Interview the Expert
An Interview With Tom Burton
Thomas R. Burton, III is a Partner at Mintz Levin in the Corporate & Securities Section and is the founder and chair of the firm’s Energy Technology Practice. Tom received his J.D. from Boston College. [email protected] / https://www.mintz.com / https://www.mintz.com/professionals/detail/name/thomas-r-burton-iii
Interviewer – Marcus McInnis
Marcus McInnis, as the Director of Operations for Lockheed Martin’s Cybersecurity Innovation Center, provided the full range of system security solutions for complex enterprise and system environments. As an advocate for increased security awareness he promoted the concepts of brand assurance while developing internal cybersecurity practices and policies across a $40 billion corporation.
Key Take Away
“Managing cyber security risks as a preventative action is a crucial step for companies functioning in today’s business environment – as a corporate and securities lawyer I’ve seen the failure to manage these risks early rear their head later in the M&A context, resulting in unnecessary costs and delays.”
McInnis
Tom, can cyber security problems impact companies in the M&A context?
Burton
The short answer is yes. As the frequency and magnitude of cyberattacks on private enterprise have increased in recent years, more businesses are realizing the risks of inadequate cyber security and the cost burdens of data breaches. The massive data breaches Yahoo suffered have created a barrage of negative headlines for the company, and are significantly impacting its proposed acquisition by Verizon. This is just one example within a larger trend of cybersecurity issues rearing their ugly head in the context of record-setting years for M&A transactions. The Corporate Counsel’s 2015 study on cybersecurity risk in the M&A context found that “83 percent of respondents believed a cyberincident mid-deal or the identification of past data breaches during due diligence could have an impact on the transaction.
McInnis
What are the direct costs in the M&A context?
Burton
One aspect of the cost burden that has received little attention is the potential erosion of company value in the private market M&A context. Reporting on the impact of security breaches has centered on high profile, public companies, such as Target, Sony, JP Morgan, and most recently Yahoo. Unlike public companies, however, private companies do not have to publicly disclose security breaches or their financial consequences. As such, little data exists to directly link data breaches and lower valuation. Nonetheless, for the reasons discussed below, attacks are value eroding, or even deal-killing, events, and therefore represent critical risks to companies.
Reductions in net income and valuation as a result of a cyberattack are the most obvious and potentially significant to a deal. If a data breach results in the theft of intellectual property that provides a company its competitive edge, the company could face long-term profit losses that seriously impact valuation. Even if a company’s long-term prospects are not affected, a reduction in valuation can still result from expenses incurred when responding to cyberattacks, including consumer and securities fraud litigation costs, liability for corporate directors, fines, and the implementation of new IT systems and training programs.
Indeed, such losses can yield a lower baseline input to determine valuation, as EBITDA multiples are often a key metric. The impact has a multiplier effect on valuation reduction; for example, in a market where a sale multiple is 8-10x EBITDA, even a 2% reduction in profit can have a significant downward effect on valuation. At worst, prior data breaches can be used as a negotiation tool to drive down valuation, as Verizon is doing now in its negotiations with Yahoo.
McInnis
Are there indirect costs?
Burton
Yes, during deal negotiations, past breaches can adversely affect the seller’s ability to secure favorable terms related to escrows, indemnities, and representations and warranties insurance. Prior cyberattacks on a company may lead a buyer to demand extra warranties regarding potential liabilities and ongoing or currently unknown costs related to the breach. As a result, the buyer may also demand a larger escrow or special escrows to shift the risk burden to the Seller. Similarly, a buyer may demand special indemnities, longer survival periods, limited carve outs, and basket and caps to mitigate perceived risk. These deal complications and clawback risks lead to other indirect costs: increased uncertainty and lost time value of money with a larger percentage of the deal tied up in escrow and longer and more robust indemnity periods. These are deal proceeds that could have been sooner distributed to sponsor fund limited partners, which affects sponsor fund IRR. All of these factors can lead to longer negotiation time and increased insurance policy costs, including additional preparation time and cost for disclosure schedules.
Finally, companies that experience cyberattacks frequently incur damage to their reputation, which while difficult to quantify, can have a significant impact on profits and valuation. Brand erosion could result in reduced exit value in an M&A transaction, particularly for technology companies or those that deal with sensitive data, such as personal financial or health information.
McInnis
Why should cyber security be a top priority for all companies, regardless of size or industry?
Burton
As companies conduct nearly all of their business on internal software systems and online, the threat of cyberattacks will only increase. Attacks against major companies may make front-page headlines, but all companies, regardless of size or industry, face the risk of breaches. According to the NACD Cyber-Risk Oversight Handbook, “the majority of small and medium-sized businesses have been victims of cyberattacks,” and a study conducted by the U.S. National Cyber Security Alliance found that “60 percent of small companies that suffer a cyberattack are out of business within six months.” Increasingly hackers are using smaller companies that have customer, supplier or joint-venture relationships with large corporations to piggyback into large corporations’ systems. Therefore, it is paramount that companies invest in the best prevention methods, secure appropriate insurance policies in the event that a breach does occur to minimize financial repercussions, and work with expert counsel in managing these risks in sale scenarios.
McInnis
What are the elements that can contribute to cyber risk?
Burton
There are three different elements within companies that can increase vulnerability: technology, policies and procedures, and people. IT protection is the most obvious vulnerability for companies. Without state of the art IT protection, companies will be more likely to suffer serious consequences from cyberattacks than those who do properly safeguard their digital information and infrastructure.
Additionally, comprehensive policies and procedures governing information and cyber security are critical to protecting sensitive data and internal infrastructure. If these are not properly implemented, companies’ risk of cyberattacks can increase. Policies and procedures also need to be revised periodically to account for new technologies, software systems, and other changes to business practices that could open up new pathways for hackers to exploit. Appointing a Chief Information Security Officer to oversee the company’s cybersecurity is an important part of ensuring that policies and procedures are properly enforced. Other IT personnel should also be required to attend technical trainings and obtain appropriate certifications in information security. Companies should also regularly hire a third party to conduct external penetration tests to assess how well company systems defend against possible cyberattacks and internal vulnerability tests to assess security against internal data breaches.
Finally, an often overlooked but also significant part of cyber security is the behavior of companies’ employees. This threat is often thought of only in the case of a “rogue” employee. However, IBM’s 2015 Cyber Security Intelligence Index found that 95% of all breaches are the result of human error. In order for companies to effectively implement cyber security policies and procedures, employees have to be properly trained to practice smart habits that will protect proprietary information and internal systems.
McInnis
What challenges do companies face in understanding the risk their own employees pose to cyber security?
Burton
Many companies simply lack the awareness that the greatest cyber security threat they face comes from within. Major corporations like Target and Sony had policies in place to prevent hacks, but still suffered data breaches despite believing they were protected. Indeed, AT&T’s most recent Cybersecurity Insights Report confirms that this is true of most companies; it found that 90% of U.S. organizations had been affected by cyberattacks, though many had training programs in place to educate employees about cyberrisk. The Employee Cyber Readiness Survey recently conducted by the University of Massachusetts alarmingly found that a majority of employees did not remember receiving training on safe procedures for using external and personal devices or working remotely. Many also did not remember how to create and maintain secure passwords.
Even once companies recognize that employees, simply through their daily activities, present the greatest challenge to maintaining cybersecurity, they also need to understand that traditional approaches to cybersecurity training are not effective, as the University of Massachusetts’ survey demonstrates. Long and infrequent trainings on cybersecurity are neither memorable, nor sufficient in explaining to employees how they are part of the companies’ cyber defense or the seriousness of the risk posed by their daily actions.
McInnis
How can companies make their employee awareness training for cyber security more effective?
Burton
For cyber security training to be effective, it must result in long-term changes to employee behavior and habits. Companies should aim to have employees not only understand why cybersecurity is important, but also their personal responsibility in helping to protect their company. Corporate culture is a key component to achieving this goal. Beginning with the Board of Directors and the highest executives, company leaders have to prioritize cyber awareness throughout their organization, not just within the IT department. If employees see that their Board and executives are actively engaged in cyber defense measures and are making sure that training programs and policies are working effectively, they will be more likely to understand the importance of cyber security.
Effective behavioral training programs for all company employees should raise awareness about the threats posed by bad habits concerning password management, personal devices used for work, other external devices, wireless security, data backups, and working remotely. Awareness of these vulnerabilities needs to extend beyond periodic training sessions so that employees learn to naturally act in ways that are smarter and safer. Qualitatively, this means training programs should be concise to keep employees actively engaged and allow companies to measure the effects of the program on employee behavior. Firms like ThreatReady Resources provide on-going behavioral training services that encompass proven learning techniques to instigate long-term behavior change and a broad scope of multimedia communications to help deliver new content on a regular basis and keep employees engaged.