Anytime you're engaged in a transaction, whether investing in or acquiring another company, it's important to understand the industry they're in. That's because each industry has unique cyber- and data-security concerns, says Moore & Van Allen Co-head of Commercial & Technology Transactions Todd Taylor.
For instance, if you're in health care you're likely going to have protected health information that's subject to HIPAA, as well as several data security requirements that you must comply with. Financial services companies are going to be subject to Gramm-Leach-Bliley, which has several detailed privacy and data security requirements.
"You have to understand the target environment that they're operating in, the kinds of data that they have access to and the kinds of regulatory regimes that they're subject to because it's really not a one-size-fits-all approach when you're doing any kind of due diligence in an M&A or an investment transaction," Taylor says. "And the kinds of steps that you're going to take are very much going to differ if you're looking at a consumer-focused financial services business versus a back-end manufacturing or distribution company. It's just a different nature of risk, and the amount of due diligence you're going to spend on data security and cyber security issues and privacy issues is going to vary greatly."
Aon Cyber Solutions Managing Director C.J. Dietzman says what he continues to see are soft spots around vulnerability management, data protection, security awareness, authentication controls, restricted access controls, and incident response readiness.
"I see far too many consistent themes around weaknesses and soft spots in those domains, even across industry sectors," he says. "We would strongly encourage organizations that are getting prepared or positioned to go through an acquisition scenario or to be acquired that they consider those."
Aon Mergers and Acquisition Consultant Michael Laskowitz says cyber threats and exposures have become a heightened area of focus for reps and warranties underwriters.
"Twelve months ago, 24 months ago, they'd ask about what coverage was in place, did it have prior acts — that they may dig into it a little bit," he says. "Now it's basically a requirement that they have coverage."
He says underwriters have started dictating that there be an underlying policy and they're also looking for higher coverage amounts.
"It's evolving very quickly in the cyber space," he says. "Even as reps and warranties brokers are going and getting quotes from underwriters, upfront in the quoting process they're providing that kind of feedback. Coverage for pre-closing occurrences, full prior acts coverage, dictating limits, terms, things like that."
Taylor, Dietzman and Laskowitz, along with Aon's Greg Draddy, spoke at the recent Charlotte Smart Business Dealmakers Conference about cyber security in M&A: asking the right questions, protecting data and IP, and making sure your company is ready for dealmaking.