Cascade Conversations: IT Security Prep for Mergers and Acquisitions
In this episode of Cascade Conversations, Managing Director Ron Reed and attorney Claudia Rast from Butzel Long, discuss the importance of IT security preparation and its role in mergers and acquisitions.
Ron Reed: Welcome to our cascade conversation series of videos, where we’re taking the M and A topics and discussing them with key professionals, on the industry. If you want to see other videos, you can go to the “Butzel Long” website, the “Cascade Partners website” or our “Cascade YouTube Channel”. Today I’m really excited to be sitting here with Claudia Rast, who I think I’ve known you for about 10 years Claudia.
Claudia Rast: Is that right.
Ron Reed: And your career has been focused nearly [00:00:30] entirely around cybersecurity, data analytics and other information technology topics.
Claudia Rast: That’s correct, most recently, yes.
Ron Reed: Absolutely, since you stopped throwing laws in college, right?
Claudia Rast: That’s right. You got to get something in College. Right?
Ron Reed: Great. So today, what we thought we’d start with tis security preparation for M and A both for buyers and sellers of companies. And you and I talked about three topics that I think are pretty interesting and very impactful for potentially on [00:01:00] the price of a business that we think we should really think about before buying or selling a company. And the three topics we talked about, our vulnerability security, IT vulnerability, supply chain security and where is your data and where does it come from? Right?
Claudia Rast: Yeah. So those are really important topics for the audience to understand and learn about it and vulnerability testing is incredibly important. It’s the way you do to determine… [00:01:30] Say the example is a house, how many keys, to how many doors, how many windows have latches? You want to know where those openings are potentially that a company may have. And what is tested are what we call open facing internet protocol addresses a company has used the internet, what company nowadays doesn’t use the internet for connectivity. And so they have what they call a, a group [00:02:00] of IP addresses. Those IP addresses. Some are used, some are in storage, but those are open facing to the internet and they present opportunities for threat actors to gain access. So the vulnerability test basically touches those IP addresses to see what might be helpful, what might need a patch or new software to correct a problem.
Ron Reed: And I’ll say from an MNA standpoint, from a finance standpoint, how that shows up in [00:02:30] your price? Most recently I sold a company that did penetration testing and it impacted their earnings. So if you’re not spending 60 to $120,000 a year, which is a typical price for penetration testing the buyer of your company, or if you’re buying a company that may need to be a consideration for the future. So they may discount your value because you’re not spending that money and the buyer may need to start spending that money. So you need to, at least the nature [00:03:00] of your business comes into play here.
Claudia Rast: Right and to distinguish there is a simple vulnerability scan, which is much less costly than a penetration test. Those can run 800 to a thousand dollars per scan. So that’s not a big expense, penetration testing, as you mentioned, is a much more thorough, much more exhaustive and much more costly, but equally, or not more important than the volatility.
Ron Reed: And then I want to start by putting opinion this is to point out that [00:03:30] these topics are showing up in every major newspaper every week. What they’re really starting to do is show up at your front door as a business owner. You know, most people think about this in kind of grand, big tech companies areas, but these are really showing up anybody who ends up with either sick consumer information about their customers or financial information about their business partners or their business customers they’re now [00:04:00] at risk in ways they weren’t at risk maybe 10, 20 years ago.
Claudia Rast: Oh, absolutely.
Ron Reed: So next we were talking about supply chain and we are starting to realize that in IT and anybody selling a business that has either a heavy use of IT or the business uses a lot of technology for its services that IT vendor IT in the supply chain has a real big impact. I’ve got a couple of examples, but I know you have some as well.
Claudia Rast: Yeah, well the big example and we talked about this earlier [00:04:30] was notable with the Verizon acquisition of Yahoo in 2017, where Yahoo had incurred this massive data, breach three billion people with their information on the dark web that was not disclosed oddly enough, to Verizon at the time and ultimately that amount of two or $350 million price reduction for Yahoo and selfies company to Verizon.
Ron Reed: Which could, [00:05:00] as you bring it up, really impact the reps and warranties of a business because if you don’t know about these in the owner of a business, may not even know about the breaches that they’re dealing with, so you’re going to start seeing these show up and some of these topics are insurable. So if you at least start looking at your contracts to understand the liability that your vendors have, or don’t have, that’s at least a good start.
Claudia Rast: Right, then you take the average company and they don’t have to be a Verizon or a Yahoo.
Ron Reed: Right.
Claudia Rast: These can be companies who does payroll processing, [00:05:30] where do they have their cloud information to do certain other types of custom processing for the manufacturer of their widgets or the customer service that they use in a platform to maintain customer or client contact information. So those are all really important vendor relationships that also need to be [inaudible 00:05:51]
Ron Reed: And I think that’s an important point, your supply chain, isn’t just where you buy parts these days, it’s those what we may not think about third [00:06:00] parties we use for payable services that are IT driven that we may use for communication on slack or Microsoft office 365, which historically weren’t at the top of mind for vendor issues, but now knowing at least what the security vulnerabilities or costs or liabilities are, will impact the value because we’re going to see those show up increasingly in reps and warranties.
Claudia Rast: Right, you know, and, and another sort of interesting side, and we haven’t talked about this before is if the company is in the process [00:06:30] of some kind of litigation, not uncommon, there are lawsuits pending all the time. There may be an e-discovery platform that is out there that has been basically represented by both parties as being secure, where they are disclosing certain required information to one another. Those platforms have been hacked. That information then goes out on the dark web as well. So, the supply chain is not always necessarily the big ones that you think about.
Ron Reed: Right, and [00:07:00] the last topic I think you started the same way into that direction was your data. Increasingly our data is not within our four walls, our information is in cloud, knowing where those cloud locations are and knowing where the information that your company is now maintaining in those clouds is increasingly sensitive I understand. And both state US and international law is applying and we [00:07:30] buy and sell companies that do business all over the world, and it’s no longer one rule fits all. Maybe you can talk a little bit about it?
Claudia Rast: Right, so it’s a very interesting kind of saying in contracts where you were maybe contracting with the cloud platform for a certain service, one of the questions that’s not commonly asked is where are those servers located? What country? Are those servers domestic US servers? or are those servers in the EU? If they are in the [00:08:00] EU, then the international laws and their general data protection regulation, GDPR would apply. And that has certain restrictions on the ability in the US our laws are such that we can send all kinds of data everywhere, but in the EU they’re very strictly concerned. Privacy is considered a fundamental, right? You cannot take the data of an EU citizen and, and bring it to the US without certain protections. And they’re still [00:08:30] working on that today, it has not been resolved since July 16th or last year.
Ron Reed: Well, and I would say back to the financial impact of that for a buyer or seller is these turn into liabilities. So in the event that you have, for instance, information about a business or a consumer, or an individual, a business, and they have a right for you to lose their data, for instance, people, I think the phrase is the right to be forgotten, and you’re still maintaining data they have asked you to delete, [00:09:00] you have financial liability for that?
Claudia Rast: Right.
Ron Reed: And again, that will show up in price reductions and due diligence. And the more you can get ahead of this, I think the better you’ll be to maintain the price, both selling a business, but also these are considerations when buying a business, so you don’t want these prices to surprise you, these costs to surprise you post acquisition.
Claudia Rast: Right, and all data is not the same, and it’s not all defined the same way.
Ron Reed: Give us an example.
Claudia Rast: Well, for example, [00:09:30] in EU personal data is any information that can be linked to a human being, a natural person may say, but in Michigan, personally, identifiable information would be a social security number, a driver’s license number, or financial information sufficient to access your account. It wouldn’t be a name and an address, a name and an address would be personal data in the EU. [00:10:00] Every state has its own definition, some of the same as other states, but that’s the important part of understanding the data, mapping the data, knowing what kind of data you have, where it’s stored, who owns it.
And a lot of vendor contracts, we’ll say we want to own the data and many companies don’t realize that what they’re doing and sharing that data is giving [00:10:30] that data up to the vendors to monetize, and how they store it is important, because again, from a vulnerability standpoint, if you have all your data in one big box, if that big box is stolen, you’ve lost all the data.
Ron Reed: Right.
Claudia Rast: If you compartmentalize that data and put your trade secrets here with certain security and some less sensitive data here with certain security, and maybe just email messages about lunch dates [00:11:00] in this box, when a threat actors enter one area, they’re not going to be moving across your network, so the idea of knowing where your data is and mapping the data is really important. And also don’t retain the data you don’t need. That’s a cost.
Ron Reed: Right, well, it seems to me that, so if I’m listening to this video, the most important thing is much of what we’re talking about are good, modern best practices for businesses and things that are, as you said, not all data is a life, not all [00:11:30] businesses are alike, but increasingly there are fewer and fewer businesses that don’t somehow use cloud systems to run their operations, to either make their payroll deal with their marketing interface, with their customers and those systems increasingly have an impact on sale price.
Claudia Rast: Right, And yet here’s another little warning bit because some companies will say, well, I don’t use the cloud cause it’s dangerous. I would be concerned about those companies using their, what we call on premises or on [00:12:00] prem servers, because those servers maintained physically in their office location are generally managed by their IT department. Their ID department is not necessarily focused on security, they’re focused on connectivitY, they’re focused on what we call break fix. So to say that I’m not in a cloud, so I’m safe is to me a warning sign.
Ron Reed: I think the takeaway from this conversation are one, if you’re [00:12:30] dealing with any kind of cloud or any kind of IT systems in your business, increasingly those how those are managed, how well or not those systems are managed will have an impact on the value of your business. If you’re, whether you’re selling a business or buying a business, these are considerations you really need to think about.
Claudia Rast: Absolutely. And I would say, look at the board, if the board of the company you’re acquiring does not have a privacy officer or a security officer [00:13:00] on that board, I would be careful.
Ron Reed: So that’s a real good consideration. Many of the business we sell don’t even have boards of directors, so we think about these topics when we’re doing preliminary due diligence prior to taking a company to market, and these are just the kinds of things that we are increasingly worrying about getting ahead of so that we can disclose them early. And if they’re going to impact the price we know earlier, rather than later in the diligence.
Claudia Rast: Yeah.
Ron Reed: That’s the cascade part of the [00:13:30] approach is to really make sure that we surface all the bad news, if you will early, because some of these things, as we said, they can be addressed with insurance. They can be addressed with actual vendors, restructuring contracts, working through these topics in advance. So they don’t surprise you just as you’re trying to close a deal.
Claudia Rast: This is a real value, to add Ron, that’s the trusted partner, that’s what you bring to the transaction of the ability, the knowledge, the experiences, the trusted partner to understand these things. So it’s a true value.
Ron Reed: [00:14:00] Well, thanks for being here today with us, and I look forward to doing this again with.