Could Security Concerns Scuttle M&A and Investment Deals?

April 6, 2015 – In The News
Dark Reading

Scott L. Vernick was quoted in the Dark Reading article, “Could Security Concerns Scuttle M&A and Investment Deals?” Full text can be found in the April 6, 2015, issue, but a synopsis is below.

Last week’s breach of a communication software startup offered a glimpse as to why information security is not just a big consideration for business partners and customers, but for potential investors and acquiring companies as well.

The breach occurred just after the company was raising up to $160 million in investments.

It is unclear whether the company discovered the breach or if new investors were told of it before they agreed to the deal, but one thing that is for sure is that as large-scale breaches continue to gain awareness in the board room, mergers and acquisitions and other investment deals may begin to include security contingencies to cover investors.

“I could foresee a situation in which, number one, a deal might go through, but one of the terms is that certain upgrades and certain measures be taken from a data security perspective between the time of signing and closing,” says Scott Vernick, a noted privacy attorney. “And, two, I could see closing contingent upon there being no material adverse changes, just like anything else. I could also see certain holdbacks from the purchase price if the buyer determines that you've got to spend $5 million or $10 million or whatever it is to bring someone up to best practices or a more robust security environment.”

According to Vernick, though security evaluations add yet another layer of complexity to the due diligence process, it is something that should not be optional in the M&A vetting process.

“If I was sitting on a board, now in addition to asking all the questions you would normally ask, like ‘What's this going to do for us?’ and ‘Where do we see our ROI and how quickly will we realize it?’ the next question is ‘What liability from a data security perspective are we taking on?’” he says. “Because the last thing that you want to do is end up doing a merger or acquisition and then becoming responsible for a whole other set of liabilities because you have no real understanding of what the data security is of the target.”

This requires an organization to understand of data it collects from customers, how it collects it, where the data is stored and for how long as well as who has access to the data, Vernick says.

According to Vernick, it is also important to ensure whoever asks those questions has the proper technical knowledge to ask the right questions and analyze the answers to truly see the associated risk.

“In a typical deal you have due diligence which is done by a combination of in-house resources, outside counsel and an investment banker,” Vernick says. “Now you're going to have to make sure that one of those three or somebody else that you bring on board has the technical skill set to ask the right questions.”

Click here to view the full article.