5 Cybersecurity Diligence Mistakes That May Prove Costly

When Marissa Mayer took the helm as chief executive of Yahoo!, she inherited a flailing brand. As customers were flocking to competitors, the company was secretly recovering from a 2010 foreign-military attack that exposed private information of 500M Yahoo! users, a breach Google had publicly admitted to but Yahoo! chose not to disclose. In addition, the 2013 Edward Snowden (the former National Security Agency contractor) leaks revealed such nation-state hacks and spying incidents were not uncommon at Yahoo!.

In response, Alex Stamos, Yahoo!’s next chief information security officer, pushed for the adoption of more thorough security measures. His plans included end-to-end encryption for everything user associated; and an engineering team deployed to develop more secure code, hunt down criminal activity, and collaborate with other companies to pinpoint potential threats. Tasked with reporting any gaps, designated “red teams” even hacked into Yahoo!’s system.

The problem: In the name of improved user experiences and to stop the customer exodus, Ms. Mayer held back some funds to address security risks. Further, she stalled needed updates, and Mr. Stamos’ passionate and dedicated cybersecurity team was internally dubbed the “Paranoids.”

Thorough Due Diligence Means You Get What You Pay For

Fast forward to 2016. Yahoo!’s web services were still flailing despite Ms. Mayer’s aesthetic and user experience improvements. Even so, Verizon sought to acquire the brand to turn it around. Still hiding the hacks and the brands’ less than thorough recovery and prevention response, Yahoo! agreed to a $4.8B Verizon acquisition; that is, until due-diligence uncovered evidence of Yahoo!’s cybersecurity gaps and past breaches. Suddenly the deal didn’t seem as valuable to Verizon and renegotiation was on the table.

Weak Due Diligence Comes with a Hefty Price Tag

Verizon did the work to identify security liabilities that could have rendered the deal worthless, and at least introduced the new information into re-negotiating a sale price. But, many other brands haven’t been so lucky.

In July of 2013, Neiman Marcus experienced a cyber incident in which malware was injected into their customer payment processing system, allowing thieves to access 350,000 customer payment cards. Unaware of the still ongoing breach, Neiman Marcus closed an acquisition with a group led by Ares Management and a Canadian pension plan. The result: the now acquired Neiman Marcus brand shelled out $1,600,000 to satisfy victim demands.

Expert Due Diligence Uncovers Fine-Print Liabilities

What could have prevented such costly acquisition faux pas? Here are five common diligence mistakes that can damage your next acquisition, and how to prevent them:

Mistake #1 – Purchasing software without the code’s ownership.

Anytime you acquire a company where intangible assets, like proprietary code, comprises some or all the value, it’s important to know exactly what you’re buying. In the case of an open-source system, for example, the potential for productivity and relevancy may be high, but the fact that many contributed and even own parts, may mean a higher risk of licensing liabilities — and a potentially less valuable deal in the long run — but only if not managed correctly.

Consider Cisco. In the early 2000s, it acquired open-source code in Linksys. Before doing so, the brand failed to assess exactly what part of certain programs they actually owned as part of the $500M acquisition. Starting in May 2006, they distributed copies of Firmware in Cisco products, including their most popular wireless router. The problem: portions of the Firmware actually belonged to the Free Software Foundation (FSF). The result was a surprise lawsuit that cost the firm lawyer fees, an out-of-court settlement, and years of cleanup.

For a better outcome, Cisco should have performed a pre-acquisition code review to learn who owned what portions of the code. In doing so, they would have opened up more attractive options such as:

 – collaborating with FSF for a stronger partnership and less public embarrassment;

 – re-value the acquisition price to reflect a weaker ownership of the code; and/or,

 – choosing not to close the acquisition at all.

Mistake #2 – Purchasing an unknown or undisclosed breach.

Yahoo!’s leadership team didn’t allocate sufficient funds for encryption measures and investigative teams to prevent cybersecurity risks. You want to know about this type of behavior before closing a deal. With proper understanding of a brand’s attitude toward risk management, acquiring brands can get an idea of whether a breach is likely to have occurred.

To gain some insight, begin by assessing the management team’s understanding of cyber-related liabilities, regulations, and enforcement environments. The deeper the leadership’s understanding, the more likely they are to take prevention and required disclosures seriously.

Then, dig deeper. Enact questionnaires and inspect supporting material to learn about administrative, technical, and physical security codes at key points of the organization. Those departments that don’t take active ownership over prevention measures — including funding allocation, data-protection controls, monitoring and logging, third-party access, privileged account use, Malware / AV implementation, and overall vulnerability management — have a higher likelihood of having experienced a breach.

For further anecdotal evidence, consider risks which may be hiding in the cloud file-sharing services and mobile devices employees use. The extent to which employees adhere to security-measures can often times correlate to likelihood of past breaches.

Lastly, make sure even third-party vendors have data security insurance coverage, and documented prevention and supervision agreements. These measures show greater conscientiousness — which likely translates into fewer liabilities for the acquirer.

Mistake #3 – Purchasing high-liability contracts with customers.

Startups will often work harder and offer more in order to make valuable sales, including agreeing to cover more liabilities in customer contracts. For this reason, acquiring companies should go over customer contracts with a fine-tooth-comb, keeping in mind that a “Trojan horse” could be hiding within.

GE’s general counsel Buck De Wolf explains that the brand has purchased as many as 14 companies since 2014, among them several small software firms. His experience has taught him to look for over-the-top promises to customers about how the acquired company will cover data-breach liabilities. Look for healthy limitations on warranties, termination periods of contracts, exemptions, and vague language that could lead to unforeseen liabilities. Be prepared to “update” contracts with customers ideally before acquiring the new brand or consider renegotiating your acquisition closing price to reflect potential risk.

Mistake #4 – Failing to protect exposed data during the acquisition process.

A well-documented data protection plan to cover the acquisition period helps the buyer and the seller stay compliant with data protection laws. Then, it works to prevent breaches that could devalue an otherwise promising deal.

As part of your documentation, remember to record all of the following:

– what data exists

– where it is stored

– how it is processed and transmitted

– what data will be transferred

– encryption policies

– the exfiltration technology used and prevention policies surrounding them

– who has access to sensitive data during the due diligence stage

– what data is exposed to what parties

– who will have direct access to data as it is being transferred from the seller to the buyer

Then, follow the plan carefully. Remember, during and even following the transfer stage, it is often necessary to prove to data-protection authorities that all measures have been taken to protect data in-transfer and only those teams involved in the transfer and integration had access to it. Failure to comply could mean penalties, ultimately hurting the value of the acquired company.

Mistake #5 – Failing to have a breach prevention and response plan in place.

In 2016, the Indiana hospital system paid out $55,000 in ransom to retrieve sensitive files after a SamSam ransomware hack. Hackers used a third-party-vendor name and password to steal the files from the well-established and protected system designed to comply with HIPAA.

Likewise, SamSam recently hit Colorado’s Department of Transportation, shutting down operations for days as investigators backtracked to figure out what was affected. These types of breaches have the potential to devalue newly acquired brands as money is shelled out for investigations, containment, brand-reputation damage, ransom, lawsuits, and fines.

If well-established and vetted data protection systems are this vulnerable, imagine the vulnerability that exists for data in transition. The immediate post-acquisition period is a vulnerable time for data that’s still being integrated into the new system — an event that sometimes takes years. During this time, the data is exposed to more people than normal, creating greater chance of a breach. As such, brands have a lot to lose and must document and enact protection plans before an acquisition closing to prevent potential losses.

Thorough Due Diligence Begins with One Step

Despite a leading team and resources, Verizon’s own RISK team made some mistakes when assessing their acquisition of Yahoo!. Clearly, due-diligence mistakes are easy to make, even for the most experienced of brands, and those mistakes can often prove costly.

Unlike Verizon, you may not have a leading in-house risk assessment team to help you prevent these mistakes. But, you do have the resources you need at your fingertips. You have partnership options.

Give us a call so we can help you protect your next acquisitions long-term value.

RETURN TO INSIGHTS