Security and Diligence for IPO, Acquisition, or Sale

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

🚀 As explained by Laura

While we may not focus on it very often and we certainly don’t talk about it a lot, most growing companies are trying to get somewhere very specific. For most companies, this means an IPO, an acquisition, or a sale.

It’s tempting to think that this “ending” also ends your need to focus on security. After all, all going well, your company is entering a new phase, perhaps even under new ownership.

There are parts of the exit and acquisition process, however, that have a significant relationship to your security program, and it’s worth taking a look at some of these key events and considerations.

Danger: Company sales, IPO, and acquisitions require very specific legal support and advice. The guidance in this section is from a security perspective, not from a legal perspective. You must consult a lawyer from your operating jurisdiction to ensure that any actions you take in this process are legal and in the best interest of your company. This section represents a list of things to consider and think about, and does not represent legal advice.

Financial Due Diligence and Warranties

If you have read Part III of this book, you will remember that there are two main types of due diligence your company is likely to encounter: customer due diligence and financial due diligence. While they share the same objective, they work slightly differently. We cover customer due diligence in Part III, and we will take a look at financial due diligence now.

Definition: Financial due diligence is the systematic process whereby an enquiring party who has (or is planning to hold) a financial interest in a legal entity examines the behaviors and financial situation of the organization. This process aims to assess the operating health of the organization, the potential for growth and return on investment, and any risk that the organization carries that may be inherited by the new owner or investor.

Financial due diligence is not specific to security and it is used widely throughout the financial services industry to ensure that risk is managed and assessed appropriately before significant transactions take place.


In recent years, cybersecurity has started to play a role in this financial due diligence process, with specific review sections included to assess the maturity of an entity’s security program, product, and operations.

Customer Due Diligence versus Financial Due Diligence

During customer due diligence, the aim is for your potential customer to decide whether the risk they will inherit from using your product or service is acceptable in relation to their security expectations and risk appetite. If a customer decides this is not acceptable, they will not buy. If they purchase your product and later decide the risk has changed, they can revisit this decision and may choose not to renew their contract or ask for a change in the product or operations.

Misrepresentation in customer due diligence may lead to poor customer relations, lost customers, and lawsuits; however, these are limited to the terms agreed in your operating terms of service and often have a fixed maximum limit of liability.

In financial due diligence, things are quite different.

Financial due diligence is the precursor to investment, company purchase, IPO, or acquisition. These are significant transactions that involve material sums of money. If an investor chooses to fund your organization and finds that the information they received in financial due diligence was incorrect or misleading, the consequences for your company (and you as a company director) can be significant.

While these consequences will differ from deal to deal and country to country, they will often include things like:

  • Directors being held legally and financially liable for any claims made against them in relation to information provided during due diligence that was found to be incorrect or misleading.

  • Directors or executives losing their role in the organization.

  • Forfeiting any shares or payments held back or with a vesting period.

The claims or promises made during the financial due diligence process are known as warranties.

What Is a Warranty?

Definition: A warranty is a claim or promise made by a seller. During large financial transactions, the buyers or investors will often ask for a series of warranties to be included in the contract. These warranties are a set of promises the seller must ensure are met or true for the contract to be honored. They must be met at the time of contract completion and may need to be maintained for an agreed period of time after the completion date.

Warranties give the party receiving them (in most cases the buyer or investor) the right to sue for damages if the warranty is breached and the breach causes loss or liability. In short, these fundraising and exit events will require you to make legally binding commitments regarding aspects of your business.

Increasingly, cybersecurity is included amongst these warranties, and as such we need to know how to stay safe and meet our warranty obligations, for our company’s success (and our own).

What Can a Cybersecurity Warranty Ask For?

  • The cybersecurity program and details you provided when asked were accurate, truthful, and up to date.

  • Your systems or products have been validated, audited, or reviewed by a qualified third-party organization and the results were accurately made available on request.

  • You are not aware of any previous, current, or potential security incidents or risks that may materially affect the organization that have not otherwise been disclosed to the buyer/investor.

  • The software and components you use to build your product are appropriately licensed, up to date, and managed within their terms and conditions.

  • Any IP that is included within the deal is suitably protected, and auditable information is available to confirm these protections and any access to these resources, documents, or systems.

Firstly, as mentioned above, this is not something to mess around with. Talk to your lawyer and let them help you navigate this process. It is their job to help you stay safe.

Important: Some tips on how you respond to a cybersecurity warranty request:

  • Like any other claim, promise, or decree in contract law, your responses to warranty checks should be in writing. If you do verbally discuss something, ensure that you also document and share a written statement (and that the two statements match).

  • Answer only the specific questions asked as part of the warranty. Remember, they don’t want to know everything about everything, they are asking very specific questions. If you are not clear about what they are asking, clarify before responding.

  • Tell the truth but keep it short and sweet. There is no need for qualifying or justifying statements when responding to warranty questions. You either meet the promise or you don’t. Your lawyer will help you answer in a way that is specific and accurate.

Remember that risks you escalate during financial due diligence have to be managed and accepted by the buyer. Before you raise a risk, be explicitly clear about the severity, impact, likelihood, and scope of the issue. Your investor or buyer may be taking on director’s liability for your organization, so they will inherit (and have to resolve) any risks they know about. Keep it focused and use the skills we learned in How to Handle Common Security Events to help you communicate.

Security Concerns When Downsizing

🚀 As explained by Laura

Throughout this book, we have often assumed that your business is growing. However, we know things don’t always work out that way. Sometimes you have to scale your business down, and downsizing brings different risks and decisions to make. We speak from experience on this; SafeStack has been around for over seven years now, and we’ve had to scale down and change a few times before we got to where we are now.

This uncertainty triggers our fight for survival. You may not be directly thinking about security—but the risk is still there. There may be employees you have to let go, accounts and services you need in order to continue to operate, and expenses you need to cut back on.
