Top Tips to Prevent or Reduce the Impact of Cyber Incidents in Mergers & Acquisitions
Selling and purchasing a business presents many challenges for both the seller and the buyer, but it’s important that data privacy and cybersecurity concerns aren’t lost in the due diligence process. In an increasingly digitized world, all businesses face data privacy challenges that further complicate the process. While larger businesses may be more likely to take privacy and cyber issues into consideration, smaller businesses face similar challenges. Here are our top tips for smaller businesses to reduce the chances of data privacy issues arising during the sale or purchase of a business:
Insurance: Make sure the business you are selling or buying is insured for cyber incidents and that there are no coverage gaps. It is essential to avoid a situation where the seller’s policy has been canceled or expired and the buyer’s policy is not yet in effect. While there are costs associated with maintaining policies, doing so is worth it. According to Hiscox’s Cyber Readiness Report, cyber incidents cost small and medium businesses on average $200,000. This is only an estimate, and expenses can and do exceed this amount. Make sure purchase agreements require policies to be maintained. Where both the seller and the buyer have cybersecurity policies, consider the effects of holding overlapping policies and try to determine in advance which policy will cover which expenses so that if an incident occurs, both sides have a plan of action.
Remote Access: These days, remote access is critical to maintaining business operations, and employees working from home likely rely on it. The sale is a transition that affects not only your hardware but also your network, so make sure you secure remote access to your environment. Consider implementing multifactor authentication on virtual private networks (VPNs), protecting remote desktop protocol (RDP) with strong passwords that include complex elements like special characters, and using firewall controls to limit which internet protocol (IP) addresses can access the business's network environment.
Phishing: Where employees are being integrated into another business, ensure that they have tools to recognize which emails are legitimate. Ensure that employees at both businesses are trained on recognizing phishing emails designed to give malicious actors access to sensitive business information. Consider providing employees with a green list of email addresses from which legitimate communications regarding the sale will come.
Where emails relate to financing, confirm all information through a phone call before issuing any payments. Malicious actors that do gain access to email environments often attempt to divert transactions to their own financial accounts. By establishing a protocol prior to issuing funds, businesses can minimize the risk of losing funds to such malicious actors.
General Hygiene: In the (sometimes chaotic) sales process, general cyber hygiene should not be neglected. Software used by the business should be patched when security patches become available. Any unused accounts, like those of former employees, should be disabled promptly. These steps not only minimize the chances of a cyber incident but also assist with operations.
This advice will help purchasers ensure that they can hit the ground running and will help sellers avoid hassles after a sale has gone through. It is important that both parties communicate and clearly allocate costs and responsibilities for data privacy and cybersecurity issues. Taking these precautionary measures can help avoid extra costs and ultimately assure more harmonious relations between buyer and seller.