Cyber risks and their importance in M&A transactions continue to increase amid the coronavirus crisis. This has become particularly marked as many employees are now working from home, while, cyber criminals are increasingly exploiting the coronavirus crisis to enrich themselves, according to the German Federal Office for Information Security.
The importance of cyber security has been growing for some years for M&A transactions. In addition to data protection compliance, cyber security is increasingly the determining factor in due diligence. In M&A transactions in the digital environment, due diligence of IT systems is essential for determining the purchase price. Since digital companies rarely have long-term business relationships or established business models, functioning IT systems often determine the purchase price.
Cyberattacks on companies can destroy large assets within short periods. Risks identified in the course of a due diligence often lead to purchase price and valuation discounts. In addition, every seller must expect that a buyer will demand to be indemnified against cyber risks revealed in the course of a due diligence and requires the seller to guarantee that no cyber risks exist. Material adverse change clauses (MAC) are another possibility to cover identified cyber risks.
Companies must adapt their cyber security efforts to the altered situation the y are finding themselves in. They must be aware that employees or their computers at home are exposed to extended risks. Those employees are no longer under the physical control of the company, they are also no longer working on the – hopefully, sufficiently – secured employer’s infrastructure. This poses numerous dangers since the employer can no longer monitor the work computers as if they were physically in the company network. In addition, working from home leads to further possibilities to attack, for example due to insufficiently secured home-Wi-Fi.
Cyber security as a legal obligation
Cyber security is a requirement not only for operational risk reasons. Almost all companies (regardless of their sector) are legally obliged to implement appropriate cyber security measures. Very few companies will be subject to the explicit obligations of the specific Federal cyber security law (BSI-Gesetz) for operators of critical infrastructures. However, corresponding requirements result from a large number of other laws, above all Art. 32 of the General Data Protection Regulation (GDPR).
According to Art. 32 GDPR, every entity that processes personal data (that is de facto almost every company) is obliged to implement technical and organisational data security measures appropriate to the respective processing risk. What is to be regarded as appropriate must be determined on the basis of the size of the company, the type of information processed, type of data subjects affected (for example, in the case of special protection requirements for patient data) as well as the processing activities carried out. International corporations or IT companies will have to take much more robust measures than small crafts businesses. As the risks change, for example through employees working from home, the business may need to adapt its security measures to remain compliant.
The implications and criticality of the obligations enshrined in Art. 32 GDPR is made clear by the fact that about two-thirds of all fines, as well as seven of the top 10 (in terms of amount of) fines that have been so far imposed on the basis of the GDPR are attributable to violations of Art. 32 GDPR. This shows on the one hand that companies obviously have considerable deficits in this area and on the other that the supervisory authorities have zoned in on such violations.
Furthermore, corresponding obligations to establish appropriate IT security measures also result from due diligence requirements on the company’s management. This responsibility can only be delegated to a very limited extent.
For service providers, corresponding obligations can also arise from customer contracts. In this regards, companies should now check whether remote work is not excluded by such contracts. In such a case, this circumstance should be immediately clarified with the respective customers.
All businesses will need to ensure they are complying with their GDPR and other legal obligations in relation to cyber security. But when it comes to M&A transactions, these measures will be subject to particular scrutiny through the due diligence process. It is important to ensure that measures are in order before entering the deal process, rather than risk this becoming an issue in the middle of the transaction.
Measures to mitigate work-from-home risks
In the current situation in which most employees are working from home, the following risks should be considered and appropriately taken care of:
- The workstation and its connection to the corporate network must be appropriately secured, for example through multi-factor authentication, encryption technologies and VPN tunnels. In addition, all applications that are not currently required could be blocked. This applies all the more if employees use their private devices.
- Employees should be given instructions on how to work from home, such as not using public Wi-Fi or the obligation to lock their computer when leaving the workplace. To prevent data loss, employees should be encouraged to store any documents only on the company server and not on local computers.
- Guidance on how to configure the home Wi-Fi (for example, with regard to its encryption or the use of a firewall) should be provided via tutorials or other IT support.
- Employees should be made aware of the specific risks arising from the current situation, such as the increased occurrence of phishing attempts and how to deal with such incidents.
- There should be clear instructions for action in the event of any violations with clear notification and reporting lines.
All these measures must be properly and verifiably documented, in case of scrutiny in the future by regulators or a potential buyer.
Finally, companies should consider whether any existing insurance against cybercrime and/or breaches also covers remote working.
Further information on IT security, see here.