IT Due Diligence Guide

Make an informed technology company investment.


Jun 27 2020

IT Due Diligence in a Pandemic

The COVID-19 pandemic has had many impacts on M&A activity and IT due diligence. The pace of deals has slowed, and some transactions that were in-process at the start of the outbreak have been canceled.

Two main issues are currently affecting the smaller deals that often involve companies with higher levels of technology and compliance risk.

The first is the current impracticality of business travel. The CEO of the travel website Kayak says a business travel recovery has “a long way to go” and believes business travel may never return to pre-pandemic levels. This means that the opportunity for a site visit, usually a vital component of the IT due diligence process, may not exist. Even if a site visit is possible, the employees at many companies are working remotely.

The second is the anecdotal evidence that many deals happening now involve companies in financial distress being acquired by competitors. Therefore, the deals are time-sensitive, and due diligence will need to be focused and abbreviated.

Though not ideal, there are ways to address both of these issues.

Without a site visit, you’ll have to accept the fact that you won’t get the benefits of developing rapport with the target company’s staff. You also won’t be able to easily adapt your IT due diligence based on what you see on-site by walking through the workspace, server rooms, etc.

The widespread availability of videoconferencing software can help. Instead of in-person discussions occurring at a relatively leisurely pace, you’ll need to have more in-depth conversations over Zoom, etc.

To replace walkthroughs, consider working with your contact at the target to use a technology like FaceTime to do a virtual inspection of the facilities. This is not the preferred approach, and you’ll be at the mercy of the person you’re working with to show you everything relevant, but it’s better than nothing.

Another ramification of this approach is that there will most likely need to be greater transparency about the process with the staff at the target. It’s typical to develop a cover story about the reason for a site visit (“considering a partnership” or “auditing our security”), but this may not be feasible with a remote approach that ends up being so probing in such a short amount of time.

When it comes to the potentially abbreviated timeline, you’ll be forced to focus on the high-risk areas of the company. You may have only a day or two for IT due diligence. These items will be specific to each transaction, but here are some typical focus areas:

Products and Services

You’ll need to understand the goal of the acquisition. Is it to add new products or services to the acquirer’s offerings, or is it to acquire the target’s customers and move them to the purchaser’s service? Are the target’s products and services compatible with the acquirer’s? Are there features that would need to be added to the acquirer’s products to maintain customer satisfaction? Does the acquirer have in-house expertise in the technology, allowing for synergies and reducing the risk of departing employees at the target?

Security

Has the company ever been the victim of a cyberattack or data breach? If so, what was done to address any associated vulnerabilities going forward? Is cyber insurance in place? If so, was the prior incident disclosed in the policy application? If not disclosed, the policy may not provide the desired level of protection. Does the target’s IT staff seem to have a good awareness of security best practices? If the target is a healthcare company in the US, have they performed a proper HIPAA risk analysis? If the target deals with customers from the European Union, how have they addressed requirements under the GDPR?

Source Code Review

A brief source code review may be the only option, so the person performing the IT due diligence will have to rely as much on how the code is explained by the developers as on any detailed review by themselves or a third-party expert. Do the developers seem to have a good handle on the organization of the code? Are you confident they are the ones who originally wrote it?

Intellectual Property Ownership / Non-competes

This is one of the most important things to investigate. Was any software represented as being owned by the target developed by contractors or consultants? If so, review copies of any associated agreements to be sure the target company properly structured the relationship to retain ownership of the developments. Have the employees signed non-compete agreements? A fast-paced acquisition may well create concern among the target’s employees, and some may leave. Are there any restrictions on employee competition?

Software Licensing

Software licensing is a common high-risk area. Focus on any expensive tools being used, such as enterprise-class databases and server operating systems. If these are not correctly licensed, other licensing concerns are probably lurking at the target.

It will be impossible for such limited IT due diligence to identify every risk. The acquiring company should consider adding items not always part of the representations and warranties section of the purchase agreement to cover IP ownership, security best practices, absence of past cyberattacks, etc.

Although a remote, abbreviated IT due diligence process is not ideal, it may be unavoidable during the COVID-19 pandemic. A thoughtful, prioritized approach provides the best chance to quickly identify any areas that could threaten the long-term success of the transaction.

Written by Jim Hoffman · Categorized: Blog

Jun 15 2020

The 2020 Edition of the IT Due Diligence Guide is Now Available

The 2020 edition of the IT Due Diligence Guide has been released.

An October 2019 Deloitte survey conducted by OnResearch asked 750 US-based corporate executives what their primary M&A strategy was expected to be over the next 12 months. The top response was, “Seeking deals that will help us acquire new (to us) technology.” As this is written in June 2020, with the world beginning to “reopen” from COVID-19, it’s expected that M&A activity derailed by the pandemic will resume.

Those deals will likely focus on smaller targets with niche services and technologies. Unfortunately, those are the companies that are most likely to present risks that threaten to reduce the value of the acquisition.

There are several reasons.

Hackers are now more carefully targeting businesses, especially with ransomware. Cyberattacks against companies are up 13% year-over-year. Attacks that shut down city governments and large company networks frequently make the news, but you’ll never hear about the many successful hacks against smaller companies, governments, and organizations. 58% of ransomware victims paid a ransom last year.

At the same time, companies of all sizes are struggling to hire qualified IT security staff and find the resources needed to protect against cyberattacks. When larger companies find it challenging to establish proper IT security practices, smaller organizations are likely operating at even higher risk levels.

Another trend impacting companies of all sizes is the rise of new data security regulations around the world. While the EU’s GDPR (General Data Protection Regulation) has received much attention, individual countries and American states have added overlapping and sometimes conflicting data and IT security laws. In some cases, these laws apply to citizens of the regulating government, so any company storing or processing data for those citizens, regardless of where the company is located, may be required to follow the laws. Many smaller companies are not aware of the existence of these laws, let alone in compliance with them. These regulations can have a material impact on a company’s business model or need for future IT investment.

Of course, these developments don’t reduce the need for the traditional IT due diligence focus on IT staff, product plans, system scalability, software licensing, etc.

In the 2020 edition, the IT Due Diligence Guide has been further expanded and reorganized to address current IT security and operational concepts. Due diligence requests have been added and explanations have been revised.

Using the IT Due Diligence Guide and the related tools included with the book, both seasoned due diligence professionals and those working on behalf of the infrequent investor can uncover the technology risks and opportunities in any company.

Learn More About the Book

Written by Jim Hoffman · Categorized: Blog

Jun 11 2018

IT Due Diligence and the Meltdown and Spectre Processor Vulnerabilities

Background

In January 2018, a group of computer chip makers and software publishers alerted the world to the Meltdown and Spectre vulnerabilities.

Meltdown affects computing devices regardless of the operating system. It exploits an optimization feature in many Intel chips known as “out-of-order execution.” The outcome is that malware on a computer powered by an affected chip can read the physical and kernel memory of the device. This memory can, for example, contain unencrypted passwords that were recently used.

You can read a detailed, technical explanation of Meltdown here:

https://meltdownattack.com/meltdown.pdf

Spectre also affects processors from Intel, as well as AMD and ARM. Spectre exploits a chip concept called “speculative execution.” In order to improve performance, many chips guess the next operation to be performed and run it before being specifically instructed to. Spectre encourages the chip to run an incorrect “guess” and then reads the traces that guess left in the cache, which are not rolled back when the chip discards the incorrect work and runs the correct instruction.

You can read a detailed, technical explanation of Spectre here:

https://spectreattack.com/spectre.pdf

Recent Activity

Since the January announcement:

  • Additional variants of both Meltdown and Spectre have been discovered.
  • Vendors have since made various microcode (updates to processor behavior and performance), BIOS and software patches available and continue to do so.
  • These updates have in some cases impacted computer performance to a noticeable degree.
  • Malware creators have attempted to exploit the vulnerabilities.
  • Some malware creators have decided that it is easier to exploit the concern around Meltdown and Spectre than the vulnerabilities themselves, and are circulating “patches” that actually distribute malware.

Meltdown, Spectre and IT Due Diligence

One of the most important things any organization can do to improve cybersecurity is to stay up to date with all relevant operating system and software patches. Many breaches and other cybersecurity incidents succeed only because known vulnerabilities were left unpatched.

When evaluating a company’s technology expertise during IT due diligence, a review of the process for monitoring and deploying patches is very enlightening. Many organizations are far too casual in their approach. This is not acceptable when it comes to Meltdown and Spectre.

Even though exploiting these chip vulnerabilities is difficult, the risk of exposing critically important information is too great to ignore. In all but the most exceptional cases, any performance penalty related to the patches should be an acceptable price to pay for the assurance of security.

During IT due diligence, ask the staff at the target company what they’ve done so far to mitigate Meltdown and Spectre. In the worst case scenario, they may not know what you’re talking about. If so, given the fact that this is one of the most well-publicized and potentially dangerous IT security risks ever, you should be concerned that other basic but less obvious security risks have not been addressed.

In a perfect world, the response you receive would be that the staff at the target company heard about the issue when it was announced, have been monitoring the latest developments with their relevant vendors and have implemented all patches that have been released. This should include chips, operating systems, and software such as browsers (which have been shown to be able to host a Spectre attack via JavaScript). Browsers may need certain configuration changes to provide protection.

Ideally, the target company would maintain written policies and procedures that describe the patching process. This should include how patches are identified as necessary, how they are tested before being applied to production systems and how the current patch status of each device is tracked.
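One concrete artifact a target’s staff can produce to back up their answers is the Linux kernel’s own mitigation report, which kernels since 4.15 expose as one small file per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original post or of the IT Due Diligence Guide; the sample report directory it falls back to is constructed for illustration, and the helper names (report_cpu_vulns, make_sample_report) are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post). Since Linux 4.15 the kernel
# reports its view of the CPU side-channel mitigations as one file per issue
# under /sys/devices/system/cpu/vulnerabilities, each holding a single line:
#   "Not affected", "Mitigation: <technique>", or "Vulnerable".

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print one line per reported issue and return:
#   0  every entry is "Not affected" or "Mitigation: ..."
#   1  at least one entry reports "Vulnerable"
#   2  the directory is missing or empty (pre-4.15 kernel, or not Linux)
report_cpu_vulns() {
    dir=$1
    [ -d "$dir" ] || { echo "no kernel mitigation report at $dir"; return 2; }
    found=0
    vulnerable=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # unmatched glob or stray subdirectory
        found=1
        name=$(basename "$f")
        status=$(cat "$f")
        case $status in
            Vulnerable*)    flag=FAIL; vulnerable=1 ;;
            Mitigation:*)   flag=ok ;;
            "Not affected") flag=ok ;;
            *)              flag=UNKNOWN ;;  # newer kernels may add wording
        esac
        printf '%-7s %-28s %s\n' "$flag" "$name" "$status"
    done
    [ "$found" -eq 1 ] || { echo "no entries in $dir"; return 2; }
    return "$vulnerable"
}

# Constructed sample report (illustrative values, not read from any real host):
# a machine patched for Meltdown and Spectre v1 but still exposed to Spectre v2.
make_sample_report() {
    dir=$1
    mkdir -p "$dir"
    printf 'Mitigation: PTI\n'                        > "$dir/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$dir/spectre_v1"
    printf 'Vulnerable\n'                             > "$dir/spectre_v2"
    printf 'Not affected\n'                           > "$dir/l1tf"
}

# Stand-alone run: use the real report on a recent Linux host, otherwise
# fall back to the constructed sample so the output format is still visible.
if [ -d "$SYSFS_VULN_DIR" ]; then
    target=$SYSFS_VULN_DIR
else
    target=$(mktemp -d)
    make_sample_report "$target"
    echo "(using constructed sample report in $target)"
fi
rc=0
report_cpu_vulns "$target" || rc=$?
case $rc in
    0) echo "RESULT: no unmitigated issues reported by the kernel" ;;
    1) echo "RESULT: unmitigated issues present; ask for the patch plan" ;;
    *) echo "RESULT: no kernel report available; verify mitigations another way" ;;
esac
```

The kernel report covers only the OS-level view on that host; microcode, hypervisor and browser mitigations still need their own evidence, as the text notes.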

In addition, even though antivirus and antimalware software cannot detect Meltdown and Spectre attacks, they can protect against malware attempts to install software that can launch an attack. And it’s always a best practice to deploy up-to-date antimalware software.

If the target company is using cloud providers such as Amazon Web Services or Microsoft Azure, those vendors have announced that they have patched their systems against these vulnerabilities.

The best general source for Meltdown and Spectre information is https://meltdownattack.com/ which is maintained by Graz University in Austria, one of the discoverers of the two vulnerabilities. This site includes the latest updates, links to the original technical papers describing the exploits, a FAQ, and advisories from major vendors. This is a good resource to review during IT due diligence, once a target company’s major vendors have been identified.

Conclusion

Meltdown and Spectre are among the most serious IT security risks ever identified. It will be many years before the processors that are impacted have been replaced by more secure versions. A target company’s reaction to Meltdown and Spectre provides a good opportunity to evaluate the overall technical proficiency of the organization during IT due diligence.

Written by Jim Hoffman · Categorized: Blog

May 20 2018

IT Due Diligence and Public Company Cybersecurity

On February 21, 2018, the US Securities and Exchange Commission (SEC) issued interpretive guidance related to cybersecurity risk and incident disclosures.

See the full document here:

https://www.sec.gov/rules/interp/2018/33-10459.pdf

In addition to creating new requirements for public companies in the US, this action points to new, important areas of investigation when performing IT due diligence on these companies.

Background

In 2011, the SEC’s Division of Corporation Finance issued guidance related to public company disclosure obligations regarding cybersecurity risks and incidents. This guidance informed companies that although there were no specific cybersecurity risk and incident disclosure requirements in place, they might be obligated to disclose them under existing regulations. In response, many public companies began to disclose cybersecurity information in required SEC reporting documents.

Given the increasing severity and size of cybersecurity incidents at large companies around the world since 2011, the SEC believed it was important to provide further interpretive guidance, which resulted in the February 2018 release.

Key Points in the 2018 Guidance

Periodic and Current Reporting

Annual reports (10-K) and quarterly reports (10-Q) must provide “timely and ongoing information” regarding “material cybersecurity risks and incidents that trigger disclosure obligations.”

Current reports (8-K and 6-K) should be used to promptly disclose the existence and costs of cybersecurity incidents.

The SEC is not suggesting that companies provide detailed technical information in cybersecurity disclosures, especially when that information could create greater cybersecurity risk.

Companies should review and correct prior reporting that did not adequately disclose cybersecurity risks and incidents.

Registration Statements

Securities registration statements should be reviewed for proper disclosure of cybersecurity risks.

The SEC specifically indicates that cybersecurity risks associated with acquisitions must be considered.

The following factors should be considered when determining whether disclosure is appropriate:

  • The existence of prior cybersecurity incidents
  • The probability and potential magnitude of future incidents
  • The adequacy and costs (including insurance coverage) of the company’s efforts to reduce cybersecurity risks
  • Risks related to the company’s industry
  • Risks and past incidents involving the company’s suppliers and service providers
  • The potential for damage to the company’s reputation
  • Regulations that affect the company’s efforts and requirements
  • Litigation and other remediation costs associated with past cybersecurity incidents

To the extent there is cybersecurity risk associated with a company’s operations, the company board’s role in overseeing that risk and the existence of any cybersecurity risk management program should be disclosed.

Importance of Cybersecurity Policies and Procedures

There are already numerous requirements in place for public companies to disclose and for senior officers to certify the completeness and accuracy of risk disclosures. These include the development, maintenance and periodic evaluation of the effectiveness of relevant policies and procedures. The SEC clarified in this release that such requirements cover cybersecurity risks and incidents.

Insider Trading Prohibitions

The SEC clarified that information related to cybersecurity risks and incidents may be considered “material nonpublic information” and therefore fall under existing laws prohibiting insider trading on such information.

The Impact on IT Due Diligence

The SEC release has a number of impacts on IT due diligence.

When Performing IT Due Diligence on a Public Company

  • Evaluate the existence and effectiveness of cybersecurity risk reporting policies and procedures
  • Determine if previous cybersecurity incidents have been properly reported and mitigated
  • Evaluate whether suppliers and service providers have been properly evaluated for cybersecurity risks (the massive 2013 Target data breach occurred via an HVAC service provider)
  • Assess the company’s practices regarding cybersecurity IT due diligence of past and ongoing acquisitions
  • Review the adequacy of cybersecurity liability insurance

When Performing IT Due Diligence on a Potential Acquisition of a Public Company

  • Thoroughly investigate the history of prior cybersecurity incidents. Will the existence of a significant prior breach impact the acquirer’s ability or cost to obtain cybersecurity insurance? Will a disclosure of prior cybersecurity incidents and expenses be required of the acquirer?
  • Is the company currently addressing or mitigating the costs of a cybersecurity incident?
  • If the acquirer is using the acquisition to move into a new industry, are there industry-specific cybersecurity risks to identify and disclose?
  • Review the cybersecurity history of the company’s suppliers and service providers as they may soon become vendors of the public company

Companies with Public Market Intentions Evaluating their Readiness

  • Ensure that cybersecurity risk and disclosure policies and procedures are developed
  • Evaluate current supplier and vendor cybersecurity risks
  • Fully document past cybersecurity incidents, including the steps taken to mitigate and the related costs
  • Obtain or review the adequacy of cybersecurity insurance

Conclusion

As information technology plays a more and more important role in every company, laws and regulations must be updated to keep up. The 2018 SEC guidance is a good example. Public companies should review their current practices related to cybersecurity risk and disclosure to ensure they remain in compliance.

Written by Jim Hoffman · Categorized: Blog

Feb 27 2018

The Value of Insurance Applications in IT Due Diligence

Most businesses maintain some form of general liability insurance. Increasingly, companies are purchasing specialty policies related to cyber liability and Health Insurance Portability and Accountability Act (HIPAA) insurance. These policies can protect companies against the potentially high cost of mitigating a data breach or other hacking incident.

For several reasons, the applications for such policies can be extraordinarily helpful when performing IT due diligence on a target company. Any application for insurance that has been completed in the past three years should be requested, regardless of whether it was ultimately submitted for coverage or not, and whether the coverage was approved or denied.

First, the answers on the applications themselves are often enlightening in terms of identifying potential risks. After all, the purpose of the policy is to protect against risks, so insurance companies do their best to identify them via the applications.

Companies applying for insurance will typically need to disclose and discuss:

  • High-risk data being stored (medical records, credit card information, etc.)
  • How many such records are stored, and how and where they are stored
  • Whether they are in compliance with industry standards such as PCI and HIPAA
  • Security risks related to staffing (hiring practices, background checks, access controls, etc.)
  • Whether any security audits have been performed on the company and the results of such audits
  • Details on backup and recovery plans
  • The presence of written policies and procedures related to security
  • Network security protections in place
  • History of any data breaches or cyber attacks

Obviously, these answers are useful in IT due diligence. These can be used as the jumping-off point for further conversations and investigation. One should also compare the answers received on the IT due diligence checklist to the answers on the insurance application. If they are different, it’s necessary to understand whether something has changed since the application was completed or if the IT due diligence response was inaccurate or incomplete.

Next, whether the policy was ultimately approved or denied is an informative data point. If the policy was denied, it’s imperative to understand why. If there was a risk deemed to be so substantial as to make the target company uninsurable from a cyber liability standpoint, you must be confident that any related deficiencies have since been remedied. You should also check with the acquiring company’s cyber insurance carrier to understand their application process. Will a recent coverage denial impact the ability to cover the target company if it’s acquired?

Finally, the answers on the insurance application for any cyber liability coverage in place for the target company should be compared to the information uncovered during IT due diligence. Many insurance carriers write the policy on the condition that the information on the application is accurate and that the insured is following industry best practices related to IT security. If IT due diligence determines that either of these conditions is untrue, then the coverage should be considered questionable and the legal due diligence team should be alerted and consulted.

Many aspects of technology due diligence described in the IT Due Diligence Guide lend themselves to a "belt and suspenders" approach – gather information from various sources and look for discrepancies that help to identify and mitigate IT risks. Reviewing cyber liability insurance policy applications can be a great resource for comparative information in this process.

Written by Jim Hoffman · Categorized: Blog

© Copyright 2012-2020 Alzhan Development LLC. All rights reserved.