
*Special In-Depth Review* Cybersecurity Considerations for ESOP Companies and Professionals

By Holly Jones, Maselan & Jones, P.C.
Cyber Security

Executive Summary

On April 14, 2021, the DOL issued guidance on cybersecurity practices directed at plan sponsors, plan fiduciaries, record keepers, and plan participants. Cybersecurity has emerged as a growing concern in our personal and professional lives. The risks and associated costs of a cybersecurity incident are becoming increasingly central to company valuations as professionals look to find and measure potential threats faced by companies. In the context of an ESOP transaction, it is especially important that a company’s cybersecurity profile is evaluated, risks are addressed, and the consequences of an incident are understood.

I. Background

As cybersecurity concerns continue to grow, businesses and individuals are investing more time and money into safeguarding information. Cybersecurity is the practice of protecting systems, networks, and information from digital attacks, which may originate inside or outside a network.1 Attacks fall into several categories, some of the most recognizable being malware, ransomware, and phishing schemes.2 Cybersecurity concerns have significantly changed business practices, with organizations and executives prioritizing the prevention of cyber incidents.3 While many people understand the gravity of a cyber incident, most lack the technical expertise to understand exactly what one entails and how to prevent it. Adding to this broad lack of understanding, both the price of preventative measures and the costs of an attack are difficult to quantify. Time, money, and personnel are dedicated to preventing a potential breach; software and services are combined to defend networks; insurance policies are purchased in the hope of minimizing damage after a breach. Together these resources aim to provide maximum security, but in doing so they produce little measurable data beyond the absence of incidents.4 Similarly, it is difficult to determine, with any confidence or precision, the financial impact of a company’s cybersecurity practices and risks on its overall value.

Despite the complex and elusive nature of cybersecurity, it has become clear that developing good practices is critical to business management, much as a digital presence has become essential to so many businesses. An estimated $5.3 trillion in private-sector value was driven by cybersecurity from 2015 through 2024.5 Investment in deploying and maintaining best practices has allowed businesses to cultivate innovation and growth, which account for a majority of that attributed value.6 Despite the risks of an attack and the benefits tied to robust cyber policies, half of US businesses continue to operate without a cybersecurity plan in place.7 This is no longer a sustainable business decision in a time of unprecedented cyberattacks, which continue to grow in number and sophistication.8 Although the importance of this investment is widely acknowledged, many businesses report insufficient cybersecurity budgets, underdeveloped processes, and outdated procedures, despite the fact that preventative costs are dwarfed by the potential damage of an incident.9

Notably, the pandemic has forced businesses on both ends of the size and sophistication spectrum to adapt to remote work, an adjustment accompanied by a significant reduction in company security due to a lack of control over remote employees’ networks and practices.10 While reported statistics vary, it is universally accepted that a significant portion of breaches stem from human error or carelessness.11 Employees use weak or reused passwords, lose track of devices, and work on shared or vulnerable networks.12 Despite this increased risk of exposure, only a fraction of small and medium-sized businesses have reported changing their cybersecurity practices since the onset of the pandemic.13 With this increased vulnerability, businesses can no longer afford to operate in the hope that they will not be affected by a breach; they must instead operate under the assumption that an attack is inevitable.

Trends in litigation underscore the importance of good cybersecurity hygiene. Companies dealing with the aftereffects of a breach may experience business disruption, reputational damage, and lawsuits from individuals affected by the attack. Having practices in place, the proper tools and programs, and a cyber liability policy is critical to avoiding this worst-case scenario. Emerging ERISA litigation contemplates that the duty of prudence, which requires fiduciaries to act with the care, skill, prudence and diligence of a prudent man in fulfilling their responsibility to a plan and its participants, also encompasses a requirement to secure participant information.14 Participants are seeking compensation following unauthorized access to their personal information and accounts.15 With case law still developing in different jurisdictions, outcomes are underscoring a common-sense lesson: issues, especially known issues, must be addressed head on.

II. The Costs of Cybersecurity

Cybersecurity programs are a significant financial investment that could play a substantial role in a company’s projected future. Cybersecurity costs are notoriously difficult to quantify, but they can be broken down into the preventative costs incurred to mitigate or eliminate cybersecurity risks and the reactive costs associated with an incident. In the market generally these costs are easily recognized as substantial, but they are much more difficult to assess for an individual business.16 While the costs of preventative measures seem steep, they are dwarfed by the potential losses from a breach that might have been avoided had the right tools been in place: an ounce of prevention is worth a pound of cure.

Preventative costs fall into several categories, the expenses of which will be determined by company-specific factors including size, industry, and available resources. In addition to investing in IT professionals, software, third-party tools and companies, additional costs come from ensuring that employees are aware of the company’s best practices through outreach and education. Additionally, companies need to have appropriate cybersecurity insurance policies in place, making sure to note the risks covered and retention provided. While every business faces at least some degree of risk, it will be up to leadership to determine what expenditures best balance a company’s resources against those risks and plan their budgets accordingly.17

Failing to take appropriate preventative measures, including appointing directors with cybersecurity backgrounds, establishing a chief information officer position, and creating board committees focused on cybersecurity, exposes a company to significant financial risk.18 The costs of a single incident may amount to millions.19 While larger companies have the resources to weather this degree of loss, the financial impact of a cyber incident is much more likely to cause irreparable financial harm to a small business.20 Reputational harm combined with financial liability far outweighs the cost of investing in a good cybersecurity program, a lesson some businesses unfortunately learn too late.

Reactive costs, those associated with a breach, may stem from ransom paid, business disruption, reputational harm, lost proprietary knowledge, or even liability for physical injuries caused by interference with machinery and equipment.21 Ransom paid in response to a ransomware attack is perhaps one of the most easily measured financial impacts of a breach; any ambiguity would arise from the inability to determine whether an incident is contained or ongoing. Business disruption occurs when a company’s files or networks are compromised such that the company is unable to conduct business as usual. While the financial impact is clear, it may be difficult to put an approximate dollar amount on the loss, particularly in industries built on long-term contracts and projects rather than daily sales. Reputational harm from a breach depends on the type of data compromised, which in turn depends on the target company’s industry. A breach involving sensitive consumer data could be devastating because of a total loss of consumer trust, particularly if the breach is notorious enough for the company’s name to become synonymous with a data incident, as happened with Equifax. The most significant and lasting costs of a breach stem from loss of customers, with an average 3.9% loss of customers after an incident.22 This number varies with the amount of customer trust tied to a company’s industry; companies in industries requiring the greatest consumer trust, particularly the financial industry, are affected more by a reported event.23 In addition to customers lost because customer data was compromised, a company may lose value from proprietary knowledge compromised in a breach. Some data derives its value from its exclusivity, including trade secrets, research and development, and contact lists. If that data is compromised in a cybersecurity incident, its value could evaporate along with the company’s competitive edge.24

III. Insights from DOL Guidance

On April 14, 2021, the DOL provided guidance on cybersecurity practices, marking EBSA’s first issuance of regulations relating to cybersecurity.25 Directed at plan sponsors, plan fiduciaries, record keepers and plan participants, the publication emphasizes the need to safeguard participant and beneficiary assets in a rapidly changing technological landscape.26 Specifically, the DOL’s announcement noted that it seeks to protect an estimated $9.3 trillion in plan assets for 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants.27 The DOL noted the duty of plan fiduciaries to engage in cybersecurity best practices, suggesting an expanded scope of fiduciary duties as cybersecurity shifts from a peripheral consideration to a central obligation for plan fiduciaries. EBSA has demonstrated that what in the past may have been suggestions have become minimum expectations for fiduciaries given the current landscape.28 Coupled with EBSA’s Reporting and Disclosure Guidance for Employee Benefit Plans published in September 2017, the cybersecurity guidance marks a lasting shift in focus to cybersecurity that will presumably continue indefinitely.29

This guidance provides detailed information for ERISA-covered benefit plans, outlining twelve key components of a comprehensive cybersecurity policy.30 These components are:

  1. have a formal, well-documented cybersecurity program;
  2. conduct prudent annual risk assessments;
  3. have a reliable annual third-party audit of security controls;
  4. clearly define and assign information security roles and responsibilities;
  5. have strong access control procedures;
  6. ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
  7. conduct periodic cybersecurity awareness training;
  8. implement and manage a secure system development life cycle (SDLC) program;
  9. have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
  10. encrypt sensitive data, stored and in transit;
  11. implement strong technical controls in accordance with best security practices; and
  12. appropriately respond to any past cybersecurity incidents.31

Notably, these practices are flexible enough to scale or otherwise modify to apply to a business of most any size or complexity, and the DOL guidance can be applied in several contexts beyond its stated purpose. It gives company management a basis for evaluating their own practices outside the scope of ERISA, and it gives professionals in an ESOP transaction a framework for evaluating a company.

IV. Cybersecurity Due Diligence for ESOPs

Generic due diligence consists of evaluating a company’s assets and liabilities so that fully informed decisions can be made about a contemplated transaction, and cybersecurity due diligence is a crucial component of that evaluation. Cybersecurity due diligence is the process of identifying the potential cyber risks facing a company.32 Identifying and evaluating a company’s cybersecurity practices allows the possibility of a cyber-attack to be mitigated and, ideally, eliminated. This evaluation, in turn, dictates a party’s willingness to embark on a merger or acquisition with the target company, and helps inform a trustee of the complete risk landscape surrounding the company so that a plan and its participants are protected. A company exhibiting cybersecurity best practices likely has comprehensive cybersecurity policies and processes in place, active cybersecurity insurance policies, consistent audits of internal tools and technology, and employee education and training. These practices help minimize both the potential for, and the damage caused by, a cyber-attack. In addition to these best practices, company-specific factors affecting its vulnerability and desirability as a target must be identified and weighed.

A company’s industry dictates its communications, clients, and data use.33 Industries known to store, transfer, or otherwise use the sensitive data that hackers consider most valuable need a robust cybersecurity program to mitigate more frequent targeting. Industries known to collect little or low-value data are far less likely to be targeted. Large public companies seem logical targets because of the possibility of substantial payouts, but they are more likely to have substantial IT budgets, established processes, sophisticated security tools, and staff dedicated to preventing attacks. Small businesses are considered easier targets because they are likely to have fewer resources and less developed cybersecurity programs; breaches may require less effort, making smaller payouts more than worth the energy expended.34 The average ESOP company has twenty to five hundred employees, though several significant outliers exist.35 Thus, most ESOP companies are probably operating with fewer IT resources than large public companies, and as such should prioritize the development of cost-effective best practices to avoid falling victim to cyber criminals seeking out low-hanging fruit.

Once the due diligence process has identified the risks a company faces, the financial impact of those risks can be estimated. Cyber risk is an additional risk factor when evaluating the overall risk of entering into a transaction with a company. An undeveloped cybersecurity program, a lack of employee education and outreach, a non-existent cybersecurity insurance policy, and a history of past incidents would all weigh negatively on a company’s overall value. A reduced value may result from an applied discount, contingent liabilities, reduced cash-flow projections, or decreased multiples, all attributed to the increased risks stemming from a weak cyber profile.36 These risks can be captured and quantified under different valuation approaches, just as other risks are estimated in the valuation process, to demonstrate on the record that a sufficient level of care was taken.37

ESOP professionals can draw from the DOL’s cybersecurity guidance and integrate these best practices into their due diligence questionnaires. This helps ensure that an accurate picture of a company’s overall health is developed during the due diligence process, which in turn allows professionals to provide an accurate valuation and make informed decisions throughout a transaction. Example requests include:

  • Provide a summary of third-party data collected by the Company in the course of business, including customer and vendor information.
  • Provide a list and description of any policies or procedures currently in place relating to the use and protection of sensitive data, including storage, transfer, processing, and collection. If applicable, include any past audits that have been conducted regarding these practices.
  • Provide a description of any electronic, physical, or other data security breaches, losses, or corruption of data involving the Company or its systems (including third-party systems), including a description of the data accessed or otherwise compromised, remedial steps, third-party complaints, and estimated financial impact.

While each due diligence review covers the same basic categories, the specifics of each transaction require tailoring of the questions and requests.38 A company with facilities located near a brownfield may require additional environmental due diligence, while a company with a complex multilevel ownership structure may require more corporate organizational diligence. Just as these areas of review are shaped by the company or companies involved, cybersecurity questions should be adjusted to capture the right level of information to draw accurate legal and valuation conclusions, and scaled to reflect a company’s likely level of cyber risk, just as that company’s own best practices should be tailored.39 It is equally important to identify documents that may provide cybersecurity insight. Board of director minutes may provide valuable and candid commentary not addressed in questionnaires. Insurance policies should be reviewed for cyber incident coverage, along with loss runs, to determine whether any incidents have occurred. Financial statements may describe, in line items, significant purchases or costs associated with preventative measures. Employee handbook policies may address best practices for employees. Documents and files that would not ordinarily be considered responsive to technical questions sometimes provide the best insight into a company’s practices and any past incidents. This makes it essential to view all files through a cybersecurity risk lens, the same way all files are reviewed for insight into a company’s financial wellbeing, stability, and risk.

While the two sides of a transaction have different motivations in valuing a target company, both benefit from establishing a clear and complete company profile. Those on the sell side have a duty to ensure that all past cybersecurity incidents are properly disclosed, just as past financial, environmental, and other issues are disclosed, to avoid any breach of representations and warranties or, in a worst-case scenario, fraud.40 Additional assurance may be provided through clear representations and warranties provisions within the transaction documents, with the option of also obtaining representations and warranties coverage, though this may be cost prohibitive in smaller transactions. The discovery of a previously undisclosed cyber incident may cast doubt over the integrity of the entire due diligence process: other aspects of a company’s profile may be second-guessed once it is realized that such a critical piece of the picture was either inadvertently, or worse, intentionally, excluded.41 Transparency and candor are central to a successful ESOP transaction.

The trustee side has a duty to apply a high level of scrutiny to the data provided in the due diligence process, and cybersecurity should be considered a central factor in a company’s projected longevity and financial stability. A strong cybersecurity program reinforces a company’s value and bolsters its projected lifespan, and may be a dispositive factor in proceeding with a transaction.42 A thoroughly documented cybersecurity due diligence process provides a clear record of a trustee’s consideration of a company’s overall health. The absence of such a process suggests the opposite: that not enough analysis occurred and that an incomplete, and thus potentially inaccurate, risk profile and valuation were reached. Cybersecurity breaches are approaching the point of near inevitability. Accordingly, it is imperative that professionals demonstrate with a clear record that they acted prudently under the circumstances then present.


Resources

1 What is Cybersecurity? | IBM; What Is Cybersecurity? - Cisco
2 What is Cybersecurity? | IBM; What is Malware? Detection & Removal Methods | CrowdStrike; Ransomware — FBI; Phishing | What Is Phishing?
3 The Business Value of Cybersecurity | by JC Gaillard | Security Transformation Leadership | Medium
4 The Business Value of Cybersecurity | by JC Gaillard | Security Transformation Leadership | Medium
5 Cisco Private Sector Digital Value-at-Stake
6 Cisco Private Sector Digital Value-at-Stake
7 Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know (forbes.com)
8 Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know (forbes.com)
9 Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know (forbes.com)
10 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
11 The biggest cybersecurity risk to US businesses is employee negligence, study says (cnbc.com); NetNewsLedger - Leading MTSP Shares Most Common Cause of Cyberattacks
12 The biggest cybersecurity risk to US businesses is employee negligence, study says (cnbc.com); NetNewsLedger - Leading MTSP Shares Most Common Cause of Cyberattacks
13 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
14 New Cybersecurity Insights From ERISA Rulings, DOL Advice | Law360
15 New Cybersecurity Insights From ERISA Rulings, DOL Advice | Law360
16 Analysis: Average Business Data Breach Costs $15M | Corporate Compliance Insights
17 How Much Does a Cyber Security Breach Cost an Institution? | SQN Banking Systems
18 Cybersecurity awareness and market valuations - ScienceDirect
19 How Much Does a Cyber Security Breach Cost an Institution? | SQN Banking Systems
20 How Much Does a Cyber Security Breach Cost an Institution? | SQN Banking Systems
21 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
22 How Much Does a Cyber Security Breach Cost an Institution? | SQN Banking Systems
23 How Much Does a Cyber Security Breach Cost an Institution? | SQN Banking Systems
24 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
25 US Department of Labor announces new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, plan participants | U.S. Department of Labor (dol.gov); New Cybersecurity Insights From ERISA Rulings, DOL Advice | Law360
26 US Department of Labor announces new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, plan participants | U.S. Department of Labor (dol.gov)
27 US Department of Labor announces new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, plan participants | U.S. Department of Labor (dol.gov)
28 https://www.hklaw.com/en/insights/publications/2021/06/dol-releases-cybersecurity-best-practices-guidance-for-protecting
29 reporting-and-disclosure-guide-for-employee-benefit-plans.pdf (dol.gov)
30 Cybersecurity Program Best Practices (dol.gov); https://www.hklaw.com/en/insights/publications/2021/06/dol-releases-cybersecurity-best-practices-guidance-for-protecting
31 https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414; https://www.jdsupra.com/legalnews/us-dept-of-labor-announces-9649954/
32 https://securityscorecard.com/blog/why-cybersecurity-due-diligence-is-essential-in-mergers-and-acquisitions; https://securityscorecard.com/blog/importance-of-cybersecurity-due-diligence
33 What is Cybersecurity? | IBM
34 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers; Definition of Small And Midsize Business - IT Glossary | Gartner
35 A Detailed Overview of Employee Ownership Plan Alternatives | NCEO; ESOP (Employee Stock Ownership Plan) Facts
36 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
37 How to factor cybersecurity concerns into a business valuation | Blog | BCC Advisers
38 https://securityscorecard.com/blog/why-cybersecurity-due-diligence-is-essential-in-mergers-and-acquisitions
39 https://securityscorecard.com/blog/why-cybersecurity-due-diligence-is-essential-in-mergers-and-acquisitions
40 Cyber Crime’s Threat to Valuations (morganandwestfield.com)
41 How security programs and breach history influence company valuations - Help Net Security
42 How security programs and breach history influence company valuations - Help Net Security