News and Commentary Impacting Data Privacy and Cybersecurity Programs

M&A Excitement, Cybercriminal Opportunists Taking Notice

This year has seen an increase in mergers and acquisitions (M&A), and with that an increase in opportunities for cybercriminals. High-profile attacks like the ransomware attack on UnitedHealth subsidiary, Change Healthcare, earlier this year that disrupted billing and prescription services nationwide illustrate the vulnerabilities that arise during the M&A process, and highlight the need for organizations to prioritize cyber due diligence and security risk management strategies.

Having acquired Change Healthcare in October 2022 for $13 billion, UnitedHealth assumed the unique risk of a cyber incident targeting one of the single largest suppliers to tens of thousands of healthcare entities, perhaps without fully evaluating the scope of that risk. Before a U.S. Senate hearing, UnitedHealth’s CEO conceded that Change Healthcare’s outdated systems and, in particular, the absence of multifactor authentication on a remote desktop application led to the ransomware attack and the ultimate payment of $22 million to the threat actors, not to mention the dozens of lawsuits being brought by consumers and healthcare providers. 

In short, cyber vulnerabilities inherent to the M&A process are myriad. There are the challenges of expertly assessing the target’s security and privacy compliance and then integrating and updating the target’s IT and information security systems.  Those challenges may be specially amplified if the target company is a supplier on which many market stakeholders depend. The due diligence process itself involves inherent cyber risk with companies relying on platform services to share confidential deal information that can lead to devastating results if that platform or one of the parties using the platform is compromised.

Key Takeaways

Comprehensive Due Diligence: This involves a thorough analysis of a deal to identify any potential security vulnerabilities, including identification of third-party information on the target entity, such as the dark web, as well as reviewing past cyber risk incidents.

Strategic Security Alignment: Prior to finalizing a deal, it is crucial to ensure that the acquirer’s and target’s security protocols and compliance controls are aligned and the riskiest gaps identified and prioritized.

Cybersecurity Consultation and Insurance: As part of the integration process, it is advisable to seek expert cybersecurity consultation. This should cover areas like technology integration, network architecture, and security infrastructure, especially as new users and third parties gain access to the systems. Tailored cybersecurity insurance coverages can provide a critical layer of protection against cyber threats.

Representations and Warranties: Buyers should carefully consider representations and warranties to include in the purchase agreement that address key data privacy and security-related risks, including, for example, representations and warranties addressing the target’s compliance with key provisions of applicable data privacy and security regulations and recent history with reported and unreported cyber incidents.

Beware Downplaying Risks in SEC Cybersecurity Incident Disclosures

Last week the U.S. Securities and Exchange Commission (SEC) made examples of four companies whose disclosures about material cybersecurity risks contained statements the SEC investigated and found to be misleading.  Following investigation related to the 2020 SolarWinds Orion software supply chain attack, the SEC found that each company “negligently minimized its cybersecurity incident in its public disclosures.” In particular, the SEC concluded that:

  • Unisys Corp. maintained deficient disclosure controls and procedures that contributed to the company characterizing its cybersecurity risks as hypothetical, despite knowing that it had suffered two SolarWinds-related intrusions that involved actual exfiltration of gigabytes of data;  
  • Avaya Holdings Corp. downplayed the level of threat actor access by stating that the threat actor had accessed a “limited number of the Company’s email messages,” despite knowing that the threat actor had additionally accessed at least 145 files in Avaya’s cloud file sharing environment;
  • Check Point Software Technologies Ltd. knew of the SolarWinds intrusion but described cyber intrusions and their attendant risks only in generic terms; and
  • Mimecast Limited minimized the nature and scope of the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials accessed.

The SEC imposed civil penalties against each company respectively in the amounts of $4 million, $1 million, $995,00, and $990,000.

Key Takeaways

Beware half-truths in risk-factor disclosures: Let the facts and the numbers speak for themselves. Avoid characterizing them as hypothetical or generic when the scope and nature of the risks is actually known. Refrain from cut-and-paste repeating of generic statements in initial disclosures where subsequent investigation has uncovered more new and specific material risks. 

Review and update the company’s disclosure controls and procedures: Ensure that incident response policies contain appropriate criteria to trigger timely escalation of potentially material incidents to senior management and disclosure decision-makers. Ensure that controls and procedures require disclosure decision-makers to promptly review cybersecurity incident information to determine what information requires timely SEC disclosure.

Concluding Considerations

Extra diligence is due during vulnerable periods like a merger or acquisition. Rather than minimizing the extent of a material cybersecurity breach, companies desiring to avoid regulatory scrutiny may do better to craft straightforward and reasonably detailed disclosures.  

For further information or guidance on these issues, please contact:

Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com

If you have topics you would like to see discussed, please email us with your ideas. We’d love to hear from you.

This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.