Communications Litigation Today was a Warren News publication.
NIST Framework Prominent

Companies Increasing Cybersecurity Due Diligence After Increase in Incidents, Lawyers Say

Recent cyberattacks and data breaches against federal agencies and the private sector have prompted the communications sector and other industries to significantly increase their focus on cybersecurity as a factor when considering buying another company, industry lawyers and consultants said in interviews. The push to give the private sector the leading role in driving sectorwide improvements in cybersecurity, as evidenced in the development of the National Institute of Standards and Technology’s Cybersecurity Framework, means federal agencies are not closely monitoring cybersecurity as a main factor in deal reviews, stakeholders said.

Companies considering a merger or other acquisition invariably are more likely to give much more prominence to an assessment of cybersecurity practices at the acquired company than would have been the case as little as a year ago, said Norma Krayem, Holland & Knight senior cybersecurity policy adviser. “There’s now a greater focus on trying to do cybersecurity assessments of these deals, particularly in relation to what the pre- and post-merger system connectivity will be.” Multinational corporations are even more likely to place cybersecurity and privacy issues “front and center” in the due diligence process because of the potential for stricter cybersecurity rules in EU nations, Krayem said.

Communications and Internet companies have always made cybersecurity a factor in M&A reviews, but that interest is spreading into every industry, said Venable cybersecurity and telecom lawyer Jamie Barnett, former FCC Homeland Security Bureau chief. AT&T and Charter Communications didn’t comment on the extent to which they evaluated cybersecurity in their respective AT&T/DirecTV and Charter/Time Warner Cable/Bright House Networks deals. Cybersecurity due diligence has become particularly important in the context of M&A because of the decreasing likelihood that a company is able to self-detect advanced persistent threats (APTs), Barnett said. Cybersecurity firm Mandiant said in a February report that only 31 percent of companies affected by APTs were able to detect those cyberattacks themselves. External entities like cybersecurity firms or the federal government were responsible for alerting the other 69 percent of affected companies to the attacks, Mandiant said. “It’s dangerous to buy a company and not really know what might be lurking in those systems,” Barnett said.

Effective cybersecurity due diligence needs to include thorough tests like penetration testing of a company’s network, along with more general assessments of a company’s cyber practices, Barnett said. Those assessments should include examining whether a company is using multifactor authentication, application whitelisting and other practices, he said. Many companies are putting together checklists that amount to a more comprehensive cybersecurity assessment in due diligence, including an examination of a company’s risk management regime and compliance with technical standards, Krayem said. Those types of assessments are becoming more of a focus on the front end of the merger process, though it’s unclear the extent to which companies are specifically delaying reaching a deal until they can do those assessments, she said.

The NIST framework has become a prominent tool for companies to evaluate cyber practices as part of due diligence, particularly if the deal involves companies in a critical infrastructure sector or companies that have contracts within the federal government, he said. The NIST framework is probably going to have the widest effect on due diligence evaluations, but more specific cybersecurity standards will also play a more specialized role depending on the industry, Barnett and others said. The ISO/IEC Information Security Management Systems 27000 (ISO/IEC 27000) standard is also prominent as a due diligence tool, said former Qwest Chief Information Security Officer Mel Gates, Squire Patton cybersecurity and privacy lawyer. “There’s not one single accepted standard," as the prominence of any particular standard can vary by sector and organization, she said.

Companies that have already dealt with a data breach may engender more cybersecurity scrutiny from a prospective buyer or merger partner, but the focus remains on what the company’s cybersecurity practices are at the time of due diligence, Gates said. “There are a number of scenarios one can envision where an organization may have been subject to a data breach but may be better positioned today because all too often cyber is an investment that organizations make on a reactive basis,” she said. “That an organization has had a breach isn’t as important as having a plan in place. Companies want to know what a company has in place now, what kinds of tools and techniques they’ve invested in.”