Mergers and Acquisitions (M&A) are a popular strategy for companies looking to expand their footprint and increase opportunities. The total number of M&A deals from June 1, 2020, to June 30, 2021, was 16,672. That was up from 13,446 in the twelve months prior. There are many reasons for companies to pursue M&A strategies, such as achieving greater economies of scale, attaining greater market share, geographical diversification, or the acquisition of new technology. However, it's also important to remember that when you acquire or merge with another company, you get the bad along with the good. Just like any relationship, there is baggage that each party inherits. In terms of security, an acquiring company inherits any existing cybersecurity vulnerabilities, incidents, and resulting liabilities along with the beneficial assets that are being purchased. In a digitally connected world in which cybersecurity incidents continue to garner headlines, a target company with a history of not prioritizing its security responsibilities can end up creating problems for the acquiring company. Sometimes that baggage can outweigh any perceived benefit.
Cybersecurity Audits Are Now a Standard Practice for M&A Transactions
M&A transactions can take months or even years to complete. One reason is that it's essential that the initiator of the deal perform due diligence to gain a complete understanding of the target organization. You need to know what you are getting into. This includes a cybersecurity audit to identify the security controls and intrinsic vulnerabilities of the target enterprise. An undiscovered data breach can not only cripple the deal but also introduce liability in the form of a financial burden, reputational damage, or both. Some of the questions that need to be answered in an audit include:
- Does the target company conduct regular risk assessments, vulnerability scans, and penetration tests of its systems?
- Does the target company have a documented cybersecurity strategy that is enforced from the top down and across the entire organization?
- Does the target company have a written Incident Response Plan (IRP) that is regularly tested and rehearsed?
- Has a recent compromise assessment been conducted on the target company to identify any vulnerabilities?
- Does the target company have a recent security architecture review to assess the strength of its infrastructure?
- Does the target company have a program in place to train its employees on privacy and security best practices?
According to a recent (ISC)2 study on M&A and Cybersecurity, study participants unanimously stated that cybersecurity audits have now become standard practice for M&A activity. Survey participants listed cybersecurity considerations as a major factor in determining the viability of a deal. In total, 77% reported making M&A recommendations based on the strength of an existing cybersecurity program.
A Poor Cybersecurity History Can Tarnish a Deal
Just as a poor credit history can come back to haunt someone seeking a mortgage or personal loan, a company's cybersecurity history can hamper M&A interest for years to come. According to the same study, half of the survey respondents agreed that the discovery of previously undisclosed breaches would derail a deal.
As an example, the acquisition of Yahoo by Verizon back in 2017 for $4.48 billion nearly fell through due to two data-breach incidents that occurred during the negotiations. The first attack involved the personal data of some 500 million users and included unencrypted passwords. Login credentials and personal information were also compromised for nearly 1 billion users in the second attack. Verizon chose to go ahead with the deal at a reduced purchase price, but in the end it proved a costly inheritance that reduced the intrinsic value garnered by the deal.
Another example involves the 2013 acquisition of the luxury department store chain Neiman Marcus. On October 25, 2013, a Canadian group completed an acquisition of the retailer. What they didn't know was that a cyber incident had taken place as early as July 16, 2013, in which malware was injected into the company's payment-processing system. The incident would eventually compromise the data of 350,000 customer payment cards. Neiman Marcus became aware of the fraudulent use of those payment cards on December 17, 2013. On January 10, 2014, it publicly disclosed the incident. In 2017, it eventually paid $1.6 million to settle a class-action lawsuit filed on behalf of those whose card information was exposed.
Cybersecurity Can Be an Acquired Asset
It is important not to view cybersecurity only as a liability in M&A activity. In the same study, 95% of survey respondents considered cybersecurity programs a tangible asset, while 63% considered security tools to be general assets. Such assets include a company's cybersecurity infrastructure, risk management policies, and training programs. In fact, 82% stated that the stronger a company's cybersecurity infrastructure is, the higher the assessed value of the organization. With 50% of companies impacted by ransomware in 2020, according to a Cisco study, it is understandable why a company's cybersecurity expertise can be highly valuable to many other companies today.

What Cybersecurity Due Diligence Involves
The occurrence of a cybersecurity incident doesn't necessarily deter a merger or acquisition. How the company handled the aftermath of the breach and what it did to fix the vulnerabilities proves far more important in the end. If a breach is discovered during an audit or is known to have occurred previously, it is critical to know what data the attackers had access to and what data was viewed or exfiltrated. One must assess how the breach occurred and whether the company performed its duty of care in attempting to prevent such an attack in the first place. A company may be held liable for an attack that it could have prevented had it taken appropriate measures that are deemed to be reasonable.
The good news is that you don’t need to wait for litigation to define what is reasonable security for your organization. An outside partner can perform a risk assessment using Duty of Care Risk Analysis (DoCRA) to determine that during the M&A evaluation process. HALOCK can fully evaluate the inherent risks of a proposed acquisition and determine the effectiveness of the current security controls, policies, and strategies to secure the target organization’s assets. We can discuss an independent review of your security profile and that of future mergers to help you make informed decisions.
Frequently Asked Questions (FAQs) on Reasonable Security
What Is Reasonable Security?
Reasonable Security is appropriate cybersecurity protection for your organization. Based on your size, data types, and risk profile, reasonable security can be a legal standard of care and a cybersecurity best practice, both of which show that you took defensible steps to protect information.
Why is “Reasonable” Security Important?
“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.
Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.
Organizations with reasonable security:
- Have a better chance of avoiding regulatory action after a breach
- Are better positioned during litigation and investigations
- Have more support from cyber insurance carriers and adjusters
- Instill more confidence with clients, partners, and stakeholders
What Laws Reference “Reasonable Security”?
In the United States, a variety of state and federal laws require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:
- California Consumer Privacy Act (CCPA / CPRA)
- New York SHIELD Act
- Illinois Personal Information Protection Act (PIPA)
- Massachusetts 201 CMR 17.00
- Connecticut Data Privacy Act
- Gramm-Leach-Bliley Act (GLBA)
- Federal Trade Commission (FTC) Safeguards Rule
- General Data Protection Regulation (GDPR) – references “appropriate technical and organizational measures”
The laws do not specify exactly what controls you should use, but they do typically require some defensible evidence that you assessed and mitigated risk appropriately.
How Do You Demonstrate Reasonable Security?
The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.
A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.
Key elements include:
- Risk identification: What data, systems, and processes are impacted?
- Threat and vulnerability analysis: What risks are credible and foreseeable?
- Impact assessment: What could cause harm to customers, partners, or operations?
- Control evaluation: What safeguards are reasonable under current conditions?
- Documentation: Written records of your findings, decisions, and mitigations.
Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.
What Is the Duty of Care Risk Analysis (DoCRA)?
The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:
“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”
DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
How HALOCK Helps Organizations Demonstrate Reasonable Security
HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.
A HALOCK assessment helps you to:
- Identify, quantify, and prioritize cyber risks
- Select and balance controls with business impact
- Document a reasonable security posture for regulators, courts, and clients
- Establish an accountability and continuous improvement process
How Can You Define “Reasonable Security”?
Reasonable security means implementing safeguards that are:
- Appropriate: Based on your business size, industry, and data sensitivity
- Proportionate: Controls balance protection with business practicality
- Recognized: Align with accepted frameworks (NIST, ISO 27001, CIS, DoCRA)
- Documented: You can prove decisions, policies, and risk management actions
- Adaptive: Regularly reassessed as technology, threats, and operations evolve
