TESTING THE DEFENSES: CYBERSECURITY DUE DILIGENCE IN M&A

Contributors

Sean Curran, Director, Security & Infrastructure
Sean Curran is a director in West Monroe Partners’ Security and Infrastructure practice, based in Chicago. He has more than 20 years of business consulting and large-scale infrastructure experience across a range of industries and IT domains, including extensive work in the areas of data and information security. He has experience designing secure environments, helping clients adhere to industry and government compliance frameworks including PCI DSS, HIPAA and ISO 27000.

Paul Cotter, Senior Architect, Security & Infrastructure
Paul is an experienced and practiced security professional, with over 15 years of experience in software, infrastructure and organizational security for Fortune 100 companies. Paul has performed several functional diligences in the security product space, including Endpoint Protection, Network Intrusion Detection, Threat Intelligence, and Deep Packet Inspection.
312.846.9974 | pcotter@westmonroepartners.com

Matt Sondag, Managing Director, Mergers & Acquisitions
Matt Sondag is a managing director in West Monroe Partners’ New York office. A skilled business consultant with a strong technology background, Matt is responsible for expanding and deepening the firm’s unique offerings to the private equity market, including its merger and acquisition services. Matt works with private equity and strategic buyers involved in or preparing for investments and acquisitions. He assists buyers with pre-deal IT and operational due diligence, as well as post-close projects (integration and carve-out).

John Stiffler, Senior Director, Mergers & Acquisitions
John Stiffler is a senior director and the leader of West Monroe Partners’ Mergers and Acquisitions practice in Chicago. He specializes in corporate divestitures and operates as a client partner, combining strategy, financial, people, process, and technology disciplines to deliver technology-enabled business change. He has over 30 years of global business and technology consulting experience across multiple industries with heavy emphasis in manufacturing and distribution, healthcare, high tech and professional services.

westmonroepartners.com | 800.828.6708

Contents

Foreword
Sounding the alarm
Assessing the risks
PE paying up
Hitting the escape button
Good governance
Unpleasant discoveries
Conclusion
Appendix: Respondent profiles

Foreword

Big data and IT are becoming ever more critical to the modern corporate world. As their importance rises, data security has become vital for ensuring business continuity and protecting a company’s most prized assets – its customer information and intellectual property.

The costs of failing to keep data secure are increasing rapidly. In 2015, the average cost of a data breach reached US$3.79m, a 7.6% increase over 2014, according to a survey commissioned by IBM. Overall, the total cost of cybercrime to the global economy as estimated by software-maker McAfee can reach up to US$575bn per year.

In the realm of M&A, concerns about cybersecurity are becoming a critical issue when companies target acquisitions. A company’s cybersecurity infrastructure – or lack thereof – can affect the deal price, and at times determine whether a potential acquirer goes through with a deal at all.

Data security has long been an issue for M&A activity in certain sectors, such as retail and technology. In recent years, however, it has become relevant across industries. Take healthcare: in 2015, major insurer Anthem suffered a breach of an estimated 80 million customer records after hackers broke into its network, part of a string of breaches at medical firms. In the telecom industry, British firm TalkTalk saw the data of 157,000 customers exposed, and the company predicted the incident would cost it over US$50m.

In order to protect themselves from security lapses, acquirers are turning to vigorous due diligence to examine the IT infrastructure of deal targets. Diligence procedures are quickly expanding and improving – but many companies continue to identify shortcomings in the process.

Our report surveyed top-level corporate executives and private equity partners about their companies’ practices in order to better understand the state of cybersecurity diligence for M&A. The results provide a window into the trends that shape the diligence process, as well as insights into the ways it can be improved. We hope the report proves useful to you as you navigate the increasingly complex dealmaking landscape.

Key findings include:

Cybersecurity diligence is no longer optional. Seventy-seven percent of our respondents said the importance of data security issues at M&A targets has increased significantly over the last two years. The costs associated with data breaches have led acquirers to take the issue much more seriously.

Good governance trumps bells and whistles. The abundance of new data security tools has made it easier to have cutting-edge technology in place. But the way in which tools are used and relationships are managed remains paramount when it comes to maintaining sound cybersecurity.

Be practical when assessing risks. In the diligence process, 47% of our respondents focus on planning for fixes to problems they uncover, since most targets can be expected to have a few issues. The price tag for making the necessary changes is key as well, as fixes can require considerable expense.

Remember to implement deal protections. Acquirers can be held legally liable for undisclosed data breaches or other cybersecurity problems at an M&A target. As a result, protections such as representations and warranty insurance and closing conditions are trusted safeguards against undue harm.

Knowledgeable personnel are key. Given the velocity at which cybersecurity trends evolve, it is essential for the team vetting a deal target to be experienced and well-versed in the field. Almost one-third (32%) of our survey respondents said not enough qualified people were involved in the diligence process in recent deals.

Sounding the alarm
Acquirers are finally taking note: Cybersecurity has become a crucial part of the due diligence process for M&A. Ignore a target’s data breaches at your peril.

As the value of data rises across industries, companies are becoming increasingly concerned about IT security at deal targets. Eighty percent of our respondents said cybersecurity issues are highly important in due diligence, compared to just 20% who said they are somewhat important. At the same time, 77% said the importance of cybersecurity at M&A targets had increased significantly over the last 24 months, reflecting the rapid growth of risks related to cybercrime and the growing number of costly data breaches.

Chart: When conducting due diligence for a deal, how important are cybersecurity issues at the target company? Highly important: 80%; Somewhat important: 20%.

Chart: Over the last two years, how has the importance of cybersecurity issues at target firms changed for you? Increased significantly: 77%; other responses: 23%.

West Monroe managing director Matt Sondag said acquirers have become much better-informed of late about the risks of inadequate cybersecurity. “When a data breach lands on the front page of CNN.com or The Wall Street Journal, companies start to pay closer attention to the issue,” he said. “In the last 18 to 24 months, we have really started to see the importance of cybersecurity resonate with our clients.”

Indeed, instances of major financial loss due to breaches are becoming increasingly common. In one of the most notorious cases, retailer Target suffered a breach in late 2013 at its point-of-sale systems. As of Q1 2015, the company had accrued a loss of US$252m in connection with the breach and has faced legal action by credit card companies, government agencies, and consumers.

Vulnerable IT systems can indicate poor risk management at a company as well as lead to concrete business losses, said a partner at a mid-market private equity firm with over 80 active investments. “Data security issues that arise while conducting due diligence are highly important, as they are indicators of risk exposure and may lead to damages related to non-compliance or reputational harm,” the PE partner said.

One respondent, the director of M&A at a technology firm that completes more than 10 acquisitions a year, said his company needed to determine whether or not to go through with a deal, since data security is crucial to their industry. “Information collected through data security diligence plays the most important part in deciding the future course of the deal,” the M&A director said. “We operate in an industry where data security is of utmost importance and therefore any breach or intrusion could permanently harm the company’s image and operations.”

The proactive approach

Cybersecurity due diligence is about more than deciding whether a company is an appropriate target, according to our respondents. Almost half (47%) said their top priority for using the information they gain in the process is to plan for fixes – meaning they presume that they will go through with the deal once the process has begun. One-third (33%) said they use the information to decide whether to do the deal and one-fifth (20%) said they focus on negotiating better deal terms.

Respondents who said they prioritize planning for security fixes argued that it was realistic to expect companies to have some issues. “We don’t think there are any companies without inadequacies in their data security,” said a managing director at a mid-market private equity firm focused on industrials and business services. “It is obvious there will be some issues. But we have to know the quantity and complexity of the issues so that we can resolve them.”

The bottom line: It’s realistic to expect most M&A targets to have a few cybersecurity issues. The key is identifying them and determining how easily they can be addressed.

Chart: What is your main priority when using the information gleaned in the cybersecurity diligence process? Planning for fixes to uncovered problems: 47%; Deciding whether to go through with the deal: 33%; Negotiating down the purchase price (or other deal terms): 20%.

Assessing the risks
Whether a target needs a network overhaul or could face legal action over a breach, the potential costs of security problems can be immense.

The practical concerns related to security problems at a target – such as the cost of fixing them and the implications for integration – are often the most pressing, according to our respondents. Exactly half of them said the cost of correcting existing problems topped their list of worries and 43% said future integration issues concerned them most.

The amount companies need to spend to close loopholes or overhaul networks can vary widely, depending on the size of the firm and the scale of the problem. But the cost can easily run into the hundreds of thousands of dollars, even for a mid-market company – and that’s not counting potential legal costs down the line. “Data security is no small thing to deal with,” said a managing director at a PE firm with investments in over 20 countries. “There is the cost of correcting the existing problems, and then the firm could have unresolved litigation or lawsuits that could surface after the deal has closed.”

More than a third of respondents (37%) said they are highly concerned about the occurrence of frequent or recent data breaches. According to West Monroe senior director John Stiffler, looking at a target’s incident history provides valuable insight into its overall security posture. “One of the first things we do in the diligence process is to ask the potential acquisition about past breaches,” Stiffler said. Almost equally important is to look at the remedial action taken by the firm in response. In some cases, the “battle scars” of going through a breach can actually make a company strengthen its security policies, Stiffler said.

Thirty-seven percent of respondents said they especially worried about threats to customer data, while 33% said threats to business data concerned them. Many executives are well aware of the costs that accompany breaches, which become more likely if specific threats to corporate data are present. In the 2007 breach of Heartland Payment Systems, for instance, the cost in fines and legal expenses alone reached US$150m, CEO Robert Carr said in 2014.

Chart: When it comes to cybersecurity issues at a target firm, what are your top concerns? (Select up to two) Cost of correcting existing problems: 50%; Potential complications for post-merger integration: 43%; Occurrence of frequent or recent data breaches: 37%; Threats to customer data: 37%; Threats to business data: 33%.

The bottom line: A proper due diligence must look at the full gamut of risks: breach history, specific data threats, problems for integration, and the cost of potential fixes.

Compliance in focus

As privacy laws evolve quickly around the world, compliance issues are the most common and important problem uncovered at deal targets, our respondents said. Seventy percent named them as one of the most frequent data security issues and 30% called them the most important.

In the US, three federal agencies take responsibility for policing data privacy: the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and now the Consumer Financial Protection Bureau (CFPB) as well. In a 2015 case, the US Court of Appeals for the Third Circuit ruled that the FTC could hold companies responsible for weak data security practices that lead to breaches. In an even more surprising case, the CFPB announced a settlement in March 2016 with payments startup Dwolla over privacy concerns – despite the fact that Dwolla had not even experienced a breach.

The scope of oversight appears to be growing in proportion to the scale of data being collected by most companies – and that scale is on the rise. “We have seen an increase in compliance issues due to the vast amounts of data within enterprise systems,” said a finance director at a software firm that makes fewer than five acquisitions a year. “Managing compliance effectively is a top concern, and most companies are seen as being in a weak position due to the magnitude of the data and the complexities of newer technologies.”

Chart: What are the most common and important types of cybersecurity problems uncovered at a deal target? (Select up to three most common and one most important) Most common: Compliance problems 70%; Lack of comprehensive data security architecture 40%; Vulnerability to insider threats 37%; Inadequate security on mobile devices 33%; Vulnerable local server storage 30%. Most important: Compliance problems 30%; Lack of data security team 17%. Other categories charted: Weak encryption/security by vendors; Vulnerable cloud storage; Weak employee password policy.

Infrastructure red flags

Beyond broad agreement about the prominence of compliance issues, opinion was split among respondents regarding the most common and troublesome data security problems at targets. The concerns most commonly seen included the lack of a comprehensive data security architecture (40%), inadequate security on mobile devices (33%), and vulnerable local server storage (30%).

West Monroe’s Matt Sondag explained the process of analyzing a company’s security architecture with the analogy of looking at a person’s home security. “When we look at a target’s network setup, their firewalls, and their overall infrastructure topology, it’s like looking at a house,” he said. “We ask: Do you always lock your doors? Do you always put the alarm on? Do you always shut the windows? Do you always close the garage door?”

“By checking these issues, we can start to understand whether they have processes and procedures in place that will be there in the future and that will ultimately tell us whether a network is secure,” Sondag added.

At the same time, an analysis must look beyond the overall infrastructure. “Application security, which includes internal access control, is also key,” Sondag said.

In the realm of mobile security, new safeguards are becoming necessary, such as the ability to remotely wipe a phone or laptop. In the event a device is lost or stolen, fines can be reduced if you can prove that sensitive data was deleted.

Insider threats

Vulnerability to insider threats, cited by 37% of respondents as a common problem found at targets, is a mounting concern. A 2015 study by IT industry association CompTIA showed that a slight majority of security breaches (52%) result from employee action, whether malicious or unintentional, as opposed to outside attackers. “Internal systems that are not fully secured usually create the most challenges, since insider risks or threats can arise in the process,” said the CFO at a mid-cap broadcasting company.

Interestingly, in terms of importance, the problem cited second-most by respondents was the lack of a data security team (17%). The CFO at a telecommunications company said locking down technical systems can prove challenging without properly trained IT personnel. “The lack of a dedicated team makes it difficult to ensure adequate specialization and effectiveness in managing security concerns,” he said.

The bottom line: The stickiest problems at deal targets tend to be compliance concerns and an inadequate cybersecurity infrastructure.

781: the number of data breaches at companies in the US in 2015, according to the Identity Theft Resource Center

US$3.79m: the average cost of a data breach in 2015, according to a survey commissioned by IBM

PE paying up
Private equity is taking heed of the potential for data security issues at portfolio companies.

The rise in cybersecurity concerns at companies is making them a hot topic in corporate and private equity boardrooms. As West Monroe’s Matt Sondag explained, this is leading to some rare occurrences.

“I recently got a call from a private equity client who said that they wanted to do a cybersecurity analysis on four of their portfolio companies – and that they were going to pay for it themselves,” Sondag said. “It’s rather unique for a PE firm to pay for this, and it means that they are really concerned about it. Obviously, if there is any remediation to be done, the portfolio companies will pay for it themselves. But I think private equity firms are becoming more and more cognizant of the issue.”

Hitting the escape button
If cybersecurity problems are especially severe at an M&A target, they can be deal-breakers.

In 2015, an Italy-based surveillance company called Hacking Team was breached. All it took for the person to break in was a single password of an unsuspecting engineer. His password? “Passw0rd.” The infiltrator then planted a backdoor into the network, granting him permanent access to the company’s systems. In the resulting breach, nearly 400GB of sensitive data was released to the public.

The Hacking Team intrusion demonstrates the dangers inherent in something as simple as a weak corporate password policy. Indeed, it can signal the presence of other vulnerabilities within the company that extend beyond cybersecurity. “A weak corporate password policy may be a sign of bigger issues within the company,” said Sean Curran, director of West Monroe’s Security & Infrastructure practice. “If basic policies don’t exist and aren’t enforced, what other exposures are there? More serious issues may exist, like unencrypted credit card data in their databases, and those will be deal killers.”

In the majority of cases, cybersecurity issues alone are not enough to cause a buyer to abandon an acquisition: 77% of our respondents said they have never walked away from a deal for that reason. Some respondents said they were able to avoid it by investigating a company’s data security infrastructure in the targeting phase, before a preliminary purchase agreement had been signed. A vice president for strategy at a global medical products firm said they had adjusted the terms of a deal over cybersecurity concerns, but never cancelled a deal: “We have never walked away from a deal due to data security issues, although one deal process suffered turbulence because of security concerns. The deal timelines were affected and the deal value was also reduced.”

When a company is deciding whether to make an acquisition, security problems can also indicate poor risk management at the target. “We noticed data security issues at one target firm that were not negligible and we preferred to walk away from the deal,” said a managing director at a PE firm that primarily uses a buy-and-build strategy. “The volume of issues was an alarming signal of the risks the organization would face.”

The bottom line: Cybersecurity risks aren’t ending many deals during the current M&A boom, but they need to be better managed. And if buyers become more selective in their deal criteria, the importance of cybersecurity could rise further.

Chart: Have you ever walked away from a deal due to data security issues at the target? No: 77%; Yes: 23%.

Good governance
High-tech software and qualified personnel are only part of the equation when it comes to effective data security.

You’re starting the due diligence process at a potential acquisition and the initial signs are good. The target uses cutting-edge security tools, such as privileged identity management and endpoint detection and response software. The in-house security team is small (three people) but elite – each member has immaculate credentials. The team insists it can handle the security duties even as the company experiences rapid growth. In fact, they are so confident that they don’t have all of the firm’s security policies written down. Instead, they say, the policies are simply etched in their brains.

So – just how well protected is this company from cyber attacks? Its data and computer systems appear to be secure, but it’s difficult to verify. The reason is that its security governance is weak. The individual elements of the security apparatus appear to be strong, and yet the infrastructure is fragile and vulnerable to sudden change.

“In reality, it doesn’t matter how many tools you have and how good or bad they are if you’re not actively managing the use of them and constantly adjusting your security program,” said Paul Cotter, a senior data security architect at West Monroe. “No matter which security tools you have in place, the situation is going to degrade over time.”

Review and renew

Effective security governance is integral to a high-functioning cybersecurity strategy. Perhaps the most important aspect of effective governance is ongoing review and renewal, since best practices evolve quickly as technology changes and hackers seek to exploit open loopholes.

When scrutinizing a potential M&A target’s security governance, several questions are important to answer. First of all, does the company have adequate policies and procedures in place? Then, how well are those policies documented? And finally, does the company actively review and manage its policies?

“Solid documentation of the infrastructure is key, since you can’t assess the risk of a system if you don’t know the details,” Cotter said. “The company needs a common understanding of what the environment looks like and how everything is linked together. They also need to know where the security controls are actually implemented, who manages them, and whether they are actively enforced.”

Relationship guidance

Another critical aspect of security governance is the management of vendor relationships – especially as companies increasingly turn to managed security service providers (MSSPs) to handle their data protection. Small, tight-knit security teams can be effective when a company has limited needs, but MSSPs are helpful for duties such as around-the-clock monitoring.

For security to be properly managed with an MSSP, communication between the MSSP and the company needs to be regular and substantive. The performance of the security provider must also be frequently re-evaluated.

“When we see a company leveraging an external vendor, we want to see a lot of documentation on how they’re managing that relationship, where the hand-off points are, and how specifically an incident gets escalated,” Cotter said. “If one of these service providers finds a problem, how does it get escalated to the target’s internal resources?”

After a deal is completed, it’s important to remain vigilant about the acquisition’s security policies – especially if the firm is not being fully integrated with the acquirer, as with a private equity purchase. Over time, the security systems vetted during due diligence will require periodic checking and updating.

The bottom line: How a company manages the procedures and policies for its cybersecurity system – its security governance – is just as important as the system’s level of technical sophistication.

Evaluating the process

The history of cybersecurity risk essentially goes back as far as the Internet – meaning only about 25 years – and due diligence on data security is an even younger phenomenon. The process has advanced significantly as companies have become more cognizant of the risks that come with vulnerabilities, but problems remain.

Chart: Overall, how satisfied have you been with the cybersecurity due diligence conducted for recent deals? Highly satisfied: 40%; Somewhat satisfied: 57%; Somewhat dissatisfied: 3%.

Chart: What, if anything, did you find inadequate about the cybersecurity diligence process for recent deals? (Select up to two) Not enough time devoted to it: 39%; Not enough qualified people involved: 32%; Lack of cooperation or knowledge on part of the target: 29%; Lack of thoroughness – problems were uncovered after the deal happened: 29%; Inadequate preparation on your part: 25%.

The vast majority of respondents in our survey have been highly satisfied (40%) or somewhat satisfied (57%) by the data security diligence in recent deals. Those who have been somewhat satisfied, however, cite a significant number of caveats in their evaluations of the process. A managing director at a private equity firm that has completed more than 200 investments said the “information received was incomplete and the process took a longer period of time” than they had expected, adding that the missing information was “not negligible.” In a deal done by a managing director of a mid-market PE firm, the diligence process overlooked “issues like identity theft and intrusions in the internal systems.”

Out of time

In terms of specific inadequacies in the due diligence process, 39% of respondents explained that not enough time had been devoted to it and 32% said it lacked a sufficient number of qualified personnel. “Even the advisers we hired were not experts in the field – their market knowledge was way less than we had expected,” said the finance director at a healthcare technology firm.

One way to gauge the expertise of cybersecurity advisers is to look at what related services they offer. For instance, firms that regularly put in place data security fixes in addition to conducting M&A due diligence often have better awareness of the relevant red flags and best practices. “We conduct over 120 security diligences a year, but a large part of why we bring value to the diligence process is that we’re not just doing diligences all day long,” said Paul Cotter, a senior data security architect at West Monroe. “The people we bring are practitioners who are implementing solutions in the field.”

A potentially more significant problem is a lack of cooperation or knowledge on the part of a target, cited by 29% of respondents as an inadequacy. “One recent target did not possess sufficient knowledge or experience with the things that were required for a deal,” said the CFO at a mid-cap telecommunications firm. “There were delays in the procedure due to the lack of thoroughness. In spite of the planning done, the deal faced a lot of problems due to the target company’s inefficiency.”

The bottom line: It is vital to have an experienced and well-informed team carry out diligence on data security issues. Otherwise, major problems can be overlooked.

Limiting liabilities

Typically, when you buy something like an old house or a used car, you can’t take out insurance that will reimburse you if you uncover a problem after the purchase goes through. But with M&A targets, you can – the prevalence of transaction insurance is on the rise, including for cybersecurity risks. US insurer Marsh calculated that policy limits it placed in 2015 rose by 45% year-over-year, reaching a record level of US$11.2bn.

Nearly two-thirds of respondents (63%) said representations & warranty insurance is among the most important protections in mitigating data security risk, while over half (53%) said closing conditions are vital. The head of one private equity firm’s healthcare division said representation & warranty policies are especially useful because they are flexible in scope. “The most favorable special protections for mitigating data security risks are representations & warranty insurance, as this is highly custo
