The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
Data Privacy and Cybersecurity
Due Diligence in M&A Deals Identifying Vulnerabilities, Drafting Data-Related Provisions in
M&A Agreements, Post-Acquisition Data Integration Considerations
TUESDAY, SEPTEMBER 22, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Roberta D. Anderson, Partner, K&L Gates, Pittsburgh
Alan Brill, Senior Managing Director, Kroll Cyber Security & Investigations, Secaucus, N.J.
Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C.
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-888-450-9970 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-
hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
©2013 Goodwin Procter LLP
Privacy & Data Security in M&A Transactions
Gerard M. Stegmaier
Partner
Fiduciary Duties of Directors
Class Action Lawsuits
Employee Privacy
Due Diligence
The process of asking questions and assessing and
quantifying risk in order to allocate it intentionally.
Principal Risk Areas
• Liability
• Reputation
• Integration
Managing Risk
• Identify Risk
• Shift Risk
• Mitigate Risk
• Accept Risk
Asset Acquisitions: Common Features
• Buyer purchases some or all assets of the
Target
• Neither ownership nor existence of Target is
affected (i.e., Target shareholders continue to
own their stock)
Stock Acquisitions: Common Features
• Buyer purchases stock of the Target from the
Target’s shareholders
• All of the assets and liabilities of the Target
remain with the Target (which is owned by Buyer
post-closing)
• Because liabilities are acquired as well, due
diligence and contractual protections should be
more comprehensive, BUT fewer third party
consents will be likely
Merger
• One company is merged with and into
another, which is the Survivor
• All assets and liabilities of the merged
company succeed to, and are held by, the
Survivor
Common Merger Types
• Direct merger
• Forward triangular merger
• Reverse triangular merger
Common Negotiation Considerations
• Knowledge
• Materiality
• Laws
• Personal Information
• Remedies
8 Questions for Privacy Pros in Transactions
• What is the relationship between the diligence information sought and the transaction (both now and in the future)?
• Do I know what the deal is about and what my clients care about (or should care about)?
• Am I being a problem “solver” rather than a problem “spotter” or “administrator”?
• Is “privacy” material in this deal? How? Do I know why this matters?
• What effect do qualifiers such as “knowledge” or “MAE” have on diligence? On the seller’s representations and risk allocations?
• Should identified issues or risks be included on disclosure schedules?
• What tools are available to manage privacy risks to help the parties complete a transaction? Escrows?
• What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?
GERARD M. STEGMAIER, ESQ., PARTNER
Contact Information:
901 New York Avenue, NW
Washington, DC 20001
202.346.4202
@1sand0sLawyer
Data Privacy and Cyber Security Due Diligence in M&A Deals
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
September 22, 2015
1. The Problem: Why has “Cyber” Become So Important?
A Quick Introduction…
When you or your client wants to…
• Expand into a new business area
• Increase market share
• Neutralize competition
• Improve technology and systems
• Acquire a new customer base or BI data
WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?
You Want to Know (BEFORE, not After…)
(slide graphics dated September 2013, February 2014, August 2014 and September 2014; not reproduced here)
What’s the Cyber Risk in an M&A Transaction?
• Theft of intellectual property and trade secrets?
• Loss of sensitive business information and strategies?
• Loss of customer / employee data and damages to reputation and employee / consumer confidence?
• Litigation and compliance risks?
• Remedial expenditures?
• Loss of shareholder value?
(Not counting compromise of data on the deal itself!)
2. Kroll’s Experience and Advice
Kroll’s Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
• Phase 1: Target risk evaluation
− Identify key InfoSec risks facing the business
− Set up team to review data and processes
• Phase 2: Deal and response diligence
− Deal diligence on key players and assets
− Technical response review of assurances
• Phase 3: Pre-closing network diligence
− Endpoint threat monitoring and analysis
− Security controls review
• Phase 4: Post-purchase implementation
− Incident response planning
− Incident table top exercise (TTX)
Phase 1: Target Evaluation
• Identify the InfoSec risks facing the target
− Data risks
− Regulatory risk
• Develop the data security team involvement
− Identification of integration issues and constraints
− Define roles with transaction team
− Implement secure communications approach
− Identify outside expertise needs
Phase 2: Pre-Signature
• Development of diligence approach
• Kroll diligence workup on key players and corporate assets
• Assistance to review technical InfoSec reporting on pre-signing actions:
− Covenants, representations, and warranties
− Licenses, vendors, business associates
− Indemnification, limits, and basket
− Divestment triggers
− Avoidance of “knowledge” qualifiers
− Use of “Material Adverse Security Effect”
Phase 3: Pre-Closing
• Endpoint Threat Monitoring and Analysis
− Used to understand how the enterprise controls unknown software inside its environment
o Not just looking for known malware
− Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
− Review all running binaries and processes
− Corroborate patching processes and find significant vulnerabilities
o A two week process…
Phase 3: Pre-Closing
• Security Controls Review
− Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
− Review the governance and structure of the target’s InfoSec response
Phase 4: Post-Closing
• Integration TTX
− Review information response plan
− ID and brief changes
− Interview key stakeholders
− Develop scenarios
− Deliver TTX with old and new teams
In Summary…
• It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions
• You would never invest in a house without an appropriate inspection
• Information security involvement as part of the deal team is key
• Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provide value through each phase of the transaction, are of significant value in due diligence
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
Senior Managing Director
Kroll Cyber Security & Investigations
T +1-319-8026
© Copyright 2013 by K&L Gates LLP. All rights reserved.
Roberta D. Anderson
@RobertaEsq
September 22, 2015
Data Privacy and Cybersecurity Due Diligence in M&A Deals—The Importance of Insurance Coverage
AGENDA
The Importance Of Timing
What To Look For In An Insurance Audit
Potential Coverage Under “Legacy” Policies
Limitations Of “Legacy” Insurance Policies
Cutting Edge “Cyber” Insurance
M&A Insurance Provisions
A Word About Vendor Contracts
THE IMPORTANCE OF TIMING
Advanced Attacks Go Undiscovered For A Median 229 Days
A Merger/Acquisition May Close Before The Attack Is Discovered
Resulting In Substantial Post-Closing Liability
WHAT TO LOOK FOR IN AN INSURANCE AUDIT
POTENTIAL COVERAGE UNDER “LEGACY” POLICIES
• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime
− Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property?
• Commercial General Liability (CGL)?
Coverage B provides coverage for damages because of “personal and advertising injury”
“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
• What is a “Person’s Right of Privacy”?
• What is a “Publication”?
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
CUTTING EDGE “CYBER” INSURANCE
Privacy And Network Security
Provides coverage for liability (defense and indemnity) arising out of data
breaches, transmission of malicious code, denial of third-party access to the
insured’s network, and other network security threats
Regulatory Liability
Provides coverage to deal with regulators and liability arising out of
administrative or regulatory investigations, proceedings, fines and penalties
Crisis Management
Provides coverage for forensics experts to determine the cause of the breach,
notify individuals whose PII may have been compromised, call centers, ID theft
monitoring, PR and other crisis management activities
Media Liability
Provides coverage for liability (defense and indemnity) for claims alleging
invasion of privacy, libel, slander, defamation, infringement of IP rights (not
patent), and other web-based acts (e.g., improper deep-linking)
Network Interruption And Extra Expense (and CBI)
Coverage for lost business income and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).
Information Asset Coverage
Coverage for damage to or theft of the insured’s own systems and hardware,
and may cover the cost of restoring or recreating stolen or corrupted data.
Extortion
Coverage for losses resulting from extortion (payments of an extortionist’s
demand to prevent network loss or implementation of a threat).
Emerging Market For First-Party Property Damage
Emerging Market For Third-Party Bodily Injury and Property Damage Coverage
Defense And Indemnity For Claims
Regulatory Defense, Fines And Penalties
Crisis Management
BEWARE THE
FINE
M&A INSURANCE PROVISIONS
A WORD ABOUT VENDOR CONTRACTS
■ Be specific
■ Who is responsible for securing stored data? Data in motion?
■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls
■ Who has access, and to which parts, of the organization’s network?
■ What are the required cybersecurity standards?
■ Dovetail Vendor Contracts With Insurance Contracts
Linkedin: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership