Cybersecurity and data-protection in M&A using Blockchain
INTRODUCTION As the digital environment continues to grow rapidly, it is time to acknowledge that in any effort to complete a successful M&A transaction, privacy and data security due diligence of the target company is needed. In a world hurtling through one technological breakthrough after another, we are entering into an exciting-yet dangerous-new era. Privacy and data security, once overlooked in many corporate transactions, is now taking center stage. The increasing wave of cyberattacks, without appropriate safeguards, has caused governments around the globe to scramble for new ways to secure records and data from theft, damage or alteration. Nevertheless, there is one exceptional enhanced form of technology, known as “blockchain”, that might be useful to secure data from the target company before any type of merger or acquisition.
CURRENT SITUATION
Most target companies are dependent on digital data and network systems. Currently, all of a target company’s data is created, used, and stored in digital formats using internet and computer technology. This has provided companies with remarkable economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on digital records creates significant cybersecurity vulnerabilities that can result in major harm to a company and possible future M&A transactions.
Recent security incidents have made clear that no company is immune from cyberattacks. Verizon’s acquisition of Yahoo in 2017 provides a recent and high-profile example. Yahoo was sold to Verizon for a consideration of $4.48 billion in cash. However, the deal was nearly derailed by the late disclosure of security breaches in which Yahoo’s digital data was stolen by hackers, and they were capable of obtaining names, birth dates, phone numbers and passwords from users, in large part, because the central security protocol was too easy to decipher. Verizon ultimately decided to move forward with the acquisition. Nonetheless, $350 million were reduced from Verizon’s original consideration. [1]
Some experts have questioned whether Verizon would have uncovered Yahoo’s data breaches if it had done more robust due diligence. However, the question should be if the security breach would have happened with Yahoo’s use of a more sophisticated and robust form of technology.
Furthermore, the recent Equifax cyber security scandal [2] that shocked the world in September, 2017 involved the breach of sensitive information including names, Social Security numbers, birth dates, addresses, driver’s licenses, and credit card numbers of consumers’ personal data.
As a result of recent cybersecurity scandals, the New York Department of Financial Services [3] (“NYDFS”) issued a new regulation addressing cybersecurity risks and “the evergrowing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.”
Furthermore, the recent European Union’s General Data Protection Regulation [4] provides that data must not be transferred outside of the European Economic Area unless the European Commission deems that an adequate level of data protection is in place, or that another compliant data transfer mechanism is available.
The tools and techniques by which the target companies collect, store, use and transfer personal data has become instrumental in understanding the valuation and risks associated with a transaction, as non-compliance could lead to additional risks. For instance, a cybersecurity incident may result in a wide range of losses, including: (a) out-of-pocket expenses for legal advice and forensic investigators; (b) regulatory penalties imposed by authorities; (c) potential damages awarded in civil claims from consumers; and, (d) damages to market reputation and goodwill. [5]
To mitigate potential risks to the transaction, it has become usual for the buyer to include broad reps and warranties, specific indemnities, closing conditions, and pre-closing covenants concerning the areas of data privacy and cybersecurity. However, the best remedy for target companies, to avoid security breaches and broad contractual conditions in a transaction, is the adoption of blockchain.
THE ADOPTION OF BLOCKCHAIN TO PROTECT SENSITIVE DATA FROM THE TARGET COMPANY
Blockchain can be described as a distributed and immutable ledger that stores information, known as blocks. These blocks are structured in the form of a ‘chain' sequence, stored on various nodes (“computers”), which ensure that no single person or entity can manipulate the ledger without everyone else knowing. [6]
The potential effect of blockchain extends far beyond its potential use in payments, finance, and smart contracts. Now, blockchain is serving as a tamper-resistant and resilient repository for data, to modernize and increasingly secure critical data from target companies.
Blockchain operates differently than earlier forms of databases. Blockchains blend together several existing concepts including peer-to-peer networks, public-private key, cryptography, and consensus mechanism, to create a highly resilient and tamper-resistant database. This new technology has enabled the transfer of digital currencies, the management of valuable assets, and-perhaps most profoundly-facilitating the protection of sensitive records and information. [7]
Blockchain’s unique structure provides cybersecurity capabilities not present in traditional ledgers and other internet technologies. The following characteristics [8] of the blockchain architecture provide an enhanced security features that could be used by target companies:
A) Disintermediation: No single party controls a blockchain, and blockchains do not rely on one centralized party for their operation. The distributed architecture of a blockchain increases the resiliency of the overall network from being exposed to compromise from a single access point or point of failure. Hackers generally prefer to target a centralized database that, once compromised, would infect and destabilize the system as a whole. A distributed network structure, however, provides inherent operational resilience. With the risk dispersed among various nodes (i.e. computers), an attack on one or a small number of participants would not compromise the data stored in the system. B) Consensus mechanisms: A consensus mechanism requires a prescribed number of nodes to reach a consensus on whether a new block of data is valid and suitable for inclusion in the shared ledger. Consensus mechanism makes it possible for a distributed network of peers to record information and data without the need to rely on any centralized operator. Thus, consensus among network participants is a prerequisite to validating new blocks of data, not allowing a hacker to corrupt or manipulate the ledger. C) Resiliency and Tamper Resistance: The technological design of blockchain makes it materially impossible to change or delete information. No single party has the power to modify or roll back stored data. D) Transparent and Nonrepudiable Data: Information maintained on a blockchain is authenticated and the use of digital signatures serves as evidence that an account has allowed the operation. Blockchain also provides participants with enhanced transparency, making it much more difficult to corrupt blockchains through malware or any type of manipulative action. E) Public-Private Key Encryption and Digital Signatures: Blockchain employs multiple forms of encryption at different points, providing multilayered protections against cybersecurity threats. Participant access rights are secured through asymmetric-key cryptography or public/private key encryption. The linked lists or blocks are also encrypted by a combination of cryptographic hashing and digital signatures.
As the worldwide web and technology continues to develop, more data gets produced and more hackers will attempt to steal or corrupt that data. However, by implementing rigorous encryption and data distribution protocols on blockchain, target companies can ensure that their information will remain safely intact and out of the reach from hackers.
PRACTICAL APPROACH
Buyers need to assess cyber security carefully during the due diligence phase because the contingencies can be significant and, materially affect the valuation of the target company. However, the target company should adopt enhanced forms of technology to reduce massive liabilities such as expensive consumer class action litigation, intrusive government investigations, hefty remediation costs and other expenses, even before a transaction is concluded.
Cybersecurity principles and controls from existing laws, regulations, and industry guidance are critical components to an effective cybersecurity program using blockchain. For example, the United States National Institute of Standards and Technology (“NIST”) published a Framework for Improving Critical Infrastructure Cybersecurity [9], which was updated in December 2017.
The Framework describes five broad functions – identify, protect, detect, respond, and recover – that define the high-level goals of any cybersecurity risk management program. In most instances, blockchain will facilitate the goals and activities specific in the functions and categories. For instance, the ability to create strong encryption protocols for a blockchain is consistent with the Framework’s emphasis on protective technology solutions that are designed to ensure the security and resilience of data stored.
For example, it was recently announced that General Electric Ventures, the investment branch of General Electric, invested in Xage [10] , a blockchain security startup based in Silicon Valley. Now, the start-up is valued at about US$35,000,000.00 [11] . Xage provides an example of how blockchain detects anomalies in cybersecurity and that signal will be shared through the distributed system, preventing a hacker from spreading through the network.
The use of a centralized architecture and simple logins, passwords, and captcha systems are the big weakness of conventional systems. No matter how much money an organization throws in cybersecurity, all these efforts go in vain if there is one single point of access that is easy to decipher. However, with blockchain, the security system provides each device with a specific private key instead of a password, which makes it virtually impossible for attackers to use fake accounts.
HOW BLOCKCHAIN COULD WORK FOR CYBERSECURITY IN M&A
Blockchain is designed in a way that if someone who is not the owner of the data in the “block” (such as a hacker), attempts to tamper with a block, the entire system examines each and every data block to locate the one that differs from the rest and is an obstacle for a complete, accurate and validated chain. If this type of block is located by the system, it simply excludes the block from the chain, recognizing it as false.
Furthermore, every data entry, transaction, or block added to a blockchain is timestamped and signed digitally. This means that target companies can verify what happened at a particular time period and locate what, when and who attempted to compromise the system. This blockchain’s functionality increases the system’s reliability as every transaction is associated to a user at a given period of time.
According to a recent article by the U.S. Chamber of Commerce, “Cybersecurity poses a threat to all businesses, but it is particularly challenging for small businesses” [12] . This means that plenty of target companies are susceptible to a cybersecurity breach. Many target companies do not have the resources, infrastructure, or knowledge to install an enhanced fortress of software and security protocols. Furthermore, no target company is “too big to fail” when it comes to cybersecurity. This creates a serious problem for M&A transactions because many of the deals generally happen between large and small privately held companies.
However, if target companies engage in the active the use of blockchain for cybersecurity purposes the target company could secure their data with the following seven steps:
The target company recollects the data which is sharded by the system. [13]
The data that has been sharded is duplicated for the user’s node.
The data is encrypted. [14]
The data is distributed around the nodes of the peer-to-peer network (i.e. blockchain), for validation.
Then, participants of the blockchain validate the information by hashing [15] the block.
The data is finally recorded in the blockchain, rendering the record tamper-proof.
BENEFITS OF BLOCKCHAIN FOR CYBERSECURITY IN TARGET COMPANIES Target companies should embrace blockchain for data storage and cybersecurity, which could have tangible results on the company. In first place, distributed storage is much economical than maintaining servers, hardware and expensive equipment. Furthermore, the use of blockchain is cheaper that using a cloud storage solution such as the ones provided by Amazon, Microsoft, and Google.
Secondly, using sharding and encryption to distribute pieces of data across nodes, makes stealing and compromising the data more difficult. That means that, even if a hacker gains access to a single node, they will only have a piece of data and will be more complicated, time-consuming, and expensive than hacking into a centralized database.
Thirdly, it is important for target companies to experiment blockchain-based data storage, to avoid broad reps and warranties, specific indemnities, closing conditions, and pre-closing covenants concerning the areas of data privacy and cybersecurity imposed by the seller.
CONCLUSION
In general, blockchain technology today focuses mainly on cryptocurrency and fintech. Yet, target companies needs to look beyond that, and realize how businesses can take advantage of this technology for cybersecurity purposes.
With everything from democratic elections to Yahoo email accounts being targeted by hackers; it makes sense to improve cybersecurity for target companies with an enhanced form of technology. While no technology is completely secure, target companies have not given blockchain a chance. For blockchain technology’s early adopters and evangelists, it feels a lot like the internet frenzy in the early 1990s. However, blockchain’s practical applications are limited only by the imagination and effort of dreamers who will use this technology to transform their companies and better protect future mergers or acquisitions.
Technology is no longer a luxury; it is increasingly becoming a necessity. The pace of technological change is accelerating, the innovations cycles are getting shorter, and new technologies are adopted at lightning speed. Target companies require a reorientation of perspectives along with the adoption of blockchain technology. New technologies can ease transaction costs in any merger or acquisition, generating opportunities for better deals. However, in order to improve M&A deals, a tradition of innovation has to be embraced.
Notes
[1] Fiegerman, Seth. Verizon cuts Yahoo deal price by $350 million, February 21, 2017, available at: [https://money.cnn.com/2017/02/21/technology/yahoo-verizon-deal/index.html]
[2] McCrank, John and Finkle, Jim. Equifax breach could be most costly in corporate history, March 2, 2018, available at: [https://www.reuters.com/article/us-equifax-cyber/equifax-breach-could-be-most-costly-in-corporate-history-idUSKCN1GE257
[3] See. Cybersecurity Requirements for Financial Services Companies, New York State Department of Financial Services (23 NYCRR 500), available at: [https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf] [4] See. General Data Protection Regulation, European Parliament and the Council of the European Union (Regulation (EU) 2016/679), available at: [https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32016R0679]
[5] Samengo William and Parker, Nigel. Cybersecurity: considerations for M&A practitioners, April 1, 2018, available at: [https://uk.practicallaw.thomsonreuters.com/w-014-3753?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk&bhcp=1]
[6] Thompsons, Josh. Blockchain: The Blockchain For Beginners Guide To Blockchain Technology And Leveraging Blockchain Programming, CreateSpace Publishing, 2017,
[7] Mougayar, William. The Business Blockchain, John Wiley & Sons, Inc. New Jersey, 2016, p.124
[8] De Filippi, Primavera and Wright, Aaron. Blockchain and the Law- The Rule of Code-, Harvard University Press, Massachusetts, 2018, p. 33
[9] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Revised December 5, 2017, available at: [https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf]
Infrastructure Cybersecurity, Revised December 5, 2017, available at: [https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf]
[10] Available at: [https://xage.com/]
[11] Kuchler, Hannah. GE backs blockchain cyber security start-up, July 22, 2018, available at: [https://www.ft.com/content/fe6930cc-8c29-11e8-bf9e-8771d5404543]
[12] U.S. Chamber of Commerce, Majority of Small Businesses Concerned about Cybersecurity Threats, August 23, 2017, available at: [https://www.uschamber.com/press-release/majority-small-businesses-concerned-about-cybersecurity-threats]
[13] Sharding is the process of cutting down horizontal fractions of data.
[14] Encryption is the process of encoding a message or information in such a way that only authorized parties can access it if they have access to a decryption key.
[15] Hashing is the process of taking an input of any length and turning it into a cryptographic fixed output through a mathematical algorithm.
About the Author Mauricio Duarte is an Attorney from Guatemala City, with a J.D. from Universidad Francisco Marroquín and an LL.M. Degree in U.S. Law. As a young associate of QIL +4 Abogados, Mr. Duarte has worked in cases involving international investment for energy infrastructure, international arbitrations, and other complex international matters.
Mr. Duarte currently serves as a Professor and an active coach in International Moot Court Competitions. He has been an active proponent of the use of technology, especially Blockchain, in the legal industry and is a member of the TAG Alliances Blockchain & Cryptocurrency Specialty Group Members.
