[The following post is contributed by Prajoy Dutta, a third year B.A.,LL.B (Hons.) student at Institute of Law, Nirma University, Ahmedabad and Srinivas Raman, a fourth year B.A.,LL.B (Business Law Hons.) student at National Law University, Jodhpur]
In the rapidly expanding mergers and acquisitions (“M&A”) environment, companies often overlook the finer aspects of due diligence in their zeal to complete the transaction. However, these overlooked aspects tend to be reasons behind deal failures. It is because companies underestimate the importance of thorough due diligence on the target and take several vital things for granted at the time of closing.
One such aspect that has become extremely vital in today's business atmosphere is cyber security. Cyber due diligence is a relatively new area of due diligence which has largely emerged as a result of technological advancements and increasing data and privacy threats. Due to the onslaught of globalization and technology, almost all formal sectors today are dependent on technology, connectivity and digital networks to varying degrees. While sectors such as media, information, telecom, software and technology services are enabled by technology, various other sectors such as marketing, banking, education, transport and medical have grown exponentially by incorporating technology as a driver to increase their performance and efficiency.
However, cyber due diligence remains an un-prioritized and often ignored area in most deals in India and other developing countries. This post seeks to shed light on the importance and scope of cyber due diligence in India by presenting the main risks and consequential impact on M&A deals in India. It also suggests certain strategies to mitigate cyber risks through a study of international best practices.
Risks Due to a Lack of Cyber Security Due Diligence
Threats that arise out of cyber-attacks appear in several forms. Many such threats pose serious direct and indirect financial risks to companies, a pertinent example being how the emergence of ransomware has highlighted the ease with which cyber criminals can halt business operations for days or weeks at a time, resulting in unrecoverable loss of revenue. However, what are the initial threats that result in financial risks? These can broadly be divided into two major categories i.e. electronically stored information (ESI) data breaches and loss of deal value. ESI breach risks can be explained by further dividing them into intellectual property (IP) loss, reputation and brand impact, and remediation costs. Other hidden costs may include value of lost contracts, lost value of customer relationships and insurance premium increases.
ESI and Data Storage Breaches
The lack of focus on cybersecurity due diligence in Indian M&A transactions can lead to serious impacts on ESI and data that is stored on online databases such as the cloud. ESI refers to any data that is created, altered, communicated and stored in digital form. Examples of ESI could range from emails exchanged on the company’s servers to confidential information about the company’s IP and trade secrets. The two major ramifications that arise from an ESI breach are both immediate, such as a loss of IP and long term, such as a loss in brand and customer reputation.
Loss of Confidential Intellectual Property
Surprising as it may seem, despite its widespread ramifications, cases involving IP loss due to cyber-attacks have largely remained in the shadows. It is important to note, however, that IP theft has ramifications that could metastasize over months and years. The effect of an IP loss could include forfeiting the “first to market advantage, a loss in profitability, and in the worst case – losing entire lines of business to competitors or counterfeiters”. In almost all cases, the theft involves stealing of important corporate secrets such as trade secrets, proprietary business information and even merger plans rather than publicly available information such as patents and trademarks.
Loss of brand reputation
An equally important risk that must be discussed is a company’s loss of reputation in the event of a data breach. The risk is greater for publicly traded companies since reputation and investor sentiment are key factors in determining the company’s share price on the market. Perhaps the greatest risk lies with companies that rely on user data such e-commerce companies or social media networks. In the contemporary digital age, the security of user’s personal information is closely entwined with the right to privacy and it is expected that every business organisation should recognize and protect these rights. This protection however, should not be limited only to users but also to business partners, employees and all other stakeholders. The protection of sensitive information is critical to an organization’s ability to conduct business. A reputation for strict focus on information security would not only make an organisation a trusted business partner, it could also result in a significantly higher price of acquisition by an acquiring company.
Role of Cyber Diligence in M&A Transactions
Typically, the primary aim of due diligence over a target is to help the acquirer determine a fair price to pay for acquisition. The price so arrived at is inversely proportional to the quantum of risks uncovered.
The lack of cyber due diligence does not merely impact the pricing of the target company; it also has the potential to seriously hamper envisaged synergies at the post-merger integration stage. Integrating the electronic network and data of the target post - acquisition to the network of the acquiring company may be extremely problematic if the target’s network infrastructure is weak or flawed. These issues may dilute the benefits of other synergies by adding to further costs in building and revamping cyber infrastructure, often making the transaction counter-productive or resulting in failure.
The Consequential Impact on M&A in the Indian Market
The potential impact on Indian M&A looks grim given the substantial amount companies are spending in solving post data breach problems. Indian companies have especially faced the brunt of not incorporating cybersecurity checks into their due diligence process. A 2016 data breach study by the Ponemon Institute that focuses on the costs of data breaches in India, reveals some important and worrying numbers. The average per capita cost of a data breach increased from Rs. 3,396 in 2015 to Rs. 3704 in 2016. The average total organizational cost of the data breach increased from Rs. 88.5 million in 2015 to Rs. 97.3 million. Malicious or criminal cyber-attacks resulted in a total cost of Rs. 4,596 million this year, system glitches cost Rs. 2953 million and negligence or human error cost Rs. 3,301 million. Financial institutions, services, industrial and technology companies are the industries with higher data breach costs.A cursory analysis of these figures reveals the loss an acquiring company may have to face due to lapses in the target company’s cybersecurity framework. All in all, none of the figures reveal a very promising picture for successful M&A deals in the Indian market and it is high time that cybersecurity due diligence took a major role in due diligence processes in Indian M&A transactions.
Lessons learnt from International Best Practices
In order to safeguard against cyber threats, malware and other data protection and security related problems, companies across the world have, in recent years started adopting certain mitigation practices. While conducting due diligence of the target company, a potential acquirer should check inter alia whether the following measures have been adopted and the extent of liability covered by them:
1. Cyber security insurance:
One of the best ways of mitigating risks associated with cyber security is to purchase cyber insurance for the organization. Typically, internet based risks, technology infrastructure and other data related risks are outside the ambit of traditional commercial insurance products. Hence, there is a need for a specialized product which can safeguard the organization against cyber risks. Cyber insurance offers several benefits; it provides inter alia first- party coverage against losses arising out of hacking, malware infection, theft/ destruction of confidential data, etc. in addition to other allied services such as timely security-audits, providing investigation services post cyber-attacks, etc. It also provides a unique funding mechanism, which helps businesses affected by cyber-attacks recuperate from major losses and resume day-to-day operations in a smooth manner.
Although cyber insurance is becoming the norm in most jurisdictions having a mature market, it is not the case in India as the market for cyber insurance products is not large as compared to other insurance products. In the Indian market, only a handful of players such as HDFC Ergo, Tata AIG and ICICI Lombard offer cyber insurance services. However, due to the high premiums charged by these service providers, only a handful of large companies are able to afford them, leaving most of the small and medium sized businesses vulnerable to cyber attacks. Moreover, there is a general perception among Indian companies that such expenditures are unnecessary. This is the result of a lack of awareness and foresight which in the long run will prove catastrophic for technology dependent companies.
2. Security Program Assessment (SPA):
Evaluating digital resilience of the target company is a wise decision. Digital resilience is a highly valued intangible asset which is factored into the price of the transaction. A properly conducted SPA discloses a comprehensive report indicating all potential cyber risks which a company faces and also helps devising mitigation strategies. It also detects areas which need further protection. Having an updated SPA report at the time of acquisition increases the price of the target company as the risks faced by the acquirer are significantly lowered. In the present scenario, most companies in India do not undertake SPA, mainly due to lack of awareness of the risks they face and the benefits which they could gain from taking such measures.
It is high time that Indian companies woke up to realize the importance of cyber due diligence. Given the increasing trend of multi-sectoral M&A activity, Indian companies would do well to follow the norms of matured markets and adopt precautionary and risk mitigating strategies to protect their organization’s data from cyber threats and hackers.
- Prajoy Dutta & Srinivas Raman
 James A Sherer, et. al., Merger and Acquisition Due Diligence Part II- The Devil in the Details, 22 Rich. J.L. & Tech. 1 (2015-2016).
 Rachel Louise Enseign, Cybersecurity Due Diligence Key in M&A Deals, Wall Street Journal Blog, available at http://blogs.wsj.com/riskandcompliance/2014/04/24/cybersecurity-due-diligence-key-in-ma-deals/.
 The global average cost of a data breach in 2015 was $3.79 million. For more information on related direct and indirect financial risks, refer the FireEye White Paper titled The Benefits of Cybersecurity Due Diligence in Mergers and Acquisitions available at https://www2.fireeye.com/rs/848-DID-242/images/wp-benefits-of-cyber-security.pdf.
 A ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
The Benefits of Cybersecurity Due Diligence in Mergers and Acquisitions, FireEye, available at https://www2.fireeye.com/rs/848-DID-242/images/wp-benefits-of-cyber-security.pdf.
 See note 12 below.
 For a pertinent example, refer to the Forbes article on Target Corp’s major data breach, available at http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#169b1ad06bd1. See also, The Biggest Data Breaches in 2016, so far, available at https://www.identityforce.com/blog/2016-data-breaches.
 Definition sourced from http://searchcompliance.techtarget.com/definition/electronically-stored-information-ESI.
 John Gelinee, J. Donald Fancher, Emily Mossburg, The Hidden Costs of an IP Breach, Cyber theft and the loss of Intellectual Property, Deloitte University Press (July 25, 2016), available at http://dupress.com/articles/loss-of-intellectual-property-ip-breach/.
 As stated by Vince de Palma, President and CEO of Shred-it, an information security services provider, available at https://www.shredit.com/en-us/business-brand-reputation-loss-due-to-a-security-breach.
 The Ponemon Institute is an independent research institution based in the USA that focuses on privacy, data protection and information security policy.
 Tanya C. Fuhrman-Wenman, Cyber Insurance in International Mergers and Acquisitions, Denver Law Review (2016)
 Indian Perspective of Cyber Liability Insurance, available at http://www.infosecmaestros.com/blog/indian-perspective-of-cyber-liability-insurance.
 Zeta Dooly, Seamus Galvin, Jamie Power, et. al., IPACSO: Towards Developing an Innovation Framework for ICT Innovators in the Privacy and CyberSecurity Markets, 470 , pp.148-158 (2014), available at http://link.springer.com/chapter/10.1007/978-3-319-12574-9_13 (last viewed on 28.08.16). See also, Cyber Security, available at https://www.fireeye.com/blog/products-and-services/2016/04/cyber_security_the.html.2