Data Privacy and Cybersecurity Risks in M&A

Deals: Pre-Planning, Due Diligence, and Risk

Allocation StrategiesMinimizing Impact of Cybersecurity Vulnerabilities on Transaction Value

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

WEDNESDAY, FEBRUARY 5, 2020

Presenting a live 90-minute webinar with interactive Q&A

Alan Brill, CIPP/US, Senior Managing Director, Kroll, Secaucus, N.J.

Kimberly J. Gold, CIPP/US, Partner, Reed Smith, New York

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-877-447-0294 and enter your Conference ID and PIN when prompted.

Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately

so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the ‘Full Screen’ symbol located on the bottom

right of the slides. To exit full screen, press the Esc button.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your

participation in this webinar by completing and submitting the Attendance

Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email

that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926

ext. 2.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the link to the PDF of the slides for today’s program, which is located

to the right of the slides, just above the Q&A box.

• The PDF will open a separate tab/window. Print the slides by clicking on the

printer icon.

FOR LIVE EVENT ONLY

IP, Tech & Data

Data Privacy and Cybersecurity Risks in M&A Deals: Pre-Planning, Due Diligence, and Risk Allocation Strategies

Presented by:

Kimberly J. Gold, Partner, Reed Smith LLP, New York, NY

February 5, 2020

Reed Smith

Kimberly J. Gold

6

Partner

Reed Smith LLP

New York

+1 212 549 4650

kim.gold@reedsmith.com

Kim's practice focuses on data privacy, digital health, and

complex transactional matters (including M&A, private

equity, and technology transactions). She advises clients

in the life sciences, health care, retail, and technology

industries on corporate governance, privacy compliance,

cybersecurity incident planning and response, research

and big data initiatives, and government investigations.

Kim regularly counsels clients on data privacy and

cybersecurity issues relevant to:

• Federal, state, and global laws (e.g., HIPAA, state

health care privacy laws, GDPR, CCPA, TCPA, and

more);

• Digital transformation and innovation, including research

collaborations, data sharing/analytics, and AI;

• Advertising and marketing;

• Health information technology and telemedicine; and

• Cloud services, mobile apps, and connected devices

Reed Smith

Overview of the M&A process: stages

Early Stages of the Deal

Negotiation and Closing

7

Indication of Interest

Management Meetings

Letter of Intent/Term

Sheet (exclusivity)

Due Diligence

Negotiation/ Execution of Transaction Documents

Interim Period

ClosingPost-

Closing

Reed Smith

What is due diligence?

8

Reed Smith

What is due diligence? (cont’d)

• The process of obtaining, reviewing and analyzing

information concerning a business enterprise.

• We perform diligence for either buyers, sellers, or institutional

investors / underwriters.

• Buy-side due diligence is much more common.

• Vendor due diligence reports are sometimes provided to

potential buyers or bidders.

• We may perform sell-side diligence to ensure that our clients’

representations and warranties and related schedules are

correct and to understand issues that may affect contract

negotiations.

9

Reed Smith

Diligence: objectives

• Identify structural and business characteristics

of the target that might impact the deal

• Provide information that affects the purchase

agreement

• Provide information that informs post-closing

management and mitigation of risk, liability or

expense

10

Reed Smith

Due Diligence: The typical process

11

Submit questionnaires to the target

Document review

Submit supplemental questions depending on review results

Interview responsible representatives of target

Providing detailed memorandum or shorter red flags report

?

Reed Smith

Things deal teams need to identify

• Anything that extends the time to close

the transactions or accomplish full

separation

• Material liabilities

• Reputational issues

• Terms of material contracts

12

Reed Smith

Privacy/Security Questions and Requests

Generally, the goal is to understand:

1. How personal information is collected,

used, stored, disclosed, and otherwise

processed

2. What privacy and security laws the target

or the personal information it collects may

be subject to

3. Any red flag issues (e.g., data breaches,

regulatory investigations)

13

Reed Smith

Sidebar: can the target/seller disclose PI during diligence?

• HIPAA: “. . .sale, transfer, merger, or consolidation of

all or part of the covered entity with another covered

entity, or an entity that following such activity will

become a covered entity and due diligence related to

such activity . . . .” 45 C.F.R. 164.501(iv)

• GDPR: Legitimate interest?

• CCPA: “The business transfers to a third party the

personal information of a consumer as an asset that

is part of a merger, acquisition, bankruptcy, or other

transaction. . . .”

14

Reed Smith

Data room and public facing material review

15

Contracts with Vendors,

Suppliers, and Clients

Business Association Agreements

(BAAs)

Data Processing Agreements

Policies and Procedures

Documentation of Security incidents

Compliance documents

Employee Training

Documents

Any Documents indicating Data

Flows/Data Mapping

Reed Smith

Due Diligence Interview

• Goal: get a deeper understanding of answers to

due diligence questionnaire. For example:

• What are the purposes for collecting and/or processing

personal information?

• Does the target further disclose any personal

information it receives? To whom?

• Follow up on any red flag

or outstanding issues.

16

Reed Smith

Rolling it up into a final analysis and recommendations

• Did diligence identify material risks, liabilities,

contingencies in the context of the overall proposed

transaction?

• What is the level of confidence in the facts or issues

that were described in the final diligence read-out’s

and reports? i.e., should the buyer have confidence

that assurances and representations to no incidents,

compliance with laws, etc. are reliable?

• What gaps in readiness, incident investigation or

response, or compliance need to be addressed in

agreement and schedules? Seller’s pre-closing

behaviors? Post-closing?17

Reed Smith

Allocating data privacy and cybersecurity risks when drafting and negotiating transaction documents

18

Reed Smith

The definitive agreement

Representations and Warranties

Lookback Periods

Definitions

Disclosure Schedules

19

Reed Smith20

Representations and warranties

• What are they?

• Common privacy and security reps &

warranties:

• Compliance with laws

• No data breach, complaint about PI use,

regulatory investigation, etc.

• Lawful rights to use data

• Contracts with third parties

Reed Smith21

Reps & warranties – allocating risk . . .

• Lookback periods

• 5 years? 3 years? 1 year?

• Defined terms

• How specific do you want to get?

• Materiality and knowledge

qualifiers

• Disclosure schedules

• 10b-5 disclosures

Reed Smith22

Indemnity provisions

• Baskets

• Caps

• Special

indemnities

Reed Smith23 Introduction to Smart Contracts

Insurance

• Reps & Warranties

insurance

• What is the role of cyber

insurance in mitigating

identified expense, loss, or

risk?

Reed Smith24 Introduction to Smart Contracts

Other provisions of note

Less common issues for

privacy/cybersecurity but. . .

• Covenants

• Closing conditions

Reed Smith

ABU DHABI

ATHENS

AUSTIN

BEIJING

CENTURY CITY

CHICAGO

DUBAI

FRANKFURT

HONG KONG

HOUSTON

KAZAKHSTAN

LONDON

LOS ANGELES

MIAMI

MUNICH

NEW YORK

PARIS

PHILADELPHIA

PITTSBURGH

PRINCETON

RICHMOND

SAN FRANCISCO

SHANGHAI

SILICON VALLEY

SINGAPORE

TYSONS

WASHINGTON, D.C.

WILMINGTON

reedsmith.com

This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only.

“Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2018

Reed Smith is a dynamic international law firm, dedicated to helping clients move their businesses forward.

Our belief is that by delivering smarter and more creative legal services, we will not only enrich our clients’

experiences with us, but also support them in achieving their business goals.

Our long-standing relationships, international outlook, and collaborative structure make us the go-to partner for the

speedy resolution of complex disputes, transactions, and regulatory matters.

For further information, please visit reedsmith.com

.

25 1/31/2020[Insert > Header and Footer to change footer text]25

Real Risks, Practical Solutions

Alan Brill, Senior Managing Director

Cyber Risk

Data Privacy and Cyber Security

Due Diligence in M&A DealsFebruary 5, 2020

The Problem:

Why has “Cyber”Become So Important?

27

When you or your client want to……

✓Expand into a new business geography

✓ Increase market share

✓Neutralize competition

✓ Improve technology and systems

✓Acquire a new customer base or BI data

WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?

28

What’s the Cyber Risk in an M&A Transaction

❑Theft of intellectual property and trade secrets?

❑Loss of sensitive business information and strategies?

❑Loss of customer / employee data and damages to reputation and employee / consumer confidence?

❑Litigation and compliance risks?

❑Remedial expenditures?

❑Loss of shareholder value?

❑ (Not counting compromise of data on the deal itself!)

29

Kroll’s Experience and Advice

Lessons Learned in a Changing Technology Environment

30

Kroll’s Approach to the M&A Cyber Challenge

At all stages of the deal process, there is a continuum of cyber-risk management need.

▪ Phase 1: Target risk evaluation

− Identify key InfoSec risk facing business

− Identify key risks arising from business partners and outsourcing

− Set up team to review data and processes

▪ Phase 2: Deal and response diligence

− Deal diligence on key players and assets

− Technical response review of assurances

• Phase 3: Pre closing network diligence

− Endpoint Threat Monitoring and analysis

− Security controls review

• Phase 4: Post purchase implementation

− Incident response planning

− Table top exercise (TTX)

31

Phase 1. Target Evaluation

▪ Identify the InfoSec risks facing the target

▪ Data risks, Regulatory risk, Partner/Outsourcing risks

▪ Incident history

▪ Develop the data security team involvement. Is there a CISO? Chief Privacy Officer?

▪ Identification of integration issues and constraints

▪ Is there existing cyber insurance?

▪ Define roles with transaction team

▪ Implement secure communications approach

▪ Identify outside expertise needs

▪ Are you protecting information relating to the M&A activity?

32

Phase 2: Pre-Signature

▪ Development of diligence approach

▪ Diligence workup on key players and

corporate assets

▪ Coordinate with legal assessment to

identify requirements for additional

analysis including international risks

(e.g. GDPR, CCPA)

33

Phase 3: Pre-Closing

• Consider Endpoint Threat Monitoring and Analysis on Acquired/Integrated Systems−Used to understand how the enterprise controls

unknown software inside its environment o Not just looking for known malware

−Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence

−Review all running binaries and processes

−Corroborate patching processes and find significant vulnerabilitieso The objective is to identify risk factors and mitigate

them to the extent possible.

34

Phase 3: Pre-Closing

• Security Controls Review

−Determine whether the target is actually implementing key measures to protect against persistent targeted attacks

−Differentiate actual security practices from standards that turn out to be “aspirational”

−Review the governance and structure of the target’s InfoSec response

35

Phase 4: Post-Closing

▪ Integration TTX

▪ Review incident response plan

▪ ID and brief changes

▪ Interview key stakeholders

▪ Develop scenarios

▪ Deliver TTX with old and new teams

36

In Summary…

▪ It is a brave new world, and cyber risks present an increasing risk to value and liability in mergers, acquisitions and investment transactions

▪ You would never invest in a house without an appropriate inspection

▪ Information security involvement as part of the deal team is key

▪ Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provides value through each phase of the transaction, is of significant value in due diligence

37

For more information about our global

locations and services, please visit:

www.kroll.com

About Kroll

Kroll is the leading global provider of risk solutions. For more than 45 years, Kroll has helped clients make confident risk management decisions

about people, assets, operations and security through a wide range of investigations, cyber security, due diligence and compliance, physical and

operational security, and data and information management services. For more information, visit www.kroll.com.

About Duff & Phelps

Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance,

investigations, disputes, cyber security, compliance and regulatory matters, and other governance-related issues. We work with clients across

diverse sectors, mitigating risk to assets, operations and people. With Kroll, a division of Duff & Phelps since 2018, our firm has nearly 3,500

professionals in 28 countries around the world. For more information, visit www.duffandphelps.com.

38

Thank You

Alan Brill, CIPP/US

abrill@kroll.com

39