Insights / June 18th, 2015

Buying into a hack attack: Will your DD save you?

So much of the value of businesses today lies in their IP and their data, including confidential information about their customers. Most businesses are critically reliant on the effective and secure operation of their IT systems. Hackers know this of course. ‘Break and enter’ has a whole new meaning. Why risk capture trying to blow a safe door in a bank when you can do the job in the comfort of your own room, in a far distant place? Why steal one wallet when you can steal a million credit card details because someone has a sloppy IT security system?

Suffering an IT hack attack can impact greatly on a company’s reputation, value and legal position. Hackers can be like leeches, clinging to a business for as long as necessary to suck the valuable information out of it. If a hacker is able to access the data of a company, all of its confidential information, secret IP and know-how are at risk of misuse by criminals or exposure to competitors anywhere in the world. Sony, EBay and Target are just some of the companies that have endured recent cyber attacks. The disclosure to their customers and to the public of the security breaches hammered their reputations and their customer goodwill.

What does this have to do with corporate transactions, including due diligence (DD)? Plenty, it turns out.

How would you (or your shareholders) feel if you just completed a purchase of a business and then found out that it had been the subject of a cyber infiltration? Maybe you bought the business for what you thought was its secret IP or its high brand reputation or customer loyalty (ie goodwill). What if after completion, you discovered that your competitor, for no more than it paid some 17 year old hacker, had acquired all the IP you just paid a lot of money for? Or what if you had to tell all those loyal customers whose goodwill you just purchased, that all of their personal information, including their credit card details, had been stolen by criminals somewhere?

Leading Australian telco, Telstra, has just experienced this first hand. It completed its $856 million acquisition of the Asian telecoms provider Pacnet Limited and in the settlement process, found out that Pacnet had been subject to a sustained infiltration of its corporate IT network, including its email system. We don’t know the value of the damage done but the PR impact has been less than ideal. To borrow an old industry phrase, ‘Not happy Jan’.

How does a potential buyer discover this issue in the target in a timely way? Identifying a system security breach in a DD process, by its very nature, is not easy. A long time may pass before the presence of a hacker is detected. Most targets will not give buyers complete access to their IT systems during DD. Many times, targets themselves are unaware of the hack. In other cases, they may be aware but fail to inform the buyers.

A thorough IT systems focussed DD process is imperative in all transactions where a cyber breach would have a detrimental impact (are there any deals now where that is not the case?). A ‘standard DD checklist’ is likely to be inadequate. Especially where IT systems and data are critical and complex, you should involve an IT systems expert in your DD structuring and execution. Consider carefully the level of information you need concerning system security structures and procedures and the measures in place to prevent or detect infiltrations. Obviously, ask for full information about any prior breaches and actions taken in consequence and seek your IT expert’s advice on what level of system access you ought to be given by the target to carry out reasonable DD.

Even the best DD may not enable a buyer to uncover a hack. As a second line of defence buyers should ensure that the purchase or other transaction document contains solid warranties. Especially where a system breach could have high negative value impact, we recommend to buyers that those warranties should not be qualified by knowledge or be subject to caps or baskets or time limitations. The financial detriment resulting from unauthorised third-party access to a company’s IT systems can be extensive and it may be difficult to predict or quantify the exact measure of damage or loss. For this reason, indemnity clauses with respect to protection of IP and IT need to be comprehensive. Consider also the suitability of warranty and indemnity insurance.

Cowell Clarke has extensive experience in assisting parties in corporate transactions to address these issues at the transaction structuring phase, in due diligence and in contract drafting. If you are planning a corporate transaction and require assistance, please contact us.

Related Expertise