Blog

IT Security Preparation for Mergers & Acquisitions

Cascade Conversations

In this episode of Cascade Conversations Managing Director Ron Reed discusses IT Security Preparation for Mergers and Acquisitions with Claudia Rast, Butzel Long Practice Department Chair of Intellectual Property, Cybersecurity and Emerging Technology Group.

 

Video Transcript:

00:00:06:13 – 00:00:26:11
Ron Reed – Cascade Partners CEO/Managing Director
Welcome to our Cascade Conversation series of videos where we’re taking M&A topics and discussing them with key professionals in industry. If you want to see other videos you can go to the Bazelon website, the Cascade Partners website, or our Cascade YouTube channel. Today, I’m really excited to be sitting here with Claudia. Asked who I think I’ve known you for about ten years, Claudia.

00:00:26:11 – 00:00:35:08
Ron Reed – Cascade Partners CEO/Managing Director
That’s about right. And your career has been focused nearly entirely around cybersecurity, data analytics and other information technology topics.

00:00:35:16 – 00:00:37:05
Claudio Rast – Butzel-Long Practice Chair
That’s correct. Most recently, yes.

00:00:38:01 – 00:00:42:24
Ron Reed – Cascade Partners CEO/Managing Director
Absolutely. Since you stopped throwing logs in college, right?

00:00:42:27 – 00:00:45:14
Claudio Rast – Butzel-Long Practice Chair
That’s right. You got to do something in college great.

00:00:45:26 – 00:01:16:09
Ron Reed – Cascade Partners CEO/Managing Director
So today what we thought we’d start with is security preparation for M&A, both for buyers and sellers of companies. And you and I talked about three topics that I think are pretty interesting and very impactful for potentially on the price of business that we think we should really think about before buying or selling a company. And the three topics we talked about are vulnerability, security, I.T, vulnerability, supply chain security and where is your data and where does it come from?

00:01:16:09 – 00:01:16:17
Ron Reed – Cascade Partners CEO/Managing Director
Right.

00:01:17:23 – 00:01:44:25
Claudio Rast – Butzel-Long Practice Chair
Yeah. So those are really important topics for the audience, audience to understand and learn about and vulnerability testing is incredibly important. It’s the what you do to determine say the example is a house how many keys to how many doors, how many windows have latches. You want to know where those openings are potentially that a company may have.

00:01:45:05 – 00:02:12:04
Claudio Rast – Butzel-Long Practice Chair
And what is tested are what we call open facing Internet protocol addresses. A company has used the Internet. What company nowadays doesn’t use the Internet for connectivity and so they have what they call a group of IP addresses those IP addresses some are used, some are in storage, but those are open facing to the Internet and they present opportunities for threat actors to gain access.

00:02:12:14 – 00:02:24:27
Claudio Rast – Butzel-Long Practice Chair
So, the vulnerability test basically touches those IP addresses to see what might be vulnerable, what might need a patch or new software to correct a problem.

00:02:25:04 – 00:02:50:05
Ron Reed – Cascade Partners CEO/Managing Director
And also see from an M&A standpoint, from the finance standpoint, how that shows up in your price can most recently I sold a company that did penetration testing, and it impacted their earnings. So, if you’re not spending 60 to $120,000 a year, which is a typical price for penetration testing the buyer of your company, or if you’re buying a company that may need to be a consideration for the future.

00:02:50:16 – 00:03:02:10
Ron Reed – Cascade Partners CEO/Managing Director
So, they may discount your value because you’re not spending that money and the buyer may need to start spending that money. So, you need to at least the nature of your business comes into play here right.

00:03:02:10 – 00:03:26:08
Claudio Rast – Butzel-Long Practice Chair
And to distinguish there is a simple vulnerability scan which is much, much less costly than a penetration test. Those can run 800 to $1,000 per scan. So that’s not a big expense. Penetration testing, as you mentioned, is a much more thorough, much more exhaustive, and much more costly, but equally or not more important than the vulnerabilities.

00:03:26:12 – 00:03:46:18
Ron Reed – Cascade Partners CEO/Managing Director
And I want to start by putting a penis, it’s to point out that these topics are showing up in every major newspaper every week. What they’re really starting to do is show up at your front door as a business owner. You know, most people think about this in kind of grand, big tech companies’ areas, but these are really showing up.

00:03:46:18 – 00:04:03:16
Ron Reed – Cascade Partners CEO/Managing Director
Anybody who ends up with either seat consumer information about their customers or financial information about their business partners or their business customers, they’re now at risk in ways they weren’t at risk maybe ten, 20 years ago.

00:04:03:19 – 00:04:04:12
Claudio Rast – Butzel-Long Practice Chair
Oh, absolutely.

00:04:05:02 – 00:04:26:14
Ron Reed – Cascade Partners CEO/Managing Director
So next we were talking about supply chain, and we’re starting to realize that in it. And anybody selling a business that has either a heavy use of it or the business uses a lot of technology for its services that i.t. Vendor i.t. And the supply chain has a real big impact. I’ve got a couple of examples, but I know you have some as well.

00:04:26:20 – 00:04:58:18
Claudio Rast – Butzel-Long Practice Chair
Yeah, well, the example and we talked about this earlier was notable was the Verizon acquisition of Yahoo in 2017 where Yahoo had incurred this massive data breach 3 billion people with their information on the dark web. That was not disclosed oddly enough to Verizon at the time and ultimately that that amounted to a $350 million price reduction for Yahoo and selling this company to Verizon.

00:04:58:23 – 00:05:21:03
Ron Reed – Cascade Partners CEO/Managing Director
Which could as you bring it up really impact the reps and warranties of a business because if you don’t know about these it’s in the owner of this may not even know about the breaches that they’re dealing with so you’re going to start seeing these show up and some of these topics are insurable. So, if you at least start looking at your contracts to understand the liability then your vendors have or don’t have, that’s at least a good start.

00:05:21:08 – 00:05:46:23
Claudio Rast – Butzel-Long Practice Chair
Right. But you take the average company, and they don’t have to be a Verizon or Yahoo, right? These can be companies who does payroll processing. Where do they have their cloud information to do certain other types of custom processing for the manufacturer? Of their widgets or the customer service that they use and a platform to maintain customer client contact information.

00:05:46:29 – 00:05:51:16
Claudio Rast – Butzel-Long Practice Chair
So those are all really important vendor relationships that also need to be vetted.

00:05:51:21 – 00:06:12:10
Ron Reed – Cascade Partners CEO/Managing Director
And I think that’s an important point. Your supply chain isn’t just where you buy parts these days. It’s also those what we may not think about third parties we use for payroll services that are in order then that we may use for communication on Slack or Microsoft Office 365, which historically weren’t the at the top of mind for vendor issues.

00:06:12:10 – 00:06:22:28
Ron Reed – Cascade Partners CEO/Managing Director
But now knowing at least what the security vulnerabilities or costs or liabilities are will impact the value because we’re going to see those show up increasingly in reps and what.

00:06:22:29 – 00:06:46:12
Claudio Rast – Butzel-Long Practice Chair
Oh yeah. You know, and the other sort of interesting side and we haven’t talked about this before is if a company is in the process of some kind of litigation, not uncommon. There are lawsuits pending all the time. There may be an eDiscovery platform that is out there that has been basically represented by both parties as being secure, where they are disclosing certain required information to one another.

00:06:46:20 – 00:06:58:27
Claudio Rast – Butzel-Long Practice Chair
Those platforms have been hacked. That information then goes out on the dark web as well. So, you know, it’s the supply chain is not always necessarily the big ones that you think about.

00:06:59:02 – 00:07:29:00
Ron Reed – Cascade Partners CEO/Managing Director
Right. And the last topic I think you started to segway into that direction was your data increasingly, our data is not within our four walls. Our information is in cloud. Knowing where those cloud locations are and knowing where the information that your company is now maintaining in those clouds is increasingly sensitive. I understand. And both state U.S. and international law is applying.

00:07:29:00 – 00:07:38:00
Ron Reed – Cascade Partners CEO/Managing Director
And we buy and sell companies that do business all over the world. And it’s no longer one rule fits all. Maybe you can talk a little bit about it.

00:07:38:09 – 00:08:11:02
Claudio Rast – Butzel-Long Practice Chair
Right? So, it’s a very interesting kind of thing in contracts where you are maybe contracting with the cloud platform for a certain service. One of the questions that’s not commonly asked is where are those servers located? What country are you? Are those servers domestic U.S. servers or are those servers in the EU? If they are in the EU, then the international laws and the General Data Protection Regulation GDPR would apply, and that has certain restrictions on the ability.

00:08:11:17 – 00:08:34:04
Claudio Rast – Butzel-Long Practice Chair
In the US. Our laws are such that we can send all kinds of data everywhere but in the EU there, they’re very strictly concerned. Privacy is considered a fundamental right. You cannot take data of an EU citizen and bring it to the U.S. without certain protections, and they’re still working on that today. That has not been resolved since July 16th last year.

00:08:34:17 – 00:08:57:02
Ron Reed – Cascade Partners CEO/Managing Director
Well, then I would say back to the financial impact of that for a buyer, a seller is these turn into liability. So, in the event that you have, for instance, information about a business or consumer or an individual a business, and they have a right for you to lose their data, for instance, people I think the phrase is the right to be forgotten and you’re still maintaining data.

00:08:57:02 – 00:09:21:04
Ron Reed – Cascade Partners CEO/Managing Director
They have they have asked you to delete. You have financial liability for that. Right. And again, that will show up in price reductions and due diligence. And the more you can get ahead of this, I think that the better you’ll be to maintain the price, both selling a business. But also, these are considerations when buying a business. You don’t want these prices to surprise you, these costs to surprise you, post-acquisition.

00:09:21:04 – 00:09:27:02
Claudio Rast – Butzel-Long Practice Chair
Right. And data, that’s not all. Data is not the same and it’s not all defined the same way.

00:09:28:00 – 00:09:28:22
Ron Reed – Cascade Partners CEO/Managing Director
Give us an example.

00:09:28:22 – 00:09:58:22
Claudio Rast – Butzel-Long Practice Chair
Well, for example, in in the EU, personal data is any information that can be linked to a human being, a natural person, they say. But in Michigan, personally identifiable information would be a Social Security number, a driver’s license number or financial information sufficient to access your account it wouldn’t be a name and an address. A name and an address would be personal data.

00:09:58:22 – 00:10:45:13
Claudio Rast – Butzel-Long Practice Chair
In the EU, every state has its own definition. Some of the same as other states, but that’s the important part of understanding the data, mapping the data, knowing what kind of data you have, where it’s stored, who owns it. And a lot of a lot of vendor contracts will say we want to own the data. And many companies don’t realize that what they’re doing in sharing that data is giving that data up to the vendors to monetize and then how they store it is important because again, from a vulnerability standpoint, if you have all your data in one big box, if that big box is stolen, you’ve lost all the data.

00:10:45:16 – 00:11:10:25
Claudio Rast – Butzel-Long Practice Chair
But if you compartmentalize that data and put your trade secrets here with certain security and some less sensitive data here with certain security and maybe just email messages about lunch dates in this box, when the threat actors enter one area, they’re not going to be moving across your network. So, the idea of knowing where your data is and mapping the data is really important.

00:11:10:25 – 00:11:14:18
Claudio Rast – Butzel-Long Practice Chair
And also, don’t retain the data you don’t need. That’s a cost.

00:11:14:27 – 00:11:43:08
Ron Reed – Cascade Partners CEO/Managing Director
Right? Well, it seems to me that so if I’m listening to this video, the most important thing, it’s much of what we’re talking about are good modern best practices for businesses and things that are, as you said, not all data is alike. Not all businesses are alike, but increasingly, there are fewer, fewer and fewer businesses that don’t somehow use cloud systems to run their operations, to either make their payroll, deal with their marketing interface with their customers.

00:11:43:24 – 00:11:47:21
Ron Reed – Cascade Partners CEO/Managing Director
And those systems increasingly have an impact on the sale price.

00:11:47:23 – 00:12:12:19
Claudio Rast – Butzel-Long Practice Chair
Right. And yet here’s another little warning bit because some companies will say, well, I don’t use the cloud because it’s dangerous. I would be concerned about those companies using their what we call on premises or on prem servers. Because those servers maintained physically in their office location are generally managed by their I.T. Department, their I.T. partners, not necessarily focused on security.

00:12:13:02 – 00:12:23:05
Claudio Rast – Butzel-Long Practice Chair
They’re focused on connectivity. They’re focused on what we call break fix. So, to say that I’m not in the cloud so I’m safe is to me a warning sign.

00:12:23:29 – 00:12:45:14
Ron Reed – Cascade Partners CEO/Managing Director
I think the takeaway from this conversation are, one, if you are dealing with any kind of cloud or any kind of i.t. Systems in your business, increasingly those how those are managed, how well or not those systems are managed will have an impact on the value of your business. If you’re whether you’re selling a business or buying a business.

00:12:45:14 – 00:12:47:29
Ron Reed – Cascade Partners CEO/Managing Director
These are considerations you really need to think about.

00:12:48:22 – 00:13:02:14
Claudio Rast – Butzel-Long Practice Chair
Absolutely. And I would say look at the board. If the board of the company you are acquiring does not have a privacy officer or a security officer, on that board, I would be careful.

00:13:03:05 – 00:13:22:08
Ron Reed – Cascade Partners CEO/Managing Director
So that’s a real good consideration. Many of the business we sell don’t even have boards of directors. So, we think about these topics when we’re doing preliminary due diligence prior to taking a company to market. And these are just the kind of things that we are increasingly worrying about. And getting ahead of so that we can disclose them early.

00:13:22:08 – 00:13:46:03
Ron Reed – Cascade Partners CEO/Managing Director
And if they’re going to impact the price, we know earlier rather than later in the diligence. Yeah, that’s how that’s a cascade part of your approach is to really make sure that we surface all the bad news, if you will, early, because some of these things, as we said, they can be addressed with insurance, they can be addressed with actual vendors, restructuring contracts, working through these topics in advance.

00:13:46:03 – 00:13:48:16
Ron Reed – Cascade Partners CEO/Managing Director
So, they don’t surprise you just as you’re trying to close a deal.

00:13:48:18 – 00:13:58:23
Claudio Rast – Butzel-Long Practice Chair
And that’s a real value add. One, that’s the trusted partner. That’s what you bring to the to the transaction, the ability, the knowledge, the experience as a trusted partner, understanding things so it’s true that.

00:13:59:15 – 00:14:02:16
Ron Reed – Cascade Partners CEO/Managing Director
Well, thanks for being here today with us, and I look forward to doing this again.

00:14:02:29 – 00:14:03:10
Claudio Rast – Butzel-Long Practice Chair
A pleasure.