Managing Data Privacy and Cybersecurity Risks in...

Managing Data Privacy and Cybersecurity Risks in M&A Deals: Pre-Planning, Due Diligence and Risk Allocation Strategies
Minimizing Impact of Cybersecurity Vulnerabilities on Transaction Value

Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, MAY 4, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
• Jennifer C. Archie, Partner, Latham & Watkins, Washington, D.C.
• Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.
• Gerard M. Stegmaier, Partner, Reed Smith, Washington, D.C.


© Copyright 2015 Latham & Watkins. All Rights Reserved.

Managing Data Privacy and Cybersecurity Risks in M&A Deals

Jennifer C. Archie, Latham & Watkins

Gerard M. Stegmaier, Reed Smith

What is due diligence?
• The process of obtaining, reviewing and analyzing information concerning a business enterprise.
• We perform diligence for either buyers, sellers, or institutional investors / underwriters.
• Buy-side due diligence is much more common.
• Vendor due diligence reports (more common in Europe) are sometimes provided to potential buyers or bidders.
• We may perform sell-side diligence to ensure that our clients’ representations and warranties and related schedules are correct and to understand issues that may affect contract negotiations.

Objectives
Identify structural and business characteristics of the target that might:
• Affect the decision of our client to complete the transaction (deal killers);
• Affect the price the client is willing to pay;
• Affect the structure of the transaction.
Provide information that affects the purchase agreement:
• Representations and warranties
• Covenants
• Closing conditions
• Indemnification
Provide information that informs post-closing management and mitigation of risk, liability or expense.

Understanding the Privacy/Cyber Specialist’s Role Within the Overall Deal Flow
Process
• Review of documents provided by Seller (or in SEC filings for public targets)
• Initial and supplemental written requests and interrogatories
• Diligence calls with Seller
• Database searches, where appropriate (e.g., liens, IP registrations)
• Coordinate with other work streams (e.g., accountants, environmental or benefits consultants and other counsel)
• Expert stealth or direct assessments
Work Product / Output
• Regular oral updates, and “Red flags” memo/summary
• Formal due diligence memo
• Executive summary
• Detailed contract summaries and other exhibits, where appropriate
• Potential calls with financing sources

Things deal teams need to identify include:
• Anything that extends the time to close the transactions or accomplish full separation (i.e. need for transition services, approvals, third party consents, or major IT integration barriers)
• Material liabilities (i.e. litigation, government investigations, unfunded or budgeted capital or personnel expense needed to mitigate data-related compliance or liabilities)
• Reputational issues (i.e. material public investigations or data breaches)
• Terms of material contracts (does risk allocation align correctly; is PCI or other data security standard conformance promised but lacking?)

Getting Started
First Rule: Understand the Deal Process
• Auction or proprietary? If auction, which level?
• Deal process will inform the amount and type of info available
• Coordinate to make sure that diligence efforts are consistent with larger deal strategy
Diligence Request Lists or Letters
• Generally start with trusted forms precedents involving targets in same industry
• Tailor to client’s needs and what is already known about target.
• Short form or longer and more comprehensive request letter?
• Materiality thresholds?
• Applicable time period?
• Tailor requests to reflect any information already provided
• Seek relevant specialist input
• Consider outside expert investigation (stealth or direct access to target)

Eight key questions to orient the Cyber diligence
1. What types of information or computer systems and operations are most important to the business? (Customer data? Intellectual Property/Trade Secrets? Operational systems delivering core services to customers? Corporate email and other systems?)
2. What sensitive types of data does the target handle or hold relating to natural persons (which data elements in particular)?
3. Where is sensitive information stored?
4. How is it protected in transit, at rest, and in motion?
5. What are the most concerning threats to information, networks, or systems?
6. Have there been prior incidents?
7. What is the cybersecurity budget?
8. What are the recovery plans if critical information or systems become unavailable?

Key Process Considerations
• Who asks these questions on behalf of the buyer or underwriters, at what stage in the process, in what settings, and with what time allowances?
• What is the role of privilege?
• Special topics
  • Cardholder data: breach-related risks and liabilities; PCI compliance
  • IP Assets and APT or Insider Threats
  • Regulatory investigations and outcomes

8 Questions for Privacy Pros in Transactions
1. What is the relationship between the diligence information sought and the transaction (both now and in the future)?
2. Do I know what the deal is about and what my clients care about (or should care about)?
3. Am I being a problem “solver” rather than a problem “spotter” or “administrator”?
4. Is “privacy” material in this deal? How? Do I know why this matters?
5. What effect do qualifiers such as “knowledge” or “MAE” have on diligence? On the seller’s representations and risk allocations?
6. Should identified issues or risks be included on disclosure schedules?
7. What tools are available to manage data risks to help the parties complete a transaction? Escrows?
8. What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?

Rolling it up into a final analysis and recommendations
• Did diligence identify material risks, liabilities, contingencies in the context of the overall proposed transaction?
• What is the level of confidence in the facts or issues that were described in the final diligence read-outs and reports? I.e., should the buyer have confidence that assurances and representations as to no incidents, compliance with laws, etc. are reliable?
• What gaps in readiness, incident investigation or response, or compliance need to be addressed in agreement and schedules? Seller’s pre-closing behaviors? Post-closing?
• What is the role of cyber insurance in mitigating identified expense, loss, or risk?

Contacts
Jennifer Archie, Partner
Latham & Watkins
T +1.202.637.2205

Gerard M. Stegmaier, Partner
Reed Smith
T +1 202 414 9293

Data Privacy and Cyber Security Due Diligence in M&A Deals

Alan Brill, CISSP, CFE, CIPP/US, FAAFS

May 4, 2017

The Problem: Why has “Cyber” Become So Important?
A Quick Introduction…

When you or your client want to…
• Expand into a new business geography
• Increase market share
• Neutralize competition
• Improve technology and systems
• Acquire a new customer base or BI data
WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?

What’s the Cyber Risk in an M&A Transaction?
• Theft of intellectual property and trade secrets?
• Loss of sensitive business information and strategies?
• Loss of customer / employee data and damages to reputation and employee / consumer confidence?
• Litigation and compliance risks?
• Remedial expenditures?
• Loss of shareholder value?
(Not counting compromise of data on the deal itself!)

Kroll’s Experience and Advice

Kroll’s Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
• Phase 1: Target risk evaluation
  − Identify key InfoSec risk facing business
  − Set up team to review data and processes
• Phase 2: Deal and response diligence
  − Deal diligence on key players and assets
  − Technical response review of assurances
• Phase 3: Pre closing network diligence
  − Endpoint Threat Monitoring and analysis
  − Security controls review
• Phase 4: Post purchase implementation
  − Incident response planning
  − Table top exercise (TTX)

Phase 1. Target Evaluation
• Identify the InfoSec risks facing the target
• Data risks
• Regulatory risk
• Develop the data security team involvement
• Identification of integration issues and constraints
• Define roles with transaction team
• Implement secure communications approach
• Identify outside expertise needs

Phase 2: Pre-Signature
• Development of diligence approach
• Kroll diligence workup on key players and corporate assets
• Assistance to review technical InfoSec reporting on pre-signing actions:
  − Covenants, representations, and warranties
  − Licenses, vendors, business associates
  − Indemnification, limits, and basket
  − Divestment triggers
  − Avoidance of “knowledge” qualifiers
  − Use of “Material Adverse Security Effect”

Phase 3: Pre-Closing
• Endpoint Threat Monitoring and Analysis
  − Used to understand how the enterprise controls unknown software inside its environment
    o Not just looking for known malware
  − Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
  − Review all running binaries and processes
  − Corroborate patching processes and find significant vulnerabilities
    o A two week process…
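An added example, not part of the original slides and not Kroll's tooling: one way to triage an endpoint process inventory on the four attributes named above (location, signature, network connections, persistence) without relying on known-malware signatures. The record fields, the user-writable directory list, the internal address ranges, the approved-signer flag and the sample inventory are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Assumptions for this example: directories a standard user can write to,
# and the address ranges treated as internal to the target's network.
USER_WRITABLE = {"appdata", "temp", "downloads", "public"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]

def findings(rec):
    """Return the reasons a process record deserves analyst review."""
    reasons = []
    parts = {p.lower() for p in PureWindowsPath(rec["path"]).parts}
    if parts & USER_WRITABLE:
        reasons.append("location: runs from a user-writable directory")
    if not rec["signed"]:
        reasons.append("signature: binary is unsigned")
    elif not rec.get("signer_trusted", False):
        reasons.append("signature: signer is not on the approved list")
    external = [a for a in rec["remote_addrs"]
                if not any(ip_address(a) in net for net in INTERNAL)]
    if external:
        reasons.append(f"network: {len(external)} connection(s) leave the internal ranges")
    if rec["persistence"]:
        reasons.append(f"persistence: {rec['persistence']}")
    return reasons

def triage(inventory, threshold=2):
    """Rank records that trip at least `threshold` attributes, most first."""
    hits = [(r["host"], r["path"], findings(r)) for r in inventory]
    hits = [h for h in hits if len(h[2]) >= threshold]
    return sorted(hits, key=lambda h: len(h[2]), reverse=True)

# Constructed sample inventory (not real data).
INVENTORY = [
    {"host": "WS-014", "path": r"C:\Windows\System32\svchost.exe", "signed": True,
     "signer_trusted": True, "remote_addrs": ["10.1.4.20"], "persistence": "service"},
    {"host": "WS-014", "path": r"C:\Users\jdoe\AppData\Roaming\updater\upd.exe",
     "signed": False, "remote_addrs": ["203.0.113.7"], "persistence": "HKCU Run key"},
    {"host": "SRV-02", "path": r"C:\Program Files\Vendor\agent.exe", "signed": True,
     "signer_trusted": False, "remote_addrs": ["10.1.4.9"], "persistence": None},
    {"host": "WS-031", "path": r"C:\Users\asmith\Downloads\tool.exe",
     "signed": False, "remote_addrs": [], "persistence": None},
]

if __name__ == "__main__":
    for host, path, reasons in triage(INVENTORY):
        print(host, path)
        for reason in reasons:
            print("   ", reason)
```

A single attribute on its own (a signed system service with persistence, a vendor agent with an unfamiliar signer) stays below the threshold; records that combine several attributes are the ones ranked for review.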

Phase 3: Pre-Closing
• Security Controls Review
  − Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
  − Review the governance and structure of the target’s InfoSec response

Phase 4: Post-Closing
Integration TTX
• Review information response plan
• ID and brief changes
• Interview key stakeholders
• Develop scenarios
• Deliver TTX with old and new teams

In Summary…
• It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions
• You will never invest in a house without an appropriate inspection
• Information security involvement as part of the deal team is key
• Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provide value through each phase of the transaction, are of significant value in due diligence

Alan Brill, CISSP, CFE, CIPP/US, FAAFS
Senior Managing Director
Kroll Cyber Security & Investigations
T +1-319-8026