
Cyber Security in Banking M&A

Cybersecurity and cyber compatibility used to be the last thing on the mind of a buyer in a banking M&A. But the bank robber has evolved from a cowboy chasing a train into a technician on a couch in a non-extraditing country, risking no hail of bullets, and that evolution has snowballed into multimillion-dollar cyberthefts in the past couple of years, with single thefts reaching almost a billion dollars and creating new professions and jobs for a deft cybersecurity workforce. 


Acquiring a bank has gradually turned into acquiring a massive body of digital data, with all the past and future security issues that data presents. There is little doubt in the market that banking products in their entirety will soon be confined exclusively to digital space, in an industry where bankers are already used to being an a priori high-risk target. 


Stringent regulation has begun to pile up, and the demand for a hybrid between a lawyer and a hacker is about to upend law schools' traditional "no-STEM" approach. The steady stream of high-impact, high-profile breaches, with regulatory fines in the hundreds of millions of dollars, has moved cybersecurity from a niche worry to a front-line business concern. 


For a bank, a data breach can lead to mandatory notification of millions of customers, exorbitant fines, loss of business and a PR nightmare, and it can trigger a material adverse change (MAC) clause in an M&A deal.  


To summarize the patchy cyber regulation (see the sidebar), current compliance requires not just comprehensive written security policies and protocols, but continuously developing programs: a living, well-maintained, agile mechanism that keeps an organization on its toes, continuously adapting to cyber risks and, better still, anticipating and preventing attacks and failures, including those originating from insiders.  


Ironically, the means for discovering vulnerabilities, building effective defenses, closing security holes and tracing a breach are cutting-edge technologies, and banks, conservative by nature, are not equipped to lead as high-tech think tanks, even though they are far more advanced than most other retail businesses. The technical edge of nimble, malicious actors will likely outpace any improvements in banks' defenses. 


Most commonly, a victim or a buyer discovers an attack only when it is reported by third parties, and often long after the closing of an acquisition. Absent a seller's breach of representations and warranties, it may simply be that "companies often do not discover a data breach" or a compromise of their digital assets "until an extended period of time after they have been hacked." 


Practitioners know that there is no such thing as perfect information security; cybersecurity will always be relative. For instance, the idea that a bank's own hardware in the basement or in a nearby data center is more secure than a shared cloud is an illusion; it may well be the opposite.


A legal team leading a merger must have a sufficient grasp of the foundations of relationships with third parties and providers. Legal risks flow naturally from the fundamentals of essential services like cloud computing and their shared-responsibility contracts, even when provided by market leaders like AWS and Azure. 


Their very systemic advantage, spreading the load across shared hardware through what is called "virtualization" or, more recently, "containerization," means "multi-tenancy": many customers' workloads share the same physical memory and compute in one "digital estate." A flaw in that isolation potentially provides a way from one tenant's container or virtual machine into the others sharing its resources.  


But even more often, human error is the prevailing flaw of any security system, for instance when personnel mistakenly designate a storage repository as public rather than restricting access, and time passes between that designation and its discovery. In an environment where the balance hangs between two evils, overly permissive permissions and overly restrictive permissions, configuration remains purely the customer's responsibility, and in banking there are no simple solutions or perfect models to adhere to or to shift responsibility to. 
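As an added example, not part of the article, the following Python checks whether an object-storage bucket has been left public the way the preceding paragraph describes, through its policy or its ACL, and shows the mistaken grant beside a corrected one. The bucket name, account ID, role name, policy documents and grants are constructed for illustration; the document shapes follow AWS S3 bucket policies, ACL grants and the bucket-level Public Access Block settings, and the way those controls override each other is modeled in simplified form.

```python
"""Flag object-storage buckets that have been left public by mistake.

Added example, not from the article. The document shapes follow AWS S3 bucket
policies, ACL grants and the Public Access Block settings; the bucket, account,
role, policies and grants below are constructed for illustration, and the
override logic is a simplified model of how those controls interact.
"""

# ACL grantee groups meaning "anyone" (AllUsers) or "anyone with any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a policy Principal element ("*", {"AWS": ...} or lists) to strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements granted to the wildcard principal.

    Statements carrying a Condition are skipped: a wildcard principal limited by,
    say, a source VPC endpoint is not open to the world, but it needs a human
    reviewer rather than an automatic verdict.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public grantee groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def assess_bucket(name, policy, acl, public_access_block):
    """Decide whether anonymous callers can reach the bucket.

    Simplified model: an existing public policy is neutralised by
    RestrictPublicBuckets and an existing public ACL by IgnorePublicAcls; the two
    Block* settings only stop new public grants from being written, so they are
    not consulted for an exposure that is already in place.
    """
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    policy_open = bool(policy_hits) and not public_access_block.get("RestrictPublicBuckets", False)
    acl_open = bool(acl_hits) and not public_access_block.get("IgnorePublicAcls", False)
    return {
        "bucket": name,
        "public": policy_open or acl_open,
        "policy_findings": policy_hits,
        "acl_findings": acl_hits,
    }


# Constructed sample: the "just make it public" grant the article describes ...
MISTAKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareStatementsWithBranch",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bank-statements/*",
    }],
}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
NO_BLOCK = {}

# ... and the corrected version: a named role instead of "*", with the block switched on.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareStatementsWithBranch",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/BranchStatementReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bank-statements/*",
    }],
}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pol, acl, blk in [("mistaken", MISTAKEN_POLICY, PRIVATE_ACL, NO_BLOCK),
                                 ("corrected", CORRECTED_POLICY, PRIVATE_ACL, FULL_BLOCK)]:
        print(label, assess_bucket("example-bank-statements", pol, acl, blk))
```

The point of the third input, the Public Access Block, is the "time passes between designation and discovery" problem: an account-wide block turns a mistaken public grant into a harmless one before anyone notices it, which is why a buyer's review should ask not only whether any bucket policy is public but whether that account-level backstop is enabled at all.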


As a buyer, a bank needs a team of talent capable not only of evaluating but of conveying and presenting to the buyer's board all of the following, to enable an informed determination. The decision-makers must have sufficient input, a combination of raw information and expert evaluation drawn from an extraordinary array of security tools and technology, security standards, guidance, best practices, catalogs of security controls, security checklists, benchmarks, recommendations, training and certification requirements, vulnerability databases, and more. 


A buyer's information would be negligently incomplete without additional intelligence, including information dug from the "dark web," threat-sharing networks, feeds, reports and alert services, and sometimes even from informants and whistleblowers. 


All of this presumes that the decision-makers are already sophisticated in corporate compliance, data breach regulations, cybersecurity requirements, risk management frameworks and security regimes, and are actively managing established, agile and adaptive compliance and cybersecurity programs in their own financial organizations. 


The acquiring management may also start by asking its legal cyber team to present and highlight the target's deficiencies and discrepancies as compared with the buyer's own cyber compliance, to understand and visualize the risks and compatibility of the purchase. 


Sometimes the target is more willing to provide full access to the financial skeletons in its closet than to its hardware or software, and protocols for such access have not yet become a solid part of merger agreements, because in most cases systems integration begins only after the legal merger is completed. 


Planning the integration takes many months, effectively delaying the merger in fact well beyond the legal merger. Even the smallest banking target with a basic retail business will be using multiple applications for loans, risk management, anti-fraud and anti-money-laundering functions, online banking, treasury, clearing and many other functions, each of which presents a unique software and hardware engineering project with heightened risks of service interruptions and cybersecurity incidents.  


It still happens that only at the actual merger and systems integration do the quarrels between the technical departments arise, and lawyers run back to the board to draft and redraft integration procedures to accommodate the demands of some gang of hooded engineers trying to get into the seller's precious and, allegedly, pristine NASA-style control center of everything.  


It would be interesting to see whether one day even a major data breach will no longer be a paralyzing MAC event for a banking M&A, treated instead as an ordinary business factor in the balance of inevitable risks and the calculated probability that the buyer's own data will be attacked sooner or later, with no viable guaranteed protection available. 


By Aida Poulsen

Regulation of cyber security

Data breach and cybersecurity obligations are part of global corporate compliance, alongside the world's many laws and regulations on anti-bribery, anti-corruption and anti-terrorism programs, which rely on the same liability principles. 


The current legal environment presents no overarching federal cyber law, and the two traditional federal statutes that relate to the financial sector require only a "reasonable" level of security, with their vague language leaving much room for interpretation. 


The Gramm-Leach-Bliley Act (GLBA) of 1999 was passed to modernize the financial sector, recognizing that mergers between different sectors of the financial industry would result in consolidated institutions with unprecedented access to consumers' private data; its Safeguards Rule is what requires financial institutions to protect customer information. The 2002 Homeland Security Act included the Federal Information Security Management Act (FISMA), which governs the security of federal agencies' information systems and reaches a financial institution only where it operates systems on behalf of an agency. 


For example, FISMA "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security." Neither statute addresses computer-related industries such as internet service providers and software companies.  


More recently, several new cybersecurity laws, as well as amendments to the older ones, were introduced for a better security ecosystem. Among them are the Cybersecurity Information Sharing Act (CISA), enacted as Title I of the Cybersecurity Act of 2015, which enhances the sharing of information about cybersecurity threats, and the Cybersecurity Enhancement Act of 2014, which provides for a voluntary public-private partnership to improve cybersecurity research and development. 


The Department of Commerce's National Institute of Standards and Technology (NIST) provides a voluntary, risk-based Cybersecurity Framework: a set of industry standards, best practices and guidelines developed by organizations such as NIST and the International Organization for Standardization (ISO). 


The Framework calls this compilation the "Core," composed of five concurrent and continuous functions, Identify, Protect, Detect, Respond and Recover, which together form the lifecycle of an organization's management of cybersecurity risk. 


Each function is divided into categories tied to programmatic needs and particular activities, and each category is broken down into subcategories that point to informative references, citing specific sections of standards and guidelines. 


For most technologists in finance the NIST framework might seem too basic, since banks' own programs are far more elaborate, but it still makes sense for a legal team in a merger to compare notes against these guidelines, for the sheer comfort of assurance that nothing is missing from their sophisticated, cutting-edge client's program. 


In 2018, California jumped ahead of other states with a bang, catching up with and even surpassing 23 NYCRR Part 500, promulgated by the New York Department of Financial Services (a New York regulation establishing cybersecurity requirements for financial services companies). 


The California Consumer Privacy Act of 2018 (CCPA) largely follows in the footsteps of the most stringent regime to date, the General Data Protection Regulation (GDPR), which covers the data of any individual in the European Union. 


Like California's regulation for the Internet of Things (IoT), the CCPA became operative on January 1, 2020. To comply with the CCPA, businesses need to, among other things, disclose to consumers the details of their data collection.