The New York Department of Financial Services (“NYDFS”) recently issued guidance for its covered entities[1] highlighting the importance of cybersecurity as a necessary part of M&A due diligence. This guidance comes in the greater context of the Yahoo! SEC resolution to demonstrate that regulators are paying close attention to the cybersecurity risks posed by mergers.  According to the NYDFS Frequently Asked Questions page, its Covered Entities are expected to conduct “a serious due diligence process” and “cybersecurity should be a priority” when acquiring or merging with a new company:

Section 500.09(a) states that the ‘Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.’  Furthermore, Section 500.08(b) states that the institution’s application security ‘procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.’  As such, when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition.  Some important considerations include, but are not limited to, what business the acquired company engages in, the target company’s risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems.  The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.

Depending on the merging parties, the cybersecurity due diligence that Covered Entities may be expected to conduct could include the following:

  • Nature and Use of Target’s Data, including where that data is held, whether it is subject to particular regulatory requirements (e.g., HIPAA, GDPR, etc.), and how and for what purposes it is used or shared.
  • Internal Management and Governance, including the assessment of cybersecurity personnel and reporting lines, board oversight, crisis management procedures, how prior cybersecurity events were handled, testing of cybersecurity policies, results of vulnerability assessments and audits, training, budgets, and cybersecurity insurance.
  • Third-Party Relationships, including vendor management and contract terms, data transfers to third parties, reporting obligations, responsibility sharing, and regulator and law enforcement relationships.
  • Cybersecurity Systems, including access controls, network segmentation, patching procedures, backup testing, password policies, mobile device security, encryption, threat monitoring, and two-factor authentication.

The Davis Polk Cyber Portal, available now by subscription, has many resources to help clients with cybersecurity compliance, and other resources to help assess cybersecurity risk, including model Cybersecurity Due Diligence Questions and Cybersecurity Checklists.  If you have questions about the Portal, please contact cybersecurity@davispolk.com.

Also, please join us for a Webcast discussing GDPR and its impact on M&A transactions on May 24, 2018 at 12:00 pm ET.

[1] “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01(c).