Data Privacy and Cybersecurity Due Diligence in M&A Deals

Transcription

1 Presenting a live 90-minute webinar with interactive Q&A Data Privacy and Cybersecurity Due Diligence in M&A Deals Identifying Vulnerabilities, Drafting Data-Related Provisions in M&A Agreements, Post-Acquisition Data Integration Considerations THURSDAY, OCTOBER 9, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Roberta D. Anderson, Partner, K&L Gates, Pittsburgh Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J. Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 Continuing Education Credits FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: In the chat box, type (1) your company name and (2) the number of attendees at your location Click the SEND button beside the box If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at ext. 35.

4 Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

5 Privacy & Data Security in M&A Transactions Gerard M. Stegmaier Partner 2013 Goodwin Procter LLP

6 6

7 7

8 Fiduciary Duties of Directors Goodwin Procter LLP 8

9 Class Action Lawsuits Goodwin Procter LLP 9

10 Employee Privacy Goodwin Procter LLP 10

11 Due Diligence The process of asking questions and assessing and quantifying risk in order to allocate it intentionally. Goodwin Procter LLP 11

12 Principal Risk Areas Liability Reputation Integration Goodwin Procter LLP 12

13 Managing Risk Identify Risk Shift Risk Mitigate Risk Accept Risk Goodwin Procter LLP 13 13

14 Asset Acquisitions: Common Features Buyer purchases some or all assets of the Target Neither ownership nor existence of Target is affected (i.e., Target shareholders continue to own their stock) Goodwin Procter LLP 14

15 Stock Acquisitions: Common Features Buyer purchases stock of the Target from the Target s shareholders All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing) Because liabilities are acquired as well, due diligence and contractual protections should be more comprehensive, BUT fewer third party consents will be likely Goodwin Procter LLP 15

16 Merger One company is merged with and into another, which is the Survivor All assets and liabilities of the merged company succeed to, and are held by, the Survivor Goodwin Procter LLP 16

17 Common Merger Types Direct merger Forward triangular merger Reverse triangular merger Goodwin Procter LLP 17

18 Common Negotiation Considerations Knowledge Materiality Laws Personal Information Remedies Goodwin Procter LLP 18

19 8 Questions for Privacy Pros in Transactions What is the relationship between the diligence information sought and the transaction (both now and in the future)? Do I know what the deal is about and what my clients care about (or should care about)? Am I being a problem solver rather than a problem spotter or administrator? Is privacy material in this deal? How? Do I know why this matters? Goodwin Procter LLP 19

20 8 Questions for Privacy Pros in Transactions What effect do qualifiers such as knowledge or MAE have on diligence? On the seller s representations and risk allocations? Should identified issues or risks be included on disclosure schedules? What tools are available to manage privacy risks to help the parties complete a transaction? Escrows? What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned? Goodwin Procter LLP 20

21 GERARD M. STEGMAIER, ESQ., PARTNER Contact Information: 901 New York Avenue, NW Washington, DC Goodwin Procter LLP 21

22 Data Privacy and Cyber Security Due Diligence in M&A Deals Alan Brill, CISSP, CFE, CIPP/US, FAAFS October 9, Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

23 1 The Problem: Why has Cyber Become So Important? A Quick Introduction 23 Data Privacy and Data Cybersecurity Privacy and Cybersecurity Due Diligence in Due M&A Diligence Deals in Alan M&A Briill Deals Alan Briill

24 When you or your client wants to Expand into a new business area Increase market share Neutralize competition Improve technology and systems Acquire a new customer base or BI data WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN? 24 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

25 You Want to Know (BEFORE, not After.) September, 2013 February, Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

26 You Want to Know (BEFORE, not After.) August, 2014 September, Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

27 What s the Cyber Risk in an M&A Transaction Theft of intellectual property and trade secrets? Loss of sensitive business information and strategies? Loss of customer / employee data and damages to reputation and employee / consumer confidence? Litigation and compliance risks? Remedial expenditures? Loss of shareholder value? (Not counting compromise of data on the deal itself!) 27 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

28 2 Kroll s Experience and Advice 28 Data Privacy and Data Cybersecurity Privacy and Cybersecurity Due Diligence in Due M&A Diligence Deals in Alan M&A Briill Deals Alan Briill

29 Kroll s Approach to the M&A Cyber Challenge At all stages of the deal process, there is a continuum of cyber-risk management need. Phase 1: Target risk evaluation Identify key InfoSec risk facing business Set up team to review data and processes Phase 2: Deal and response diligence Deal diligence on key players and assets Technical response review of assurances Phase 3: Pre closing network diligence Endpoint Threat Monitoring and analysis Security controls review Phase 4: Post purchase implementation Incident response planning incident Table top exercise (TTX) 29 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

30 Phase 1. Target Evaluation Identify the InfoSec risks facing the target Data risks Regulatory risk Develop the data security team involvement Identification of integration issues and constraints Define roles with transaction team Implement secure communications approach Identify outside expertise needs 30 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

31 Phase 2: Pre-Signature Development of diligence approach Kroll diligence workup on key players and corporate assets Assistance to review technical InfoSec reporting on pre-signing actions: Covenants, representations, and warranties Licenses, vendors, business associates Indemnification, limits, and basket Divestment triggers Avoidance of knowledge qualifiers Use of Material Adverse Security Effect 31 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

32 Phase 3: Pre-Closing Endpoint Threat Monitoring and Analysis Used to understand how the enterprise controls unknown software inside its environment o Not just looking for known malware Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence Review all running binaries and processes Corroborate patching processes and find significant vulnerabilities o A two week process 32 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

33 Phase 3: Pre-Closing Security Controls Review Determine whether the target is actually implementing key measures to protect against persistent targeted attacks Review the governance and structure of the target s InfoSec response 33 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

34 Phase 4: Post-Closing Integration TTX Review information response plan ID and brief changes Interview key stakeholders Develop scenarios Deliver TTX with old and new teams 34 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

35 In Summary It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions You will never invest in a house without an appropriate inspection Information security involvement as part of the deal team is key Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provides value through each phase of the transaction, is of significant value in due diligence 35 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

36 Alan Brill, CISSP, CFE, CIPP/US, FAAFS Senior Managing Director Kroll Cyber Security & Investigations T Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

37 Data Privacy and Cybersecurity Due Diligence in M&A Deals The Importance of Insurance Coverage Roberta D. Copyright 2013 by K&L Gates LLP. All rights reserved. October 9, 2014

38 AGENDA The Importance Of Timing What To Look For In An Insurance Audit Potential Coverage Under Legacy Policies Limitations Of Legacy Insurance Policies Cutting Edge Cyber Insurance M&A Insurance Provisions A Word About Vendor Contracts 38

39 THE IMPORTANCE OF TIMING 39 Copyright 2013 by K&L Gates LLP. All rights reserved.

40 THE IMPORTANCE OF TIMING Advanced Attacks Go Undiscovered For A Median 229 Days A Merger/Acquisition May Close Before The Attack Is Discovered Resulting In Substantial Post-Closing Liability 40

41 WHAT TO LOOK FOR IN AN INSURANCE AUDIT 41 Copyright 2013 by K&L Gates LLP. All rights reserved.

42 POTENTIAL COVERAGE UNDER LEGACY POLICIES 42 Copyright 2013 by K&L Gates LLP. All rights reserved.

43 POTENTIAL COVERAGE UNDER LEGACY POLICIES Directors and Officers (D&O) Errors and Omissions (E&O)/Professional Liability Employment Practices Liability (EPL) Fiduciary Liability Crime Property? Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy) Commercial General Liability (CGL)? 43

44 POTENTIAL COVERAGE UNDER LEGACY POLICIES Coverage B provides coverage for damages because of personal and advertising injury Personal and Advertising Injury is defined in part as injury arising out of [o]ral or written publication, in any manner, of material that violates a person s right of privacy What is a Person s Right of Privacy? What is a Publication? 44

45 LIMITATIONS OF LEGACY INSURANCE POLICIES 45 Copyright 2013 by K&L Gates LLP. All rights reserved.

46 LIMITATIONS OF LEGACY INSURANCE POLICIES ISO states that when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. 46

47 LIMITATIONS OF LEGACY INSURANCE POLICIES 47

48 LIMITATIONS OF LEGACY INSURANCE POLICIES cv cv 48

49 CUTTING EDGE CYBER INSURANCE 49 Copyright 2013 by K&L Gates LLP. All rights reserved.

50 back klgates.com 50

51 CUTTING EDGE CYBER INSURANCE Privacy And Network Security Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured s network, and other network security threats Regulatory Liability Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties Crisis Management Media Liability Provides coverage for forensics experts to determine the cause of the breach, notify individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking) 51

52 CUTTING EDGE CYBER INSURANCE Network Interruption And Extra Expense (and CBI) Coverage lost business income and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken). Information Asset Coverage Extortion Coverage for damage to or theft of the insured s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data. Coverage for losses resulting from extortion (payments of an extortionist s demand to prevent network loss or implementation of a threat). Emerging Market For First-Party Property Damage Emerging Market For Third-Party Bodily Injury and Property Damage Coverage 52

53 CUTTING EDGE CYBER INSURANCE Defense And Indemnity For Claims Regulatory Defense, Fines And Penalties Crisis Management 53

54 54

55 55

56 BEWARE THE FINE PRINT 56

57 M&A INSURANCE PROVISIONS 57 Copyright 2013 by K&L Gates LLP. All rights reserved.

58 M&A INSURANCE PROVISIONS 58

59 M&A INSURANCE PROVISIONS 59

60 M&A INSURANCE PROVISIONS ***** 60

61 A WORD ABOUT VENDOR CONTRACTS 61 Copyright 2013 by K&L Gates LLP. All rights reserved.

62 A WORD ABOUT VENDOR CONTRACTS Be specific Who is responsible for securing stored data? Data in motion? Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls Who has access and to which parts to various parts of the organizations network? What are the required cybersecurity standards? Dovetail Vendor Contracts With Insurance Contracts 62

63 Linkedin: robertaandersonesq Insurance Thought Leadership 63