data breach after the deal is closed is likely out of luck in terms of getting compensation.

“No one’s going to give you a representation and warranty in a purchase agreement that the business cannot be hacked,” says Langlois. “Very often what you see is a disclosure representation, where they will say: ‘We’ve disclosed to you what our policies and procedures are with respect to cybersecurity.’ So the recourse to the purchase agreement for these types of things can be difficult.

“As soon as you close a deal, it becomes your problem.”

Sophisticated buyers and private equity firms are already doing extensive IT due diligence that includes an intrusion assessment, penetration testing and a review of data centres, both Kratz and Langlois say.

But occasional or less sophisticated buyers may be tempted to forego the expense of bringing in an IT diligence team.

“That’s human nature,” says Kratz, adding the decision on whether to look separately at cyber-vulnerability will often turn on the overall risk assessment.

Are people spending enough? In general, he says, many are not.

“It isn't an issue that gets the level of attention it should given the prominence of these big breaches now. In my view, [as a lawyer] it’s something that should be on your regular checklist to think about, to talk about, at least so the acquirer has directed their mind to whether this is one of the issues they’re particularly concerned about or not.

“Ashley Madison should remind people that there’s a liability from being exposed to a breach. And that liability should be part of the overall considerations being assessed as part of due diligence in an M&A transaction.”
