Cybercrime is one of the fastest growing threats to businesses, and the risk it poses to valuations can be devastating, because it not only impacts company finances, it can also damage an organization’s reputation. Home Depot and Target are just two examples of how cybercrime can bring large corporations to their virtual knees, resulting in the loss of millions of dollars in the process. Imagine the damage that could be inflicted on your business. You and your company can avoid becoming victims of cybercrime, but it takes vigilance. Join Jeff Allen as he talks with Dan Cotter, attorney and partner at Butler Rubin Saltarelli & Boyd, about cybercrime, what it looks like and steps you can take to prevent it.
The other thing that's taking place and is becoming more and more frequent, and that is a big challenge, is denial of service type of hacks. What happens here is really a form of extortion.
- Daniel Cotter
Jeff: Welcome to the web's number one content source for small business owners committed to building a business for eventual sale. Here on Deal Talk it's our mission to provide information and guidance from our growing list of trusted experts that you and all small business owners can use to help you build your bottom line and improve your company's value.
To talk with us about the persistent threat of cybercrime and how to protect our businesses from its devastating impacts is an expert in this area, Mr. Dan Cotter, attorney and partner at Butler Rubin Saltarelli & Boyd in Chicago. Dan Cotter, welcome to Deal Talk, good to have you.
Dan: Thank you, Jeff. It's great to be out here.
Jeff: Dan, in order to gauge just how serious an issue that cybercrime has become, in your opinion is this something that we as business owners should be concerned about in terms of the possible damaging effects that it could actually have on our company's value especially when you consider that we have plans down the line to sell our company maybe in the next few years, or certainly down the line 10-20 years from now?
Dan: Jeff, that's an excellent question and I think the reality is that business owners should be concerned about cybercrime and the cyberhacking that takes place. The reality is that these attacks happen whether they're on a small company with a limited amount of data, or on giant companies like Target, as happened in 2013. When you look at the significance of the exposure in terms of remediating, in terms of fixing, in terms of getting notice out and doing things that make sense, there's a real significant cost and exposure for these companies. In addition, when you look at some of the acts that have taken place and when you consider the reputation of a company that's planning to sell in the next few years, the reputational hit that a company might incur from a cyberattack could be very damaging to the perceived value and security of that company, especially if they're in the Internet or other technical space.
Jeff: Target in particular as you've mentioned in 2013, that all happened during the holiday season and I want to touch on that here in just a little bit. But we want people to understand that even if they were to listen to this show in 2017, this would continue to be a problem because it doesn't seem like something that we're going to be able to completely eliminate. From your vantage point can you see that enough is being done to stop this kind of stuff from happening on such a large scale? It just seems like this stuff comes out of nowhere and it's just amazing to me.
Dan: When you hear a lot of people talk about the issue of cyber and whether your company will be attacked, people such as Tom Ridge who was the head of Homeland Security back in the Bush Administration, when you look at and you hear him speak and other experts in the field that are tracking or looking at the attacks, and the volume, and the players in the space, what they all say is that there's two types of companies that exist: those that have experienced an attack and know it, and those that have experienced an attack and are not aware of it yet. And we'll get into later but I think a lot of, the fact of the matter is with cyberattacks and cyberhacking is that you can mitigate and do your best to be in the best position to minimize or mitigate the amount of damage and ability for attackers to get into systems. But the reality is that because it's an evolving market just like the Internet was several years ago, just like apps for smartphones have been, it's something that as soon as you figure out a way to prevent one methodology or one system of attack the sophisticated hackers around the world are on to their next technique, their next bit of malware. And so it's an ever evolving market and very difficult to completely put an end to.
Jeff: So we can't just rely on our IT security vendors to simply go out and purchase the most expensive anti-malware, anti-virus, anti-hack software, install it, and expect that we're going to be taken care of. And I'm assuming that insurance is not available to take care of all of the losses that we could incur as a result of these types of attacks. Is that correct?
Dan: That is correct. If you look at some of the hacks that have occurred. I was at a conference on Friday and one of the folks who was there, who does a lot of online data collection and has a lot of personal information, his theory is that cyber-insurance is not the answer. I don't agree with that. There is an ability to obtain cyber-insurance, for small companies, large companies, mid-size. But the one issue is, for example with Target, the amount of the cost incurred, the steps that they took on remediating and recovering their data from the breach that occurred in the holiday season. When you look at that breach they had, I believe, $100 million of cyber-insurance that they had purchased, and the amount of the loss that they've disclosed is $250 million. So the insurance is available, it's out there. I think that's an evolving market as well and there are more carriers out there with more menu options for the insurance programs. And to your question about whether or not just having antivirus software is sufficient, when you look at guidelines that are coming out from the FTC, when you look at best practices, like a lot of compliance issues the rules are fairly vague in terms of what's considered to be sufficient for a company. And a lot of it depends on the sophistication of the company, the size of the company, the amount of personal information or health information that they have that might be accessible. And so you start to look at some of those things. For a small company that’s not really collecting any data, maybe antivirus software with a new chip-reading credit card machine in their store, if they're doing point-of-sale credit cards, suffices. But absent that, best practice is probably to take a look at what their cyber-policies are, what they're doing with data, how they're storing it, and to do an overall assessment so that they at least can be aware of what the exposures might be for that organization.
Jeff: Dan Cotter is an attorney and partner at the firm Butler Rubin Saltarelli & Boyd LLP in Chicago. He joins us today here on Deal Talk. We're glad to have him on board. Tell us if you would Dan about the kinds of cybercrime, the various forms that are available out there. When we think of cybercrime you and I as an individual we think of identity theft where someone gets our credit information, as they did by the way with the Target situation you talked about. And then that was followed not too long after that by a similar situation involving Home Depot, and we can get into the numbers and stuff like that in a little bit. But tell us about the various forms of cybercrime that can actually victimize a company and really create a lot of problems.
Dan: Sure. Like you said, the traditional hacking and theft that we think of is the credit card information identity theft that then leads to them being able to open accounts in your name, to use your social security number, to use other points of personal data, to be able to go out and use those cards. That’s a big part of the hacks. But what we've seen more and more in the last few years, and that is still I think kind of a puzzle in terms of what exactly is taking place or what the purpose of the hacking is, is we're seeing State-sponsored hacking. For example, we hear a lot of noise and stories about the Chinese having some of their government employees hacking into our systems, obtaining data. The Russians as well, and some other areas of the world. What's difficult to fathom in this is that when the FBI, when the Department of Justice, and when the companies do forensics on the data that's been hacked, when they look at the dark web and see if the information’s being used out there for purposes of selling fraudulent credit cards or other things, a lot of the data that they're seeing, especially in the health insurance breaches that occurred with Anthem and others, is that the data is not being used for purposes of current currency, it's not being traded on the dark web or anywhere that can be fathomed, and so people are not experiencing, for example, like the old days when we used to get our carbon copies stolen out of garbage cans or from clerks at stores. We would see instantly the fraud alert. We would get a phone call from the bank saying, "Have you been to California this week? Have you stayed at a Hilton? Have you done this or that?" You see a lot of that.
The other thing that's taking place and is becoming more and more frequent, and that is a big challenge, is denial of service type of hacks. What happens here is really a form of extortion. It goes back again to: can you just use antivirus software? We've all probably received these phishing emails where it looks legit. It looks like it might be either an invoice or a note from your credit card company, or from PayPal or somebody else that says, "Your immediate attention is required. Please hit the link below and correct your data or provide us with data." And what's happening in these types of situations is that the employee who doesn't know that they're not supposed to do that, or the individual at home, hits that link, it looks legit, and it looks like a regular page from Chase bank or American Express. They hit the link and then they get a note that all the data on their computer is being hijacked, or kidnapped I guess would be the analogy, until a payment is made to release the key that will then allow the hacked information to come back to the person that's the victim of the hack. And the challenge there is that for professional service firms, for consultants, for organizations that rely on all this data, it can be pretty severe and pretty wide reaching within their systems depending on what kind of firewalls and internal security and encryption they might have on their various systems and various applications.
Those are really the main things we're seeing. What people like the FBI and others are telling people who need to take a look at their cyber-programs is that the most valuable information, more valuable than the personal information, your social security number, maybe your credit number, is your private health information that's covered by HIPAA, because this permits people to have procedures, it permits them to go into a lot of other avenues that they might not get from just your personal information.
Jeff: Dan, there's much more to talk about. When we come back with Dan Cotter I want to talk a little bit just about the interesting back story about that Target ID theft situation that happened in 2013 during the holiday shopping season. I think you're going to be interested to hear what he has to say if you are not familiar with that story already. My name is Jeff Allen, back with Dan Cotter, attorney and partner at Butler Rubin Saltarelli & Boyd in Chicago when Deal Talk continues in a moment.
Selling your business may be the most important business transaction you'll ever undertake so don't go it alone. Work with an organization that has made it their business to sell businesses and that's all they do. Morgan & Westfield at 888-693-7834. At Morgan & Westfield we know that selling your company is not something you should take lightly. It can be a stressful, difficult, even emotional process. That's why it's important to work with a team whose one and only specialty is selling businesses throughout the United States. And Morgan & Westfield will help you every step of the way, from helping you plan your exit strategy, to preparing a comprehensive appraisal and locating the right buyers. Without the right team behind you, you could be leaving money on the table. So don't leave your most important business transaction to chance. Call Morgan & Westfield for a free consultation at 888-693-7834, 888-693-7834, or visit morganandwestfield.com.
If you have questions about any of the topics you've heard us discuss here on Deal Talk, all you have to do is ask. Simply call our Ask Deal Talk info line 24 hours a day, seven days a week, at 888-693-7834, extension 350. Follow the instructions to leave your question and we'll reach out to one of our guest experts for their response on a future edition of Deal Talk. Ask Deal Talk at 888-693-7834, extension 350.
Jeff: And we'd also like to hear your thoughts about how we're doing. Do you like Deal Talk? What do you like about it? How can we make the show even better for you? Well, all you have to do is drop us an email to firstname.lastname@example.org. Once again, that's email@example.com. Dan Cotter, attorney and partner at Butler Rubin Saltarelli & Boyd in Chicago is my guest. We're talking about cyber-theft, the problem that it's become and what you as a business owner can do to prevent it in your organization to the best of your possible ability. Dan, one thing we started talking about at the top of the show we mentioned that Target incident that happened in 2013, the holiday shopping season. Target stores of course, well respected retailer, everybody shops there, and then we were absolutely stunned by the news that came out back then about this massive ID theft, cybercrime incident that took place. How did that all happen? What happened there?
Dan: Jeff, it was massive. What happened was, believe it or not, the software and programs of the HVAC vendor were the entrance into Target's systems. As we talked about earlier, backdoor hacking sometimes allows the hackers to get into other systems and other data based on where they're coming in through the systems. And in this case what happened was that the HVAC vendor, just like a smart home or other mechanisms being used today on the Internet, with the Internet of Things, the HVAC software was designed to measure what the store temperature looked like and what it felt like in the store. That piece of software that was running the HVAC systems in each of the Target stores was on the same servers, in the same bundle of programs, as the point of sale credit card scanners and that piece of software. And so the hackers in the Target instance were able to find a weakness in the link that was the HVAC vendor's software. Once they got into Target's overall systems they were then able to hack into other systems. And that's where the data and personal information that they stole was found and located. When you think about that, honestly I think if you were a Chief Information Security Officer, if you were in IT at any company such as Target, if you were in legal or a consultant on cyberhacking and were giving advice back in 2013, you probably would not have started on the list with the idea that your vendor that provides HVAC services might have a piece of software on your overall systems that would be the entrance into a massive $250 million cyberattack.
Jeff: Now, let's go ahead and move forward. A lot of people are kind of sitting forward in their chairs. They want to hear exactly what it is that you think that they should be doing to help prevent these types of things from happening. We talked a little bit about vendor management now. Let's suppose I'm a business owner and I'm interested in selling my company and I obviously want to retain my value, I want to bring it up, whatever it is that I have to do. How critical is that due diligence process really, from both sides, from the buyer and seller side, in making sure that what the numbers are telling us is accurate about our company's valuations, and not just EBITDA but our accounting, and the money is where it's supposed to be, and we're not seeing anything leave, we're not seeing any other intellectual property leaving. Anything at all that you can tell us about due diligence with respect to its importance in making sure that cybercrime is dealt with or eliminated, or we can at least see it and try to mitigate it while it's going on.
Dan: I think the first question in any business that's looking to sell, or a buyer that's looking to buy the business, is what types of information is that business collecting. And depending on what the answer to that is, I think that will dictate how much due diligence needs to be done. I do think that a fair question for a buyer is to ask the seller if they have cybersecurity policies and procedures, what their IT security policies look like. For example, the employees of the target company that's being bought, are they required to have passwords that are considered very strong? And you can go out to Microsoft, you can go out to some other websites and you can mess around with the passwords that you use with combinations of numbers, and letters, and symbols, and they'll give you a strength assessment. That's an easy step. Probably a quarter of all cyberhacks that occur are the result of employee behaviors. For example, many people use basic passwords like 1234, or “password” for password. What the hackers do is, like any form of attack, repeatedly try different, most common words. And so that's one thing that you could ask in terms of due diligence: what exactly have the employees been told, how have they been trained in terms of their use and security of sensitive data.
The other questions that would be asked, does the C-suite have knowledge, awareness, involvement in cyber? If the company has board meetings, is the board being informed of cyber and what's happening at the particular company. I think those are some of the things that can be asked in due diligence, and I think it's like any other potentially material exposure that you might be buying if you're buying the company. What you don't want to have is to not ask the questions and not kick the tires on the company, and then day one after the acquisition consummates you discover that they've been hacked, and now you've got a huge reputational risk on your hands. You may have a large diminution of the value of the company. There could be a lot of factors that take place, not to mention that you're trying to address the post-acquisition needs of the company, and to get it operational and integrated if it's being part of another entity. And the last thing you want is to be spending time, energy, and resources on trying to deal with a public problem on your hands.
Jeff: And by the way too, if you're on the sell side and you know that there have been some ... maybe you've isolated some incidents. When I say isolated, you're aware of some issues that you have addressed that seem to be rather invasive on your IT systems there at your company regardless of size. If you don't disclose this stuff to the buyer you could really be in some hot water yourself. It would seem, Dan, even after that sale consummates, if they could track it all back as far as representations and warranties are concerned, tell us about that. Is there any insurance available for those types of situations, anything at all that you can share?
Dan: Sure. The representations and warranties insurance market I think is evolving. I think that all indications around that in general are that the sale of those policies has increased something like sevenfold in the last seven or eight years. It's really crept up. The question that I don't know is whether or not those policies and the insurers that are issuing the reps and warranties insurance for transactions have contemplated or come up with anything directly addressing cyber. But it depends on the nature of the policy, and if it's a general reps and warranties policy and in the deal documents you have representations and warranties about your cyber-programs and security, and if there's something for example that says to the best of seller's knowledge there's no cyberattack, then I think, like any breach of warranty, if the seller had knowledge I think it sets them up for some potential challenges to the deal and to the purchase price, and it could be indemnity, hold harmless, or reps and warranties insurance to address those gaps.
Jeff: What is it that we can do as business owners, Dan, if we may at some point begin to suspect we may be victims of cyber-theft or cybercrimes of any kind with our business. What would you recommend that we do?
Dan: I think the first thing to do would be to reach out to experts, especially on the IT front, on the cyberhacking and penetration front. There are a number of vendors out there whose sole focus these days is on being proactive on the front end before cyberattacks occur, and also offering services on the back end for forensics, and recapture, and getting back online and in business again. If there's a suspicion or you're getting ready to sell, I think it's probably resources well spent to retain those IT experts and find out what their assessment is. There are also groups like FS-ISAC, which is a blog or network that captures and reports, to the extent possible, all attacks that have taken place. And that's a group that I believe could be easily joined. There are resources out there in terms of being in the loop, keeping abreast. Talk to your insurance broker if you have an insurance program and get an assessment from them of what the cyber-insurance arena looks like. Take a look and find external resources that can help provide guidance and kind of a framework of what best practices might look like in terms of being proactive.
Jeff: If anybody needs to get in touch with you and your office how can they reach out to you guys?
Dan: Sure, there are a number of ways. They can call my line directly. I'm at 312-696-4497. They can shoot me an email: firstname.lastname@example.org. Or they can look us up on the web, butlerrubin.com, and find information there on our cyber-practices team, and more information.
Jeff: Dan Cotter, it's been a worthwhile conversation. We appreciate you stepping up and chatting with us about this very, very serious issue of cyber-theft. Dan Cotter, thank you so much for joining us today.
Dan: Thank you, Jeff.
Jeff: Dan Cotter, attorney and partner at Butler Rubin Saltarelli & Boyd, has been my guest and we hope that you enjoyed this discussion. We got a lot out of it, I know that I did. Tell a friend about Deal Talk, won't you? In addition to morganandwestfield.com you can find us on iTunes, Stitcher, and Libsyn.
Deal Talk has been brought to you by Morgan & Westfield, a nationwide leader in business sales and appraisals. Learn more at morganandwestfield.com. My name is Jeff Allen. Thanks so much for listening. We’ll talk to you again soon.
While we take reasonable care to select recognized experts for our podcasts, please note that each podcast presents the independent opinions of such experts only and not of Morgan & Westfield. We make no warranty, guarantee, or representation as to the accuracy or sufficiency of the information provided. Any reliance on the podcast information is at your own risk. The podcast is for general information only and cannot be considered professional advice.