Mitigating Cyber Issues in M&A
1 like252 views
This document outlines a webcast on mitigating cyber issues in mergers and acquisitions (M&A), featuring industry experts discussing cyber security challenges, due diligence, and risk management strategies. Key topics include the importance of cyber insurance, vendor risks, and preventive measures for organizations, particularly focusing on small-to-mid-sized companies which are more vulnerable to cyber attacks. The panelists bring extensive experience from different sectors, providing insights into best practices for safeguarding against cyber threats during business transactions.
Mitigating Cyber Issues in M&A
- 1. Moderator: Alexander B. Kasdan, Senior Managing Director, DelMorgan & Co. Panel: • Mike Goldgof, Vice President, Marketing, WhiteHat Security • Greg Reber, Founder and CEO, Astech • James M. Westerlind, Counsel, Arent Fox LLP • Ben Collins, Director of Strategy and Product Marketing, Intralinks © Copyright 2017 Expert Webcast – All Rights Reserved MITIGATING CYBER ISSUES IN M&A September 26, 2017
- 2. 1 Expert Webcast is a sophisticated source of expertise for the professional and the business communities locally, nationally and cross-border. Producing the industry’s leading webcast panels covering corporate, M&A, restructuring and finance topics, Expert Webcast features foremost experts in law accounting and finance, and addresses timely and relevant issues faced by general counsel, C-level executives, boards of directors, business owners and their advisors, as well as institutional investors. We welcome you to join our upcoming video webcasts or visit our on- demand library to access recorded programs: www.expertwebcast.com.
- 3. 2 MODERATOR: Alexander B. Kasdan, Senior Managing Director, DelMorgan & Co., brings more than twenty years of senior-level Wall Street advice to middle market companies, entrepreneurs and institutional investors. He has extensive experience in investment banking, corporate law and restructuring at world’s leading firms, including Credit Suisse First Boston, O’Sullivan Graev & Karabell LLP (now O'Melveny & Myers LLP), Battle Fowler LLP (now Paul Hastings LLP) and Schlumberger Ltd., and as a founding partner of Convergence Capital Partners. Alex has worked on more than 100 domestic and cross-border transactions in North America, Europe and Africa. Alex is a Senior Advisor to Governance and Transactions LLC, an advisory firm established in 2003 by Mr. James L. Gunderson, former Secretary and General Counsel of Schlumberger Limited, to assist boards, management and owners with corporate governance, compliance, structuring and strategic transactions. Alex is a frequent moderator and an interviewer at Expert Webcast roundtable discussions attracting business leaders and leading professionals from around the world. Alex graduated magna cum laude from Middlebury College with a B.A. degree in Economics and Italian and was elected to Phi Beta Kappa during his junior year. In addition, he holds a J.D. degree from Columbia University Law School and has studied at the University of Florence in Italy. 100 Wilshire Blvd. Suite 750 Santa Monica, CA 90401 +1 310 980 1718 mobile +1 310 935 3826 office ak@delmorganco.com www.delmorganco.com
- 4. 3 Panelist: Mike Goldgof, Vice President, Marketing, WhiteHat Security, brings over 20 years of executive experience in marketing and product management to WhiteHat where he is responsible for all marketing activities. His previous experience includes senior roles in marketing, product management and business development with information security, software and telecom companies, including Juniper Networks, Hifn, Phoenix Technologies and Lucent. At WhiteHat Security, Mike is responsible for product messaging, solutions content, sales enablement and go-to-market strategies. He holds an MBA in Marketing from Columbia Business School and an MS in Electrical Engineering from Cornell University. Direct: +1.408.343.8393 Mobile: +1.650.799.7423 michael.goldgof@whitehatsec.com www.whitehatsec.com
- 5. 4 Panelist: Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. Since its founding in 1997, AsTech has established itself as a leading cyber security risk management firm dedicated to helping organizations discover and remediate vulnerabilities in their Internet applications, infrastructure and critical systems. AsTech has a well-established Mergers & Acquisitions (M&A) Technology and Security Due Diligence practice offering either a Rapid Assessment, covering key areas and identifying potential risks, or a Comprehensive Assessment, involving greater in-depth analysis, testing and cost factors. For customers of its Paragon Security Program, AsTech offers a warranty of $5 million against damages from data breaches, making it the largest monetary guarantee for cyber security products and services in the world. Greg has an engineering degree from the University of Maryland and started his career as an aerospace engineer, then subsequently served as an international trade consultant in the aeronautical industry. He is a member of a number of professional organizations including the Computer Security Institute (CSI), Information Systems Audit and Control Association (ISACA) and the Open Web Application Security Project (OWASP). 700 Larkspur Landing Circle Suite 199 Larkspur, CA 94939 T 415.291.9911 C 415.786.7857 greg.reber@astechconsulting.com www.AstechConsulting.com
- 6. 5 Panelist: James M. Westerlind, Counsel at Arent Fox LLP, focuses on cyber risk issues, including insurance coverage and potential data breach liability for companies and their board members. His practice also focuses on resolving insurance and reinsurance disputes, including insurance and reinsurance coverage issues on behalf of policyholders and carriers. James has also represented brokers, agents, and MGAs in disputes with insurance and reinsurance carriers. James has substantial litigation experience in both state and federal trial courts within and outside of New York, representing plaintiffs and defendants in insurance and noninsurance disputes. In addition to insurance litigation, he has defended a number of prominent US companies in product liability actions. He has also defended toxic tort cases. He has first-chaired applications for emergency relief, evidentiary hearings for emergent relief, and contempt hearings. He tried a major jury trial in the Southern District of Florida, obtaining a jury verdict finding that a life insurance policy was valid and enforceable, despite the jury finding that the trust that owned the policy made material misrepresentations in the policy’s application and engaged in a civil conspiracy to defraud the insurance company and engage in a stranger-originated life insurance (STOLI) scheme. James holds a J.D. from St. John’s University School of Law and a Bachelor’s degree from State University of New York at Stony Brook. 1675 Broadway New York New York 10019 212-457-5462 james.westerlind@arentfox.com www.arentfox.com
- 7. 6 Panelist: Ben Collins, Director of Strategy and Product Marketing, Intralinks. As Director of Product Marketing, Mr. Collins is responsible for driving the growth of IntraLinks’ Corporate Development platform, including the company’s offerings for facilitating both buyside and sellside transactions. Prior to joining IntraLinks, Mr. Collins served as Director of Corporate Development for Cognizant Technology Solutions, a leading global provider of IT services solutions. While at Cognizant he was responsible for evaluating and executing a variety of strategic initiatives, but was primarily focused on driving growth through acquisitions. Before Cognizant, Mr. Collins was a Vice President with Innovation Advisors, a boutique investment bank focused on providing advisory services for mergers and acquisitions in the technology industry. He also worked at SG Cowen Securities in both their Corporate Finance and Mergers & Acquisitions practices. Mr. Collins graduated with honors from Harvard University with a B.A. in Government. 404 Wyman St. Suite 1000 Waltham, MA 02451 United States T +1-617-357-3660 M +1-617-388-2999 bcollins@intralinks.com www.intralinks.com
- 8. 7 MAJOR TOPICS: • Information security and decision making • Valuation issues • Identifying industry-specific security issues • Cyber due diligence • Buy v. Sell side • Potential post-transaction cyber liability • Risk mitigation • Preventative measures • Crisis management
- 9. 8 © 2017 WhiteHat Security, Inc. WhiteHat Security 1 2013 – 2017 LEADER in the Gartner Magic Quadrant for Application Security Testing (AST) Founded in 2001 320+ Employees 150+ Security Experts 800+ Active Customers 50,000+ Applications Scanned 92 Million+ Attack Vectors Detected SUPER 60 2017 Winner
- 10. 9 LA / NY / SF / DC / arentfox.com Expert Webcast: Cybersecurity Issues in M&A Presented by: James M. Westerlind Counsel, Arent Fox LLP September 26, 2017
- 11. 10 Value of Cyber Insurance • Provides coverage for risks not covered by CGL. • First- and third-party liability coverage. • Breach response coverage. • Cyber risk policies not uniform. 2
- 12. 11 Due Diligence for Buyer • Comprehensive privacy and information due diligence questionnaire. • Data security policies and procedures. • Vulnerability testing. • Types of personal identifiable information stored/maintained. • Types of insurance policies in force and limits. • Identify vendors, and what access they have to confidential data and PII. • Interview key officers and employees of seller. • Including CISO. • Review documents. • Cybersecurity policies and procedures; vulnerability assessments; penetration tests; vendor contracts; vendor audits; data incident reports; insurance policies (including cyber insurance). 3
- 13. 12 Seller Reps & Warranties • Tailored to the seller company’s industry and regulatory environment. • At minimum: • Seller (and its vendors) are in compliance with its written data security and privacy policies and procedures and applicable law. • Seller (and its vendors) are in conformance with industry practice with respect to data security. (May need specifics in certain industries). • The seller’s data security policies are enforced by the company and sufficient to reasonably ensure secure and proper access to the seller’s systems and data. 4
- 14. 13 Vendor Risks • Two-thirds of data breaches caused by third-party vendors. Ponemon Institute. • Target data breach – HVAC contractor. • Review the seller’s vendor contracts. • Sufficient confidentiality provisions? • Obligation for vendor to promptly inform company where its confidential data is at all times, and when and if it has been moved. • Obligation of vendor to immediately notify company of any actual or suspected data incident. • Obligation of vendor to cooperate with company if a data incident occurs that may involve the company’s confidential information. • Ability for company to control the investigation of a data incident. • Sufficient cyber insurance, with company named as an additional insured? 5
- 15. 14 Reps & Warranties Insurance Too • Most cyber insurance policies exclude reps & warranties made in an M&A transaction. • Purchase reps & warranties insurance specifically tailored to the transaction. 6
- 16. 15 M&A Provisions in Policies • Buyer’s Policies: • Usually automatic coverage for acquired company if revenues above a certain threshold for a period of time (60 days). • Only covers claim occurring after acquisition, not before. • Must notify insurer and pay extra premium to extend coverage afterwards. • Seller’s Policies: • Only applies to claims that occur prior to date of transaction. • Usually can be extended for claims made after transaction for prior incidents. Must make seller notify insurers in advance; ask for extended coverage and pay additional premium; and get endorsement extending coverage. 7
- 17. 16 Preventative Measures for Cyber Risks • Combined Legal and IT audits of company’s IT system. • Identify potential weaknesses. • Protect audit, findings and recommendations as privileged. • Train management (including CEO) and employees to avoid being victims. • Using more sophisticated passwords a must. 8
- 18. 17 Danger to Small-to-Mid-Sized Companies • 60% of the victims of cyber attacks in 2014 were small-to-mid-sized companies. 1/13/15 N.Y. Times Article: Entrepreneurship: No Business Too Small to be Hacked. • Smaller companies accept payment by credit cards. • Malware installed in retailer’s credit card processing system to collect credit card information – ATMs, gas pumps, groceries. 9
- 19. 18 Danger to Small-to-Mid-Sized Companies (cont’d) • Employee personal information. • Ransomware attacks on the rise. • Smaller companies often don’t have as sophisticated cyber security measures in place as larger companies – easier prey. 10