Whatever the nature of the data and systems used in your business — and whatever the size of your business — cybersecurity is an issue you cannot ignore. While the media frequently reports on data breaches affecting large companies, small and mid-sized companies are experiencing cyber-attacks just as often, but suffering more significant damages since they lack sufficient resources to deploy a comprehensive response.
Addressing and managing operational cybersecurity risks is important not only to lessen the risks and fallout of a cyber-attack but also to demonstrate that your company has taken appropriate steps and implemented necessary procedures to protect itself and its financial or strategic partners. The focus on cybersecurity will continue to intensify in the negotiation of finance, M&A and strategic transactions for companies of all sizes. Failure to demonstrate a solid cyber program can negatively impact the negotiation of important transactions.
Here are four steps that will help protect your business and better position you for transactions:
1. UNDERSTAND YOUR INFORMATION LIFECYCLE
Start by asking yourself these key questions, which will enable you to have a better understanding of any risks associated with your organization’s collection, use, and storage of data.
- What type of data does your organization acquire?
- How does it acquire such data?
- Who has access to the data (internally and externally)?
- Who do you share data with?
- How is it protected?
- Where is it located in your organization or with vendors?
- How long do you keep the data?
- What happens if the data is damaged or destroyed?
- Does the data belong to other parties?
- How will you recover and continue to operate if the data and/or systems go down or become inoperable or inaccessible?
2. ASSESS RISKS FROM VENDORS OR PARTNERS THAT HAVE SYSTEM OR DATA ACCESS
Identify vendors or partners that have access to your systems, and make sure appropriate controls are in place to prevent unauthorized access to systems or misuse of data in the hands of the vendor. Implement multi-factor authentication for any individual who requires remote access to your system.
3. MITIGATE RISKS: IMPLEMENT PROTECTIVE MEASURES
You should have the appropriate policies in place to adequately protect your systems and data. Certain transactions will require you to produce these policies. You should also audit and test your policies to ensure they are accomplishing what they are intended to.
Ensure you have adequate contractual protections in place for vendor contracts, and make sure your employees are trained on and understand the appropriate protocols for access to and use of data.
Develop an incident response plan, a business continuity and disaster recovery plan, and test them. You do not want to realize after your systems go down that you transferred the data but not the applications required to access the data to your off-site backup, leading to an entire shutdown of your organization.
Whether you have three employees or 300, having a plan in place will help you respond to cyber-attacks efficiently and effectively, mitigating damages and ensuring you are still in business.
4. OBTAIN CYBER INSURANCE AND DESIGNATE COUNSEL
The question isn’t if you are going to have a data breach or system interruption event but when. Make sure you have adequate insurance that covers the cost of any data breach or system interruption (such as ransomware), including legal, forensic, and notification costs, and all costs associated with regulatory investigations and fines. Designate legal counsel who has appropriate experience before an incident occurs — the last thing you have time for while responding to a cyber-attack is to interview and select counsel.
The above actions will help protect your business and reduce the costs associated with a cyber-attack. Additionally, these steps will help potential contract partners or acquirers evaluate the potential for cyber breach when negotiating transactions with your company. If the mitigating steps you have taken are not clear and are not documented, a potential financial or operating partner may regard a transaction as too risky, and you may be forced to provide broad indemnity, purchase additional insurance, leave funds in escrow or simply lose the transaction altogether. Few strategic or financial partners will enter into significant transactions with hidden or unaddressed cyber risks.
As cyber-attacks happen more frequently, contract partners will require disclosure of your company’s cyber plans as part of their due diligence review; therefore, the strength of your cybersecurity preparedness could make or break future transactions. Similarly, as you explore transactions with strategic or financial partners, you should review and understand your potential partner’s cybersecurity policies should your company’s data be exposed to a breach stemming from your partner’s business.
Melissa Ventrone is the chair of Thompson Coburn’s cybersecurity practice. She leads breach response teams in responding to cyber-attacks and helps clients proactively manage data privacy and security risks. A partner in the firm’s Chicago office, Melissa can be reached at (312) 580-2219 or mventrone@ thompsoncoburn.com
Jennifer Post is a Corporate and Securities partner in Thompson Coburn’s Los Angeles office. Jennifer represents companies and investors in a wide range of corporate transactions, among them M&A, capital raising, secured lending, debt and equity investments and IP protection. Jennifer can be reached at (310) 282-2512 or [email protected]
