WannaCry and Petya: Why Attention Should be Devoted to IT Security in Corporate Due Diligence
July 24, 2017
It's not every day that a company’s corporate information assets are seized and held for ransom. But it’s becoming more and more prevalent, making information technology (IT) security a real concern for companies, and for companies looking to buy or invest in other companies. In fact, evaluating IT security should be on par with evaluating any other material business function, like employment practices, financial accounting, tax reporting, intellectual property policies, and environmental compliance.
The "WannaCry" and “Petya” attacks
In May 2017, over 300,000 computers in 150 countries were infected by a malicious software attack dubbed "WannaCry." "WannaCry" is a type of computer intrusion known as ransomware. Ransomware is malicious software that, once running on a computer, encrypts the data on that computer and blocks access to it unless a ransom is paid, often in Bitcoin, which is difficult to trace. The software can spread across a network, jumping from machine to machine and crippling a company's computer systems by restricting access to valuable data on its network servers. It can enter a company's internal systems in a variety of ways. One common route is phishing, a form of social engineering in which an intruder uses e-mail disguised as coming from a trustworthy source to obtain sensitive information from computer users, such as usernames or passwords, or to induce them to download malicious software. "WannaCry" did not rely on phishing, however: it spread on its own by exploiting a flaw in the Windows SMBv1 file-sharing protocol, so a single unpatched machine reachable on the network could be infected without any action by a user.
"WannaCry" infected computers running the Microsoft Windows operating system, starting on May 12, 2017. Microsoft had issued a patch for the underlying vulnerability (security bulletin MS17-010) on March 14, 2017, nearly two months before the outbreak; within a day of the outbreak it also issued patches for older, no longer supported versions of Windows, such as Windows XP and Windows Server 2003. If a system had not been patched and was infected by "WannaCry," the victim had essentially two choices: (1) pay the ransom, and hope the perpetrator would release the key to decrypt the encrypted data, or (2) wipe and rebuild the infected systems entirely, and restore the data from backup. Either one could be costly, and might not be 100% effective.
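The practical lesson of the paragraph above is that the machines hit by "WannaCry" were ones on which a two-month-old patch had not been applied and on which the old SMBv1 protocol was still enabled. The following PowerShell script is an added example for this article, not code from the original, showing the kind of read-only host check a technical reviewer might run on a target's Windows systems during diligence. It assumes a Windows host with PowerShell; the KB identifiers are the ones Microsoft published for MS17-010 in March 2017 and for the unsupported-version release in May 2017, and the function and variable names are the example's own.

```powershell
# Added example: read-only check for the two conditions that made a Windows
# host vulnerable to WannaCry's worm component. Not from the original article.
# Run locally on each host (or via Invoke-Command -FilePath across a fleet).

# KB identifiers published by Microsoft for MS17-010 (March 14, 2017) and the
# out-of-band May 2017 release for unsupported versions. Check the bulletin
# for the exact entry that applies to a given build.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607 cumulative updates
    'KB4012598'                             # Windows XP, Server 2003, Windows 8 (May 2017)
)

function Test-Smb1Enabled {
    # Preferred path: the SMB cmdlets, available on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Fallback for Windows 7 / Server 2008 R2: the LanmanServer registry value.
    # SMBv1 is on by default there, so an absent value means it is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Test-Ms17010Recorded {
    # Get-HotFix lists only updates the OS still records as installed. On
    # Windows 10 a later cumulative update supersedes the March 2017 one and
    # its entry disappears, so $false here means "look closer", not "exposed".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-WannaCryExposureReport {
    $smb1    = Test-Smb1Enabled
    $patched = Test-Ms17010Recorded
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Smb1Enabled     = $smb1
        Ms17010Recorded = $patched
        # The WannaCry propagation path needs SMBv1 reachable AND the fix absent.
        LikelyExposed   = ($smb1 -and -not $patched)
        CheckedUtc      = (Get-Date).ToUniversalTime().ToString('u')
    }
}

Get-WannaCryExposureReport | Format-List
```

A host reporting Smb1Enabled = True deserves attention regardless of the patch result, since SMBv1 has no business being enabled on a modern network; a report of this kind, dated and attached to the diligence file, is the sort of evidence that supports or undercuts a target's representations about its patch management.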
In late June 2017, another ransomware cyber-attack named "Petya" (later also called "NotPetya," because it was a new strain that merely resembled the earlier Petya ransomware) disrupted operations at a number of large companies around the world, including advertising firms, law firms and hospital systems. Unlike "WannaCry," its payment and decryption mechanism was effectively nonfunctional, so victims had no realistic prospect of recovering their data by paying.
The “WannaCry” and “Petya” ransomware attacks are an important reminder that many companies and organizations remain vulnerable to cyberattacks. It is also a valuable reminder that diligence in any corporate transaction should include an in-depth investigation of a company’s current cybersecurity practices, its past security incidents and breaches, and its IT policies and programs (including its backup, contingency and disaster recovery plans). In the context of mergers and acquisitions, as well as investments, the prevalence of ransomware and phishing attacks has caused many buyers and investors to heighten their focus on a target company's exposure to cybersecurity risks and what is being done to respond to and mitigate those risks.
This is especially true in industries where the goodwill of the target company rests largely in the collection and utilization of third party data, particularly personally identifiable information (“PII”) and certain statutorily regulated data, such as protected health information ("PHI") under the Health Insurance Portability and Accountability Act (HIPAA) and financial nonpublic personal information ("NPI") under the Gramm-Leach-Bliley Act (GLBA). The compromise of such statutorily regulated data could subject a company not only to reputational loss and private actions by affected individuals (and the possibility of a class action lawsuit), but also investigations by government oversight authorities, fines and sanctions.
Acquiring a company with vulnerable or previously attacked systems can also lead to unintended consequences, such as unrecognized liabilities or potential exposure of the acquirer's own systems to vulnerabilities in the acquired systems. Prior to entering any sale discussions or letters of intent, target companies and buyers or investors should each consult with IT security experts and legal counsel versed in IT security issues to discuss cybersecurity risks and how these risks could potentially impact the negotiation and the economics of a deal. It is important to contemplate these potential liabilities, to document the diligence efforts and to draft agreements addressing these risks should any future loss or litigation arise. The following are issues to be considered in due diligence.
Diligence Areas of Focus
During the due diligence process, buyers and investors should gain a clear understanding of how the target company is protecting itself, its customers, and the data it maintains from ransomware, phishing and similar attacks. Diligence should include questions about whether the company has suffered a past cybersecurity attack or breach and what controls and protocols were put in place in response. The company's answers to any questions regarding cyberattacks or breaches should be captured as representations and warranties in the purchase contract. From the acquirer's or investor's perspective, specific representations and warranties that carve out and focus on IT security will, ideally, be included in the transaction documents.
Various federal and state laws may expose the target and the acquirer to liability if there has been a past attack. For example, for an entity covered by the privacy and security rules promulgated under HIPAA, the Office for Civil Rights of the U.S. Department of Health and Human Services ("OCR") has stated that a ransomware attack that encrypts protected health information is presumed to be a breach under the HIPAA Breach Notification Rule unless the entity can demonstrate a low probability that the information was compromised. How a target company that is a covered entity responded to such an attack and the remedial measures implemented thereafter should be included in any diligence efforts. The same is true of security breach requirements under state laws, which in many states are broad and include stringent breach notification requirements that can be quite costly to satisfy. If there has been a past attack, an in-depth discussion should be had with the target company's security and IT personnel to understand the nature of the attack, what information was lost, stolen or otherwise affected, and how the company changed its security measures afterward.
Buyers and investors should also specifically inquire into any complaints the target company has received regarding data security breaches. Target companies should be expected to provide specific details regarding their data collection processes (e.g., whether information is transmitted directly from individuals or through other third parties), restrictions on employee access to sensitive data, and any internal privacy policies or trainings implemented for employees and contractors with access to the data. They should also be expected to deliver information regarding the data security software and policies used to ensure the confidentiality and integrity of such data and to protect it from ransomware and phishing attacks. An acquirer or investor should demand a history of the target's data retention policies that govern how long PII and other personal data is kept, and the methods by which data is deleted or destroyed so that its confidentiality and integrity are maintained through the end of its life.
Owners of companies contemplating a sale or investment may want to consider engaging technology consultants to review, implement or improve, if so advised, cybersecurity policies and procedures ahead of a diligence process conducted by a counterparty.
Another area of diligence is cybersecurity breach insurance of the target, which may stem potential losses from breaches that have occurred or may occur after a transaction.
Finally, the target company's IT practices should be reviewed with an eye on its backup, business contingency and disaster recovery policies and procedures. In the case of a ransomware attack, a practical option may be to ignore the perpetrator's ransom demands, wipe the affected computers entirely and rebuild them from known-good media. That should rid the systems of the malicious software, but it is only a viable option if the company has an adequate backup of the affected data. If no backups exist, or the most recent backup is old, restoring the data may leave unresolvable problems, as a portion of the data will simply be gone. Backups that sit on network shares reachable from infected machines are also at risk, since ransomware routinely encrypts every drive and share it can reach, so at least one copy should be kept offline or otherwise isolated. For these reasons, the due diligence review should scrutinize how often data is being backed up, whether any copies are kept out of reach of the production network, whether restores are periodically tested, and whether those practices and policies are customary within the company's industry.
For companies involved in the healthcare or consumer finance industries, failure to investigate these issues could lead to significant costs due to comprehensive federal and state breach notification requirements, liability for injury should a cyberattack breach individuals' protected health information, and federal civil and criminal actions.
Tips for Drafting Contracts
The buyer’s or investor's satisfaction with the diligence provided and the adequacy of the target company’s cybersecurity measures will affect the drafting and negotiation of the transaction documents, particularly the representations and warranties in the purchase agreement. The transaction documents should include specific representations, warranties and covenants relating to the target company’s PII collection and processing procedures and policies, confirmation that such policies and procedures are in compliance with applicable laws, and other more specific representations, warranties and covenants the buyer or investor may request in response to the due diligence reviewed. Each specific area of cybersecurity concerns should be articulated and addressed with appropriate company specific representations and warranties. Examples include representations and warranties regarding unauthorized intrusions to the company's networks and systems, the company's compliance with specific industry-recognized security standards, security audits and network penetration tests conducted by the company, and the existence of and adherence to company policies for backing up and storing company data, business contingency and disaster recovery.
Any cybersecurity risks identified by the buyer or investor that are not adequately addressed by the target company, or any reported or potential security breaches identified by the buyer or investor, may result in a holdback of purchase price consideration (in the acquisition context) or require the target company to specifically indemnify the buyer or investor for any claims or losses relating to such personal data. Target companies may be in a stronger position to push back on indemnity or holdback provisions, and negotiate qualifiers, such as reasonability, knowledge or materiality, in the representations and warranties if they are able to show the buyer they are taking sufficient precautions to protect against ransomware, phishing and other cyber-attacks.
Protecting Diligence Documents
In current transactional practice, due diligence relies almost completely on the electronic exchange of documents. The protection and security of these documents in the diligence process is just as important as the performance of the diligence itself. In some attacks, such as those involving ransomware or other malware, attackers can leave behind additional malicious code embedded in electronic files that can be triggered later. This not only exposes the target to a future attack; if files carrying that code are received in diligence and opened on the buyer's systems, those systems can be infected as well.
Many law firms offer a secure platform or "data room" where documents and information can be uploaded. Such services help protect against attacks during the electronic exchange of documents in diligence by keeping the acquirer's systems separate from the target's systems. That separation matters if the target has had a cyberattack or is vulnerable to one, if an attack happens to occur during the diligence process, or if malicious code is left over from a previous attack. Separation is not a substitute for ordinary precautions, however: files downloaded from a data room should still pass through the acquirer's normal malware scanning before they are opened.
The potential liability of acquiring or investing in a company vulnerable to a cyberattack or that has had its computer systems breached makes a strong case that these issues be properly evaluated and addressed in any due diligence efforts. Lack of compliance with laws regulating the handling of PII can create significant exposure which also compels thorough diligence in determining the regulatory environment within which the company operates.