Guest blog: Steve Black, Visiting Professor of Law at University of Houston, Cybersecurity Consultant and RSAC 2020 speaker shares his views on the importance of thorough due diligence.
Many see the cautionary tale of the fallout of the Marriott / Starwood breach and the £99 million fine the UK Information Commissioner’s Office intends to levy as simply an unlucky acquisition. I see it as a warning to all of us who advise clients participating in acquisitions. Speaking specifically about the Marriott breach, Information Commissioner Elizabeth Denham said:
“[O]rganisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.” (emphasis added)
A number of years ago I was approached by a client who was selling a business for several hundred million dollars. I spoke with the owners and their advisors about the specific facets of the deal for a while, and then I asked about key data the business owned. “Oh, that,” was the reply. “It’s not very valuable, and we aren’t worried about it.”
Data Valuation
Since we live in the information age, the data that organizations collect and use always has value. When that data is stolen, organizations find themselves scrambling to secure and rebuild. Time and effort are involved, and sometimes even embarrassment (“Please ignore any email purporting to come from me … I’ve been hacked!”). Each facet of a data loss incident has risk and cost associated with it.
You must consider these risks and costs of data loss when determining how much your client or organization is willing to invest in security and data breach preparedness.
The Value of Data Loss Itself and Compliance Violations
If you were to ask a CEO, CFO, or CIO, “How much would you pay to have not gone through this breach and lose this data?” -- you’d be surprised how much they’d be willing to spend after the fact to fix their reputation, relationships and customer trust. Compliance also comes into play. If proper data security and compliance practices weren’t in place, an organization could be facing penalties the could drive the ‘data loss’ bill way up. For example, the average fine (without taking into account the €50 million fine Google received) during the first compliance year of the GDPR of 91 fines issued was approximately €66,000. [1] Your client needs to determine how much and what kind of data they have (PII or other), and how much it would cost if they lost it all together. This estimated cost of just the data loss itself should be an organization's first indication that they should spare no expense on security.
The Cost to Rebuild
Following a ransomware attack, clients are frequently asked where the backups are located, and how long it will take to restore systems and functionality. Occasionally, the answer is a sad, deer-in-the-headlights look -- no usable backups are available. At that point, the conversation turns to: what’s the possibility and cost of rebuilding.
In valuation practice, we frequently look to replacement cost as one measure of value, usually with the question, “How much would it take to replace or rebuild this?” Do your clients have customer lists, key contacts with suppliers, proprietary information, or scientific data that has been accumulated over a period of years? What would the cost be to replace that information?
The Cost of Time
Even if all went well following a data breach, business can still be disrupted for hours, days, or even weeks while backups are located, loaded, and tested. In a large organization, the resultant loss of time can equate to millions of dollars in losses.
In some organizations, the backup and recovery process has not been tested. The confusion and extended loss of time can spell real trouble if the downtime results in loss of business, employee productivity, and public trust. Don’t forget to account for the cost of time in valuing data.
The Cost of Public Scrutiny
The Irish Republican Brendan Behan opined, “There's no such thing as bad publicity except your own obituary.” However, as several large companies in the technology space have recently learned, you can have enough bad publicity to land you in unfavorable public cross-hairs. Generally, business leaders enjoy great latitude with their decisions and strategy. However, a history rife with antitrust litigation and regulatory intervention (and now GDPR, CCPA and others) teaches us that there is a serious cost when the government and public become interested in what your business does.
Following a breach, there is a natural inclination on the part of others to know what happened and what went wrong. Opening the doors and windows of your client’s business is costly and can directly affect business agility for the foreseeable future.
Other Miscellaneous Costs
I frequently mention to clients who are seeking to secure their organizations that they should consider what else might happen following a serious breach – declines in stock value, loss of employee morale, terminations (whether or not justified), the lack of trust from vendors and partners, and government scrutiny. Each of those has a value, too.
The Importance of Cyber Due Diligence, Even Outside of M&A
Whether your clients are actively involved in M&A transactions or not, every business can benefit from being proactive in asking the types of questions involved in due diligence inquiries, both for themselves and for those with whom they have business dealings, such as:
What is our current state of cybersecurity awareness and defense?Do we know where and what our assets are doing? Do we know who has access to them?
Do we know our systems? What their value is? How fast can they break (and how fast can they be repaired or replaced)?
Do we know what secrets we hold and how they are kept? Do we know where we do business, and where our people are? Do we know what our relationships in those jurisdictions look like? Do we know who our key partners are (including those to help in the event of a breach or crisis)? Do we know what data partners have access to?
Can we test and improve upon that state?
In The End, It's Your Responsibility
From the recent breach headlines, we know that many companies are struggling to answer these difficult questions. But the difficulty shouldn’t be an excuse to put customers, partners and the industry at risk.
If you aren’t an expert in cybersecurity yourself, be sure to surround yourself with experts. Education, experience, and training are the only ways to combat the cybersecurity crises our clients are faced with daily.
And when in doubt, remember to always revert to the basics -- valuation and due diligence practices. These principles can help organizations and business leaders more easily understand the importance of data security for themselves and their partners. By assigning a value to the various facets of data loss, your clients can determine how and what to prioritize in their security preparations before it’s too late.
[1] https://gdpr.eu/gdpr-fines-so-far/