In this episode of Cascade Conversations, Managing Director Ron Reed discusses IT security preparation for mergers and acquisitions with Claudia Rast, Butzel Long Practice Department Chair of Intellectual Property, Cybersecurity and Emerging Technology Group.


Video Transcript:

Ron Reed – CEO and Managing Director at Cascade Partners:
Welcome to our Cascade Conversation series of videos where we’re taking M&A topics and discussing them with key professionals in industry. If you want to see other videos you can go to the Butzel Long website, the Cascade Partners website, or our Cascade YouTube channel.

Today, I’m really excited to be sitting here with Claudia Rast, who I think I’ve known you for about ten years. And your career has been focused nearly entirely around cybersecurity, data analytics and other information technology topics.


Claudia Rast – Butzel Long Practice Chair:
That’s correct. Most recently, yes.


Ron Reed: Absolutely, since you stopped throwing logs in college, right?


Claudia Rast: (laughs) That’s right. You got to do something in college.


Ron Reed: So, today what we thought we’d start with is security preparation for M&A, both for buyers and sellers of companies. And you and I talked about three topics that I think are pretty interesting and very impactful for, potentially, on the price of business that we think we should really think about before buying or selling a company. And the three topics we talked about are vulnerability, security, IT vulnerability, supply chain security, and where is your data and where does it come from?


Claudia Rast: Yeah. So, those are really important topics for the audience to understand and learn about, and vulnerability testing is incredibly important. It’s what you do to determine—say the example is a house, how many keys to how many doors, how many windows have latches—You want to know where those openings are, potentially, that a company may have.

What is tested are what we call Open Facing Internet Protocol Addresses. A company has used the Internet—what company nowadays doesn’t use the Internet for connectivity? And so, they have what they call a group of IP addresses, those IP addresses—some are used, some are in storage—but those are open facing to the Internet and they present opportunities for threat actors to gain access.

So, the vulnerability test basically touches those IP addresses to see what might be vulnerable, what might need a patch or new software to correct a problem.


Ron Reed: And I’ll say, from an M&A standpoint and from the finance standpoint, how that shows up in your price. Most recently, I sold a company that did penetration testing and it impacted their earnings. So, if you’re not spending $60,000 to $120,000 a year, which is a typical price for penetration testing, the buyer of your company or if you’re buying a company that may need to be a consideration for the future. So, they may discount your value because you’re not spending that money and the buyer may need to start spending that money.

So, the nature of your business comes into play here.


Claudia Rast: And to distinguish, there is a simple vulnerability scan which is much, much less costly than a penetration test. Those can run $800 to $1,000 per scan. So, that’s not a big expense. Penetration testing, as you mentioned, is much more thorough, much more exhaustive, and much more costly but equally, if not more important than the vulnerabilities.


Ron Reed: And I want to start by putting a pin in this, it’s to point out that these topics are showing up in every major newspaper every week. What they’re really starting to do is show up at your front door as a business owner. You know, most people think about this in kind of grand, big tech companies’ areas, but these are really showing up.

Anybody who ends up with either consumer information about their customers or financial information about their business partners or their business customers, they’re now at risk in ways they weren’t at risk maybe ten, 20 years ago.


Claudia Rast: Oh, absolutely.


Ron Reed: So, next we were talking about supply chain, and we’re starting to realize that in IT and anybody selling a business that has either a heavy use of IT or the business uses a lot of technology for its services, that IT vendor and the supply chain has a really big impact. I’ve got a couple of examples, but I know you have some as well.


Claudia Rast: Yeah, well, the notable example—and we talked about this earlier—was the Verizon acquisition of Yahoo in 2017, where Yahoo had incurred this massive data breach, 3 billion people with their information on the dark web. That was not disclosed, oddly enough, to Verizon at the time and ultimately that amounted to a $350 million price reduction for Yahoo and selling this company to Verizon.


Ron Reed: Which could, as you bring it up, really impact the reps and warranties of a business because if you don’t know about these—the owner of this may not even know about the breaches that they’re dealing with—so, you’re going to start seeing these show up and some of these topics are insurable. So, if you at least start looking at your contracts to understand the liability that your vendors have or don’t have, that’s at least a good start.


Claudia Rast: Right. But you take the average company, and they don’t have to be a Verizon or Yahoo. These can be companies who do payroll processing. Where do they have their cloud information to do certain other types of custom processing for the manufacturer of their widgets? Or the customer service that they use and a platform to maintain customer client contact information? Those are all really important vendor relationships that also need to be vetted.


Ron Reed: And I think that’s an important point. Your supply chain isn’t just where you buy parts these days. It’s also those—what we may not think about—third parties we use for payroll services that are IT driven, that we may use for communication on Slack or Microsoft Office 365, which historically weren’t at the top of mind for vendor issues, but now knowing what the security vulnerabilities or costs or liabilities are will impact the value because we’re going to see those show up increasingly in reps and warranties.


Claudia Rast: Oh yeah. You know, and the other sort of interesting side and we haven’t talked about this before is if a company is in the process of some kind of litigation, not uncommon. There are lawsuits pending all the time. There may be an eDiscovery platform that is out there that has been basically represented by both parties as being secure, where they are disclosing certain required information to one another. Those platforms have been hacked. That information then goes out on the dark web as well.

So, the supply chain is not always necessarily the big ones that you think about.


Ron Reed: Right. And the last topic I think you started to segue into that direction was your data. Increasingly, our data is not within our four walls. Our information is in Cloud.

Knowing where those cloud locations are and knowing where the information that your company is now maintaining in those clouds is increasingly sensitive, I understand. And both state, U.S. and international law is applying. And we buy and sell companies that do business all over the world, and it’s no longer one rule fits all. Maybe you can talk a little bit about it.


Claudia Rast: So, it’s a very interesting kind of thing. In contracts, where you are maybe contracting with the cloud platform for a certain service, one of the questions that’s not commonly asked is, “Where are those servers located?” “What country?” “Are those servers domestic U.S. servers or are those servers in the EU?”

If they are in the EU, then the international laws and the General Data Protection Regulation (GDPR) would apply, and that has certain restrictions on the ability. In the US, our laws are such that we can send all kinds of data everywhere, but in the EU they’re very strictly concerned. Privacy is considered a fundamental right. You cannot take data of an EU citizen and bring it to the U.S. without certain protections, and they’re still working on that today. That has not been resolved since July 16th, last year.


Ron Reed: Well, then I would say, back to the financial impact of that for a buyer or a seller, is these turn into liabilities. So, in the event that you have, for instance, information about a business, a consumer or an individual at a business, and they have a right for you to lose their data, for instance, people—I think the phrase is “the right to be forgotten”—and you’re still maintaining data they have asked you to delete, you have financial liability for that.

And again, that will show up in price reductions and due diligence. And the more you can get ahead of this, I think that the better you’ll be to maintain the price, both selling a business, but also, these are considerations when buying a business. You don’t want these prices to surprise you, these costs to surprise you, post-acquisition.


Claudia Rast: Right. And all data is not the same, and it’s not all defined the same way.


Ron Reed: Give us an example.


Claudia Rast: Well, for example, in the EU, personal data is any information that can be linked to a human being, a natural person, they say. But in Michigan, personally identifiable information would be a Social Security number, a driver’s license number or financial information sufficient to access your account, it wouldn’t be a name and an address. A name and an address would be personal data in the EU.

Every state has its own definition. Some are the same as other states, but that’s the important part of understanding the data, mapping the data, knowing what kind of data you have, where it’s stored, who owns it. A lot of vendor contracts will say we want to own the data, and many companies don’t realize that what they’re doing in sharing that data is giving that data up to the vendors to monetize. And then how they store it is important because, from a vulnerability standpoint, if you have all your data in one big box, if that big box is stolen, you’ve lost all the data.

If you compartmentalize that data and put your trade secrets here with certain security and some less sensitive data here with certain security, and maybe just email messages about lunch dates in this box, when the threat actors enter one area, they’re not going to be moving across your network.

So, the idea of knowing where your data is and mapping the data is really important. And also, don’t retain the data you don’t need. That’s a cost.


Ron Reed: Well, it seems to me that, if I’m listening to this video, the most important thing—much of what we’re talking about are modern best practices for businesses and things that are—as you said, not all data is alike, not all businesses are alike—but increasingly, there are fewer and fewer businesses that don’t somehow use cloud systems to run their operations to either make their payroll, deal with their marketing, interface with their customers, etc. And those systems increasingly have an impact on the sale price.


Claudia Rast: Right. And yet here’s another little warning bit because some companies will say, “Well, I don’t use the cloud because it’s dangerous.” I would be concerned about those companies using what we call on-premises or on-prem servers. Because those servers maintained physically in their office location are generally managed by their IT Department, their IT partners, not necessarily focused on security. They’re focused on connectivity. They’re focused on what we call break/fix.

So, to say, “I’m not in the cloud so I’m safe,” is to me a warning sign.


Ron Reed: I think the takeaway from this conversation is, 1) If you are dealing with any kind of cloud or any kind of IT systems in your business, increasingly how well or not those systems are managed will have an impact on the value of your business, whether you’re selling a business or buying a business these are considerations you really need to think about.


Claudia Rast: Absolutely. And I would say look at the board. If the board of the company you are acquiring does not have a privacy officer or a security officer on that board, I would be careful.


Ron Reed: So, that’s a real good consideration. Many of the businesses we sell don’t even have boards of directors. So, we think about these topics when we’re doing preliminary due diligence prior to taking a company to market. And these are just the kind of things that we are increasingly worrying about and getting ahead of so that we can disclose them early, and if they’re going to impact the price, we know earlier rather than later in due diligence.

Yeah, that’s the Cascade part of our approach is to really make sure that we surface all the bad news, if you will, early. Because some of these things, as we said, they can be addressed with insurance, they can be addressed with actual vendors, restructuring contracts, working through these topics in advance so they don’t surprise you just as you’re trying to close a deal.


Claudia Rast: And that’s a real value add, Ron. That’s the trusted partner. That’s what you bring to the transaction; the ability, the knowledge, the experience as a trusted partner, understanding things. So, it’s a true value.


Ron Reed: Well, thanks for being here today with us, and I look forward to doing this again.


Claudia Rast: A pleasure.

