Cyber-attacks and data breaches pose an ever increasing threat to the orderly flow of business. Cybersecurity due diligence represents the first line of defense for buyers and sellers of businesses to proactively assess and manage risks attendant to cyber-attacks and data breaches. Last week, I attended the first annual “Incident Response Forum 2017” in Washington, D.C focused exclusively on cybersecurity. These are the key takeaways that I took from the conference:

  • Cyber risk is now at the same level of importance as financial and legal risk in M&A transactions, especially when the target or prospective business partner is in a technology centric industry.

  • Whenever a company decides to buy or partner with another business, it should set up a dedicated cyber-security due diligence team to assess the other party’s data risks and latent data security issues. That team should be populated with subject matter experts who understand the complex array of regulations and enforcement measures employed by Federal and State authorities. Ideally the cyber-security team should be led by an outside or in-house lawyer.

  • The cyber-security due diligence team should review the target’s policies, procedures, work flow practices and Incident Response Plan to ensure compliance with industry best practices. A critical aspect of this due diligence involves the review of contractual arrangements with vendors to identify indemnification provisions, representations and warranties relating to the protection of confidential information, insurance requirements (some agreements require an obligation by the vendor to retain cyber-risk insurance policy) and the standard of care in a target’s security program. The target’s response to previous cyber incidents or attacks should be evaluated.

  • A review of the target’s retention and personnel policies is a key component of cyber-security due diligence as the most common perpetrators of cyber-attacks come from within the organization, namely junior employees, ex-employees, freelance and temporary employees. The due diligence team should review technology access, permission policies, recruitment, hiring, retention and training programs.

  • A review of technical systems assesses data mapping and data loss protection. Other key issues in the review of technical systems include encryption, wireless precautions, malware defense and anti-virus protection. The most frequent types of cyber-attacks include virus or worm infestation and email-based phishing attacks.

Cybersecurity due diligence is an integral part of all M&A transactions and ideally should be incorporated into the corporate compliance program subject to internal audit and performance metrics.


Timothy McNeill