Today’s companies store all kinds of data in the cloud and on various computers and devices. This includes intellectual property, personnel information, and credit card and bank account details. In many cases that data includes sensitive information that could fall prey to cyberattacks and hackers if it’s not kept safe. Those risks are forcing potential buyers of a business to question the acquisition of companies they are considering. As a result, the potential buyer of a company dives deeper into the target’s cybersecurity efforts during the due diligence process.
How Much Do Cyberattacks and Data Breaches Cost Companies?
While you might think hackers only target larger corporations, cyberattacks and data breaches are on the rise in companies of all sizes. According to the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report, 68 percent of respondents reported a cyber attack in 2018, up 6% from 2017. As for incidents that involve customer and employee information, 58 percent of respondents reported such data breaches in their company. That was up 4% from the previous year.
The aftermath of a data privacy breach can be costly. Companies spent on average $1.43 million to replace damaged or stolen IT assets. That is a 33% increase from the year before! The disruption to normal operations cost these companies another $1.56 million on average.
What Data Privacy Breaches Mean During Acquisition Due Diligence
Any buyer would want to avoid these costly and common incidents. This is why evaluating a company’s cybersecurity and data privacy efforts during due diligence is so critical. Uncovering weak cybersecurity strategies may not kill a deal, but it will give buyers a better idea of the cost to shore up a company’s digital assets. A buyer has to consider that, once the sale is done, weak cybersecurity could lower the actual value of the target, and the purchase price.
Here are some of the key tasks that your acquisition attorney and your top-level executives, such as your CIO and CFO, need to carry out to properly evaluate cybersecurity efforts and assets before any deal is closed.
Know What Data the Company Stores
Companies own a tremendous amount of electronic records. These range from digital documents and audio recordings to anything else that’s stored on computers, laptops and in the cloud. Some of it is maintained in-house, but often IT consulting firms, independent contractors and other third parties may be storing the information.
During due diligence, it’s critical to create a complete list of every digital asset a company holds, both internally and externally, before moving to the next steps to ensure that the proper protections are in place.
Assess the Company’s Digital Holdings
With an in-depth assessment of the company’s digital holdings in hand, it’s time to look at its efforts to keep those assets safe. Cybersecurity audits should be done annually. These audits will provide an outline of all the company’s cybersecurity programs and highlight any vulnerable areas.
Review the company’s programs to determine if they reflect the rapidly changing technology landscape. Strong cybersecurity programs must be regularly updated to keep up with digital advancements and hackers.
Look at a Company’s Response to Previous Cyber Threats
There might be no better way to assess a company’s cybersecurity efforts than studying how it responded to a previous threat or attack. How was the data breached? How quickly did the company respond, both internally and externally? What information was stolen or lost? What changes were made after the cyberattack?
The answers can help potential purchasers of a business assess how seriously a company considers cybersecurity and data privacy, and whether its protocols are effective.
Data privacy isn’t just a good idea, it’s required. A variety of state and federal laws mandate that small and mid-sized businesses and, of course, corporations comply with cybersecurity regulations. California’s new data privacy law will go into effect soon. At the same time, foreign governments are shoring up protections for their citizens. As of May 2018, the European Union’s General Data Protection Regulation sets rules for how companies handle personal information.
During due diligence, companies must be able to demonstrate that they meet all required cybersecurity regulations. This includes the regulations that apply because of their location, the customers they serve and their industry.
A lawyer who is well-versed in the issues of acquisition due diligence can streamline the process and identify legal ramifications of decisions made along the way. During due diligence, experienced lawyers can quickly uncover the opportunities and liabilities of a target company, so buyers know they’re not only getting the best value but are also protecting themselves from problems and lawsuits related to data breaches and cyberattacks in the future.