Presenting a live 90-minute webinar with interactive Q&A
Managing Data Privacy and Cybersecurity Risks
in M&A Deals: Pre-Planning, Due Diligence
and Risk Allocation Strategies
Minimizing Impact of Cybersecurity Vulnerabilities on Transaction Value
THURSDAY, MAY 4, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Jennifer C. Archie, Partner, Latham & Watkins, Washington, D.C.
Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.
Gerard M. Stegmaier, Partner, Reed Smith, Washington, D.C.
© Copyright 2015 Latham & Watkins. All Rights Reserved.
Managing Data Privacy and
Cybersecurity Risks in M&A Deals
Jennifer C. Archie, Latham & Watkins
Gerard M. Stegmaier, Reed Smith
What is due diligence?
• The process of obtaining, reviewing and analyzing information
concerning a business enterprise.
• We perform diligence for either buyers, sellers, or institutional
investors / underwriters.
• Buy-side due diligence is much more common.
• Vendor due diligence reports (more common in Europe) are
sometimes provided to potential buyers or bidders.
• We may perform sell-side diligence to ensure that our clients’
representations and warranties and related schedules are
correct, and to understand issues that may affect contract
negotiations.
Objectives
Identify structural and business characteristics of the target that
might:
• Affect the decision of our client to complete the transaction (deal
killers);
• Affect the price the client is willing to pay;
• Affect the structure of the transaction.
Provide information that affects the purchase agreement:
• Representations and warranties
• Covenants
• Closing conditions
• Indemnification
Provide information that informs post-closing management and
mitigation of risk, liability or expense
Understanding the Privacy/Cyber Specialist’s Role Within the Overall Deal Flow
Process
• Review of documents provided by Seller (or in SEC filings for public
targets)
• Initial and supplemental written requests and interrogatories
• Diligence calls with Seller
• Database searches, where appropriate (e.g., liens, IP registrations)
• Coordinate with other work streams (e.g. accountants, environmental or
benefits consultants and other counsel)
• Expert stealth or direct assessments
Work Product / Output
• Regular oral updates, and “Red flags” memo/summary
• Formal due diligence memo
• Executive summary
• Detailed contract summaries and other exhibits, where appropriate
• Potential calls with financing sources
Things deal teams need to identify include:
• Anything that extends the time to close the transactions or
accomplish full separation (i.e. need for transition services,
approvals, third party consents, or major IT integration barriers)
• Material liabilities (i.e. litigation, government investigations,
unfunded or budgeted capital or personnel expense needed to
mitigate data-related compliance or liabilities)
• Reputational issues (i.e. material public investigations or data
breaches)
• Terms of material contracts (does risk allocation align correctly;
is PCI or other data security standard conformance promised
but lacking?)
Getting Started
First Rule: Understand the Deal Process
• Auction or proprietary? If auction, which level?
• Deal process will inform the amount and type of info available
• Coordinate to make sure that diligence efforts are consistent with larger
deal strategy
Diligence Request Lists or Letters
• Generally start with trusted forms precedents involving targets in same
industry
• Tailor to the client’s needs and to what is already known about the target.
• Short form or longer and more comprehensive request letter?
• Materiality thresholds?
• Applicable time period?
• Tailor requests to reflect any information already provided
• Seek relevant specialist input
• Consider outside expert investigation (stealth or direct access to target)
Eight key questions to orient the Cyber diligence
1. What types of information or computer systems and operations are
most important to the business? (Customer data? Intellectual
Property/Trade Secrets? Operational systems delivering core services
to customers? Corporate email and other systems?)
2. What sensitive types of data does the target handle or hold relating to
natural persons (which data elements in particular)?
3. Where is sensitive information stored?
4. How is it protected in transit, at rest, and in motion?
5. What are the most concerning threats to information, networks, or
systems?
6. Have there been prior incidents?
7. What is the cybersecurity budget?
8. What are the recovery plans if critical information or systems become
unavailable?
Key Process Considerations
• Who asks these questions on behalf of the buyer or
underwriters, at what stage in the process, in what settings, and
with what time allowances?
• What is the role of privilege?
• Special topics
  • Cardholder data: breach-related risks and liabilities; PCI compliance
  • IP assets and APT or insider threats
  • Regulatory investigations and outcomes
8 Questions for Privacy Pros in Transactions
1. What is the relationship between the diligence information sought and the transaction (both now and in the future)?
2. Do I know what the deal is about and what my clients care about (or should care about)?
3. Am I being a problem “solver” rather than a problem “spotter” or “administrator”?
4. Is “privacy” material in this deal? How? Do I know why this matters?
5. What effect do qualifiers such as “knowledge” or “MAE” have on diligence? On the seller’s representations and risk allocations?
6. Should identified issues or risks be included on disclosure schedules?
7. What tools are available to manage data risks to help the parties complete a transaction? Escrows?
8. What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?
Rolling it up into a final analysis and recommendations
• Did diligence identify material risks, liabilities, or contingencies in the
context of the overall proposed transaction?
• What is the level of confidence in the facts or issues described in the
final diligence read-outs and reports? That is, should the buyer have
confidence that assurances and representations of no incidents,
compliance with laws, etc. are reliable?
• What gaps in readiness, incident investigation or response, or
compliance need to be addressed in the agreement and schedules?
Seller’s pre-closing behaviors? Post-closing?
• What is the role of cyber insurance in mitigating identified expense, loss,
or risk?
Contacts
Jennifer Archie, Partner
Latham & Watkins
T +1.202.637.2205
Gerard M. Stegmaier, Partner
Reed Smith
T +1 202 414 9293
Data Privacy and Cyber Security
Due Diligence in M&A Deals
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
May 4, 2017
The Problem: Why has “Cyber”
Become So Important?
A Quick Introduction…
When you or your client want to:
Expand into a new business geography
Increase market share
Neutralize competition
Improve technology and systems
Acquire a new customer base or BI data
WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?
What’s the Cyber Risk in an M&A Transaction
Theft of intellectual property and trade secrets?
Loss of sensitive business information and
strategies?
Loss of customer / employee data and damages to
reputation and employee / consumer confidence?
Litigation and compliance risks?
Remedial expenditures?
Loss of shareholder value?
(Not counting compromise of data on the deal
itself!)
Kroll’s Experience and Advice
Kroll’s Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
• Phase 1: Target risk evaluation
− Identify key InfoSec risks facing the business
− Set up a team to review data and processes
• Phase 2: Deal and response diligence
− Deal diligence on key players and assets
− Technical response review of assurances
• Phase 3: Pre-closing network diligence
− Endpoint threat monitoring and analysis
− Security controls review
• Phase 4: Post-purchase implementation
− Incident response planning
− Tabletop exercise (TTX)
Phase 1. Target Evaluation
Identify the InfoSec risks facing the target
Data risks
Regulatory risk
Develop the data security team involvement
Identification of integration issues and
constraints
Define roles with transaction team
Implement secure communications approach
Identify outside expertise needs
Phase 2: Pre-Signature
Development of diligence approach
Kroll diligence workup on key players
and corporate assets
Assistance to review technical InfoSec
reporting on pre-signing actions:
Covenants, representations, and warranties
Licenses, vendors, business associates
Indemnification, limits, and basket
Divestment triggers
Avoidance of “knowledge” qualifiers
Use of “Material Adverse Security Effect”
Phase 3: Pre-Closing
• Endpoint Threat Monitoring and Analysis
− Used to understand how the enterprise controls unknown software inside its environment
  o Not just looking for known malware
− Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
− Review all running binaries and processes
− Corroborate patching processes and find significant vulnerabilities
  o A two-week process
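The slide above lists the behaviors a pre-closing endpoint review looks at (location, signature, network connections, persistence) and the patching check that accompanies it. The following is an added example written for this transcript, not Kroll’s tooling or any product the presenter describes: it scores a constructed process inventory on those indicators so a reviewer can rank what to examine first rather than only matching known-malware hashes. The record schema, the corporate address ranges, the "user-writable directory" list and the 60-day patch threshold are all assumptions chosen for illustration.

```python
"""Behavior-based triage of an endpoint process inventory (added example).

Assumed input: one record per running binary, as an endpoint agent export
might provide it. All records and thresholds below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class ProcessRecord:
    host: str
    path: str
    signed: bool               # code-signing status of the on-disk binary
    remote_ips: List[str]      # current outbound connection peers
    persistence: List[str]     # mechanisms keeping it running across reboots
    days_since_patch: int      # age of the host's last OS patch cycle


# Assumed enterprise address space; anything outside it is worth a look.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Directories an ordinary user can write to (lower-cased, path separators kept).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "/tmp/")
# Persistence mechanisms expected for legitimately installed software (assumption).
EXPECTED_PERSISTENCE = {"service"}
PATCH_AGE_LIMIT_DAYS = 60  # assumed policy threshold


def _is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def indicator_reasons(rec: ProcessRecord) -> List[str]:
    """Return the list of review reasons for one record (empty = nothing flagged)."""
    reasons = []
    path = rec.path.lower()
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable location")
    if not rec.signed:
        reasons.append("binary is unsigned")
    if any(not _is_corporate(ip) for ip in rec.remote_ips):
        reasons.append("has connections outside corporate address space")
    if any(m not in EXPECTED_PERSISTENCE for m in rec.persistence):
        reasons.append("persists via " + ", ".join(rec.persistence))
    if rec.days_since_patch > PATCH_AGE_LIMIT_DAYS:
        reasons.append(f"host unpatched for {rec.days_since_patch} days")
    return reasons


def triage(records: List[ProcessRecord]) -> List[Tuple[ProcessRecord, List[str]]]:
    """Keep only flagged records, most indicators first (stable for ties)."""
    flagged = [(r, indicator_reasons(r)) for r in records]
    flagged = [(r, why) for r, why in flagged if why]
    flagged.sort(key=lambda item: -len(item[1]))
    return flagged


# Constructed sample inventory: a benign system process, an unsigned binary in a
# user profile that phones out, and a signed agent on a stale host.
SAMPLE = [
    ProcessRecord("svc01", r"C:\Windows\System32\svchost.exe", True,
                  ["10.0.0.5"], ["service"], 12),
    ProcessRecord("ws17", r"C:\Users\jdoe\AppData\Roaming\updater.exe", False,
                  ["203.0.113.9"], ["run key"], 95),
    ProcessRecord("ws22", r"C:\Program Files\Vendor\agent.exe", True,
                  ["10.0.0.5", "198.51.100.20"], ["service"], 70),
]

if __name__ == "__main__":
    for rec, why in triage(SAMPLE):
        print(f"{rec.host}: {rec.path}")
        for reason in why:
            print(f"  - {reason}")
```

Run as a script it prints ws17 first with all five indicators, then ws22 with two. The point of the design is that each reason is a defensible, human-readable finding that can be carried into the diligence memo; a hash match against a malware feed would have said nothing about either host.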
Phase 3: Pre-Closing
• Security Controls Review
− Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
− Review the governance and structure of the target’s InfoSec response
Phase 4: Post-Closing
Integration TTX
Review information response plan
ID and brief changes
Interview key stakeholders
Develop scenarios
Deliver TTX with old and new teams
In Summary…
It is a brave new world, and cyber risks present an
emerging risk to value and liability in mergers,
acquisitions and investment transactions.
You would never invest in a house without an
appropriate inspection.
Information security involvement as part of the
deal team is key.
Technical solutions designed to identify and report
on InfoSec risks in a relevant way, and that
provide value through each phase of the
transaction, are of significant value in due diligence.
Alan Brill, CISSP, CFE,
CIPP/US, FAAFS
Senior Managing Director
Kroll Cyber Security &
Investigations
T +1-319-8026