Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Data Privacy and Cybersecurity Risks in M&A
Deals: Pre-Planning, Due Diligence, and Risk
Allocation StrategiesMinimizing Impact of Cybersecurity Vulnerabilities on Transaction Value
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
WEDNESDAY, FEBRUARY 5, 2020
Presenting a live 90-minute webinar with interactive Q&A
Alan Brill, CIPP/US, Senior Managing Director, Kroll, Secaucus, N.J.
Kimberly J. Gold, CIPP/US, Partner, Reed Smith, New York
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-877-447-0294 and enter your Conference ID and PIN when prompted.
Otherwise, please send us a chat or e-mail [email protected] immediately
so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the ‘Full Screen’ symbol located on the bottom
right of the slides. To exit full screen, press the Esc button.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 2.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the link to the PDF of the slides for today’s program, which is located
to the right of the slides, just above the Q&A box.
• The PDF will open a separate tab/window. Print the slides by clicking on the
printer icon.
FOR LIVE EVENT ONLY
IP, Tech & Data
Data Privacy and Cybersecurity Risks in M&A Deals: Pre-Planning, Due Diligence, and Risk Allocation Strategies
Presented by:
Kimberly J. Gold, Partner, Reed Smith LLP, New York, NY
February 5, 2020
Reed Smith
Kimberly J. Gold
6
Partner
Reed Smith LLP
New York
+1 212 549 4650
Kim's practice focuses on data privacy, digital health, and
complex transactional matters (including M&A, private
equity, and technology transactions). She advises clients
in the life sciences, health care, retail, and technology
industries on corporate governance, privacy compliance,
cybersecurity incident planning and response, research
and big data initiatives, and government investigations.
Kim regularly counsels clients on data privacy and
cybersecurity issues relevant to:
• Federal, state, and global laws (e.g., HIPAA, state
health care privacy laws, GDPR, CCPA, TCPA, and
more);
• Digital transformation and innovation, including research
collaborations, data sharing/analytics, and AI;
• Advertising and marketing;
• Health information technology and telemedicine; and
• Cloud services, mobile apps, and connected devices
Reed Smith
Overview of the M&A process: stages
Early Stages of the Deal
Negotiation and Closing
7
Indication of Interest
Management Meetings
Letter of Intent/Term
Sheet (exclusivity)
Due Diligence
Negotiation/ Execution of Transaction Documents
Interim Period
ClosingPost-
Closing
Reed Smith
What is due diligence?
8
Reed Smith
What is due diligence? (cont’d)
• The process of obtaining, reviewing and analyzing
information concerning a business enterprise.
• We perform diligence for either buyers, sellers, or institutional
investors / underwriters.
• Buy-side due diligence is much more common.
• Vendor due diligence reports are sometimes provided to
potential buyers or bidders.
• We may perform sell-side diligence to ensure that our clients’
representations and warranties and related schedules are
correct and to understand issues that may affect contract
negotiations.
9
Reed Smith
Diligence: objectives
• Identify structural and business characteristics
of the target that might impact the deal
• Provide information that affects the purchase
agreement
• Provide information that informs post-closing
management and mitigation of risk, liability or
expense
10
Reed Smith
Due Diligence: The typical process
11
Submit questionnaires to the target
Document review
Submit supplemental questions depending on review results
Interview responsible representatives of target
Providing detailed memorandum or shorter red flags report
?
Reed Smith
Things deal teams need to identify
• Anything that extends the time to close
the transactions or accomplish full
separation
• Material liabilities
• Reputational issues
• Terms of material contracts
12
Reed Smith
Privacy/Security Questions and Requests
Generally, the goal is to understand:
1. How personal information is collected,
used, stored, disclosed, and otherwise
processed
2. What privacy and security laws the target
or the personal information it collects may
be subject to
3. Any red flag issues (e.g., data breaches,
regulatory investigations)
13
Reed Smith
Sidebar: can the target/seller disclose PI during diligence?
• HIPAA: “. . .sale, transfer, merger, or consolidation of
all or part of the covered entity with another covered
entity, or an entity that following such activity will
become a covered entity and due diligence related to
such activity . . . .” 45 C.F.R. 164.501(iv)
• GDPR: Legitimate interest?
• CCPA: “The business transfers to a third party the
personal information of a consumer as an asset that
is part of a merger, acquisition, bankruptcy, or other
transaction. . . .”
14
Reed Smith
Data room and public facing material review
15
Contracts with Vendors,
Suppliers, and Clients
Business Association Agreements
(BAAs)
Data Processing Agreements
Policies and Procedures
Documentation of Security incidents
Compliance documents
Employee Training
Documents
Any Documents indicating Data
Flows/Data Mapping
Reed Smith
Due Diligence Interview
• Goal: get a deeper understanding of answers to
due diligence questionnaire. For example:
• What are the purposes for collecting and/or processing
personal information?
• Does the target further disclose any personal
information it receives? To whom?
• Follow up on any red flag
or outstanding issues.
16
Reed Smith
Rolling it up into a final analysis and recommendations
• Did diligence identify material risks, liabilities,
contingencies in the context of the overall proposed
transaction?
• What is the level of confidence in the facts or issues
that were described in the final diligence read-out’s
and reports? i.e., should the buyer have confidence
that assurances and representations to no incidents,
compliance with laws, etc. are reliable?
• What gaps in readiness, incident investigation or
response, or compliance need to be addressed in
agreement and schedules? Seller’s pre-closing
behaviors? Post-closing?17
Reed Smith
Allocating data privacy and cybersecurity risks when drafting and negotiating transaction documents
18
Reed Smith
The definitive agreement
Representations and Warranties
Lookback Periods
Definitions
Disclosure Schedules
19
Reed Smith20
Representations and warranties
• What are they?
• Common privacy and security reps &
warranties:
• Compliance with laws
• No data breach, complaint about PI use,
regulatory investigation, etc.
• Lawful rights to use data
• Contracts with third parties
Reed Smith21
Reps & warranties – allocating risk . . .
• Lookback periods
• 5 years? 3 years? 1 year?
• Defined terms
• How specific do you want to get?
• Materiality and knowledge
qualifiers
• Disclosure schedules
• 10b-5 disclosures
Reed Smith22
Indemnity provisions
• Baskets
• Caps
• Special
indemnities
Reed Smith23 Introduction to Smart Contracts
Insurance
• Reps & Warranties
insurance
• What is the role of cyber
insurance in mitigating
identified expense, loss, or
risk?
Reed Smith24 Introduction to Smart Contracts
Other provisions of note
Less common issues for
privacy/cybersecurity but. . .
• Covenants
• Closing conditions
Reed Smith
ABU DHABI
ATHENS
AUSTIN
BEIJING
CENTURY CITY
CHICAGO
DUBAI
FRANKFURT
HONG KONG
HOUSTON
KAZAKHSTAN
LONDON
LOS ANGELES
MIAMI
MUNICH
NEW YORK
PARIS
PHILADELPHIA
PITTSBURGH
PRINCETON
RICHMOND
SAN FRANCISCO
SHANGHAI
SILICON VALLEY
SINGAPORE
TYSONS
WASHINGTON, D.C.
WILMINGTON
reedsmith.com
This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only.
“Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2018
Reed Smith is a dynamic international law firm, dedicated to helping clients move their businesses forward.
Our belief is that by delivering smarter and more creative legal services, we will not only enrich our clients’
experiences with us, but also support them in achieving their business goals.
Our long-standing relationships, international outlook, and collaborative structure make us the go-to partner for the
speedy resolution of complex disputes, transactions, and regulatory matters.
For further information, please visit reedsmith.com
.
25 1/31/2020[Insert > Header and Footer to change footer text]25
Real Risks, Practical Solutions
Alan Brill, Senior Managing Director
Cyber Risk
Data Privacy and Cyber Security
Due Diligence in M&A DealsFebruary 5, 2020
The Problem:
Why has “Cyber”Become So Important?
27
When you or your client want to……
✓Expand into a new business geography
✓ Increase market share
✓Neutralize competition
✓ Improve technology and systems
✓Acquire a new customer base or BI data
WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?
28
What’s the Cyber Risk in an M&A Transaction
❑Theft of intellectual property and trade secrets?
❑Loss of sensitive business information and strategies?
❑Loss of customer / employee data and damages to reputation and employee / consumer confidence?
❑Litigation and compliance risks?
❑Remedial expenditures?
❑Loss of shareholder value?
❑ (Not counting compromise of data on the deal itself!)
29
Kroll’s Experience and Advice
Lessons Learned in a Changing Technology Environment
30
Kroll’s Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
▪ Phase 1: Target risk evaluation
− Identify key InfoSec risk facing business
− Identify key risks arising from business partners and outsourcing
− Set up team to review data and processes
▪ Phase 2: Deal and response diligence
− Deal diligence on key players and assets
− Technical response review of assurances
• Phase 3: Pre closing network diligence
− Endpoint Threat Monitoring and analysis
− Security controls review
• Phase 4: Post purchase implementation
− Incident response planning
− Table top exercise (TTX)
31
Phase 1. Target Evaluation
▪ Identify the InfoSec risks facing the target
▪ Data risks, Regulatory risk, Partner/Outsourcing risks
▪ Incident history
▪ Develop the data security team involvement. Is there a CISO? Chief Privacy Officer?
▪ Identification of integration issues and constraints
▪ Is there existing cyber insurance?
▪ Define roles with transaction team
▪ Implement secure communications approach
▪ Identify outside expertise needs
▪ Are you protecting information relating to the M&A activity?
32
Phase 2: Pre-Signature
▪ Development of diligence approach
▪ Diligence workup on key players and
corporate assets
▪ Coordinate with legal assessment to
identify requirements for additional
analysis including international risks
(e.g. GDPR, CCPA)
33
Phase 3: Pre-Closing
• Consider Endpoint Threat Monitoring and Analysis on Acquired/Integrated Systems−Used to understand how the enterprise controls
unknown software inside its environment o Not just looking for known malware
−Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
−Review all running binaries and processes
−Corroborate patching processes and find significant vulnerabilitieso The objective is to identify risk factors and mitigate
them to the extent possible.
34
Phase 3: Pre-Closing
• Security Controls Review
−Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
−Differentiate actual security practices from standards that turn out to be “aspirational”
−Review the governance and structure of the target’s InfoSec response
35
Phase 4: Post-Closing
▪ Integration TTX
▪ Review incident response plan
▪ ID and brief changes
▪ Interview key stakeholders
▪ Develop scenarios
▪ Deliver TTX with old and new teams
36
In Summary…
▪ It is a brave new world, and cyber risks present an increasing risk to value and liability in mergers, acquisitions and investment transactions
▪ You would never invest in a house without an appropriate inspection
▪ Information security involvement as part of the deal team is key
▪ Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provides value through each phase of the transaction, is of significant value in due diligence
37
For more information about our global
locations and services, please visit:
www.kroll.com
About Kroll
Kroll is the leading global provider of risk solutions. For more than 45 years, Kroll has helped clients make confident risk management decisions
about people, assets, operations and security through a wide range of investigations, cyber security, due diligence and compliance, physical and
operational security, and data and information management services. For more information, visit www.kroll.com.
About Duff & Phelps
Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance,
investigations, disputes, cyber security, compliance and regulatory matters, and other governance-related issues. We work with clients across
diverse sectors, mitigating risk to assets, operations and people. With Kroll, a division of Duff & Phelps since 2018, our firm has nearly 3,500
professionals in 28 countries around the world. For more information, visit www.duffandphelps.com.
38