By Gail Crawford, Mark Sun and Katie Campbell


Amid a growing number of high-profile corporate data breaches, cybersecurity is now a key issue for strategic acquirers. The hack of Yahoo, which came to light midway through its 2016 takeover by Verizon, resulted in a US$350 million purchase price reduction. The true extent of the hack has only recently been uncovered, demonstrating how damaging a large-scale data leak can be. With state-sponsored actors and opportunist hackers at work, and recent cyberattacks specifically aimed at obtaining inside information about transactions, a target’s cybersecurity must be front of mind. In our view, deal teams must consider how a data breach could impact a potential acquisition, before, during and after a deal.

Preparing for a Transaction — What Should M&A Deal Teams Scrutinise?

M&A deal teams must identify a target’s cyber assets and review security protocols and cyber defences, emphasising thorough technical due diligence. Diligence should include how data is stored and managed, where it is handled, and the data security measures implemented by third-party service providers. Acquirers should assess data sets including personal information, focusing on why information is being stored and whether storage is necessary and proportionate.

Acquirers should be alert to red flag issues; for example, lack of awareness about data protection and cyber issues; poor employee training on data security; failure to keep records of historic breaches; and regulatory investigations. Addressing poor practices post-close requires time and resources — buyers may prefer to factor costs into the purchase price, or require pre-closing remediation.

By Gail Crawford

Cybercrime has become a critical issue for buyout firms as hackers are increasingly targeting sensitive business data to profit from insider knowledge. According to a Private Funds Management survey of 91 PE houses, 54% of PE firms said they had been hit with a cyberattack, while 45% said cybersecurity was a high threat to business operations. Despite this, 66% of PE firms said their cybersecurity programme was only partially implemented.

Buyout Firms Are Vulnerable


If a PE firm falls victim to a cyberattack, highly sensitive information is likely to leak. This is problematic, especially in cases of listed buyout firms where performance data will be market sensitive, or in public-to-private transactions where any leak is price sensitive. Even where entities are not listed, buyout firms hold valuable information, not only on acquisition targets and portfolio companies, but also on their investors, which may include sovereign wealth and pension funds.

In our view, cybersecurity needs to be a priority for PE firms. However, many PE firms may have a limited number of IT support staff and a small budget to fight cybercrime. In order to combat the growing threat, this will need to change.

By Christian McDermott, Calum Docherty, Stuart Davis and Anne Mainwaring

The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).

The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It attacked hospitals, telecoms networks and universities, seizing hold of important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will come into force across the EU from 13 January 2018. As such, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment services providers (PSPs) to mitigate the concomitant payment processing risks.

The consultation paper is one of the EBA’s three security mandates in PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption 23 February 2017), and the Guidelines on Major Incidents Reporting (which recently finished its consultation).

By Sophie Lamb and Samuel Pape

The latest global ‘WannaCry’ attack has again brought to the fore the need for sovereign and private parties to have in place adequate cyber-security measures and response plans to deal with cyber-attacks, including in the context of international arbitration. As attackers are becoming increasingly resourceful in their ability to exploit vulnerabilities, it is critical that participants in arbitration play their part in mitigating against this type of risk, particularly where sensitive information is involved and large sums are at stake. Even the arbitral institutions themselves are not immune, as was evidenced by the hack on the Permanent Court of Arbitration’s (PCA) website during a hearing of a high profile maritime border dispute.

The increase in transparency in investor-State arbitration through the publication of case documents during the proceedings might provide new opportunities for hacktivists to interfere with the arbitral process. For example, hacktivists could use a form of social engineering that would involve impersonating a tribunal chairperson based on information from published procedural orders for the purposes of eliciting confidential information from the parties or co-arbitrators. This type of ‘social engineering’ has become a common method of attack and has supplanted the more basic forms of phishing attempts. Cyber-attacks can only be thwarted if all participants in arbitration remain alive to this type of threat.

By Jennifer Archie and Hanna Roos

Cyber security breaches are now an everyday reality permeating all aspects of business and private life, including the world of international commercial and investment treaty arbitration. These breaches can relate to the subject matter of the dispute, communications between parties and their counsel or between tribunal members, or the website and IT systems of the parties or the arbitral institution, among others. Hanna Roos and Jennifer Archie recently published a note for Practical Law

By Gail Crawford and Christian McDermott

The recent cyberattack on Tesco Bank’s IT systems has prompted Rt Hon. Andrew Tyrie MP, Chairman of the Treasury Committee, to call on regulators to take action against vulnerable bank IT systems:

Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly. We can’t carry on like this.

The call follows earlier correspondence on this topic between Andrew Tyrie, various major UK banks, the FCA and the PRA.

By Lex Kuo, Hui Xu, Gail Crawford, Jennifer Archie and Serrin Turner

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first comprehensive Network Security Law (also referred to as the Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities which access the internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017. Key requirements of the new law are set out below:

By Jennifer C. Archie, Gail Crawford, Andrew Moyle, Serrin A. Turner, and Brian Meenagh

Hacking of organisations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident a company with a rehearsed plan can avoid delays and mistakes, minimize conflicts between functions, and ensure regulatory, legal and contractual reporting requirements are met.