<<

. 51
( 131 .)



>>

In designing the overall legal risk management framework, businesses should,
as a general rule, have a proactive and structured programme of action involv-
ing the following elements:
An overall system to identify, classify, measure, prioritise and assess legal
risks that are relevant to the enterprise™s operations;
A plan that is documented in the form of an operation manual (both hard
copy and embedded into the system in the form of web-based documents
containing policies, practices and procedures that address and control these
risks). Such a plan must specify the responsibilities of all parties involved in
the whole risk management process from the operational level right up to
the CEO;
A regular test plan that when implemented approximates all possible worst-
case scenarios for the purpose of testing the system to its fullest potential;
A monitoring programme to assess all types of technology and other opera-
tional risks and the evaluation of the effectiveness of such programmes;
The regular updating of such plans in the light of developments in the tech-
nology, law and business practices;
Post-incident recovery procedures which must incorporate digital evidence col-
lection, preservation and presentment techniques which are legally compliant;
The fulfilment of legal compliance requirements as specified by the regula-
tory bodies; and
A security awareness programme that will help nurture a more security
conscious environment.


Business intelligence
The value of a good business intelligence solution system is becoming increas-
ingly important. It should have a data warehouse that ensures that all reports are
based on the same information. It should provide a solution that allows users to
follow an audit trail by drilling down from the high level into more detail.
For instance, commentators have remarked that had Shell been compliant with
SOX they would not have been able to state that they thought that they has one-
third more oil reserves than they actually had. One of the requirements of
SOX is for real-time reporting so that if a major event takes place that has an
impact on a company™s financial statements then the company must respond
quickly by making updated financial reports available (see Chapter 22). This
requires:
Having a very agile infrastructure;
Being able to capture information in relative real time;
Having the tools to assess it very quickly; and
Assessing the implication for the profit-and-loss account or balance sheet.
Some experts warn that many firms implementing solutions are losing sight of
the need for a holistic view by considering, for example, the regulations sepa-
rately. For instance, initially the Basel II and IFRS requirements on reporting
Part B “ Overview of the Economic Aspects of Business Risk
258



losses were not compatible: although the issue has been resolved such conflict
demonstrates the need to take a high level view. In addition, by taking a short-
term view that solves current problems businesses fail to protect themselves
against possible M&A issues. To deal with the constant increase in new
demands solutions should provide a coherent view across the organisation and
the functions that are in place within it.
Therefore, it is clear that in today™s complex business world those organi-
sations that use the right business intelligence should be more successful in
handling all of the issues, relevant to sustainable risk management, in a more
holistic way. However, it also means that many of the complex concerns around
IT and e-commerce should also be considered as a priority. As a result of the
growing reliance upon technology more risks must be managed both as regards
the internal use of technology in monitoring business concerns and as regards
the handling of external relationships and matters. Many smaller businesses,
for example, cannot afford to protect themselves in the ideal way. Therefore in
this chapter an overview is provided of some of the developments that have
occurred “ and current issues “ in the context of the e-debate. This is such a
broad subject, which spans both macro and micro issues (from handling the
above requirements to dealing with everyday email nuisance such as spam),
that it requires a manual in itself. This chapter can only touch upon issues that
relate to due diligence, risk management and corporate governance.


Technology due diligence: managing legal risk exposure
Another issue concerning the use of IT relates to technology due diligence in so
far as it is often one key aspect of the overall due diligence process performed
by those wanting to acquire or invest in companies. In this context it is prima-
rily an exercise about managing both commercial and legal risks. It is about
managing risks in a way that will enable the parties involved in the business
transactions ultimately to maximise their respective commercial returns or to
minimise bottom-line losses. Here technology due diligence is about assessing
the quality of technology assets and any attendant risks that an acquirer would
assume in acquiring such assets. In this spectrum of risks, legal risk exposures
probably rank among the top concerns of senior management.


Intellectual assets
In the New Economy, one of the key assets of organisations is often its intellec-
tual assets. Acquiring intellectual assets is often one of the key objectives in
mergers and acquisitions and they are also increasingly exploited for strategic
advantage. In this discussion ˜intellectual assets™ covers those generic cluster of
intangible assets which, when narrowly defined within a precise legal context,
emerge as rights which are protected or can be protected by law. Such intellec-
tual property rights typically include patents, copyrights, trademarks, design
and trade secrets. They are often intangible and come in the form of technology
Chapter 11 “ Information technology (IT) and e-commerce 259



or know-how which can be software or hardware driven or simply business
processes driven by technology.
Companies typically want to acquire technology from others for any one of
the following reasons:
The technology is useful in itself;
The technology may enhance the acquirer™s own product range, service offer-
ings or technology development cycle;
The acquisition of the technology will enhance the acquirer™s corporate
branding;
The acquirer sees long-term investment value by acquiring the technology at
what the acquirer regards as fair market value; and
The acquirer sees benefits in terms of positive public perception of the acqui-
sition that would result in a better market price for its shares.
Investors typically insist on having a very clear view of the strengths and weak-
nesses of the technology in the overall corporate and industry context. R&D
houses may also use technology due diligence to assess or validate their per-
formances while technology start-ups may use the result of technology due dili-
gence for their own self-assessment or evaluation for the purpose of fundraising.
The ultimate aim of any technology due diligence exercise is to use it as a man-
agement tool that helps increase the probability of a successful investment, a
partnership or a merger and acquisition. As with all due diligence exercise, a
risk assessment has to be made.
In a technology due diligence process, the purchaser or investor typically
would want to achieve one or more of the following objectives:
To identify technology asset strengths and weaknesses that would help in
closing the deal successfully;
To remedy any identifiable flaws in a way that will be conducive to further
negotiations but often in the hope that it will reduce the acquisition cost for
the acquirer or purchaser and secure better terms in general; and
To ensure the eradication or minimisation of all if not most legal risk expo-
sures from the acquisition of that technology.
The main assessment that the advisor has to make typically revolves around the
key questions that are set out below, they are acting for:
An acquirer intending to purchase a technology company; or
An investor taking up an equity stake in a technology company; or
Parties to any transaction with a technology component.
The questions cover:
Whether the technology that is the primary asset of the company being acquired
does what it is supposed to do: its capabilities must be evaluated and verified;
Whether the acquirer can verify that it would be able to extract business
value from acquiring the technology in particular and whether the manage-
ment team responsible for the creation of the technology can deliver what the
Part B “ Overview of the Economic Aspects of Business Risk
260



technology purports to be able to do for businesses; in short, the commercial
prospect of the technology;
Whether the owner of the technology does legally own all the rights to the
technology;
The nature and magnitude of legal risks that the acquirer would be assuming
if the acquisition is made; and
What the true measure of the value of the technology being acquired is, that
is, its strengths, weaknesses and therefore its real worth.
Given the primacy of intellectual assets in the New Economy and the essence of
such assets being the technology itself, the issue of protection of such assets is of
paramount importance. In a technology due diligence, managing legal risk expo-
sures in relation to the intellectual property rights of the company is always one
of the primary concerns of parties. Therefore this central aspect of technology
due diligence, that is, the evaluation of and the risk assessment of intellectual
property rights issues, both internal and external to the company or individual
owning the technology, is considered below.


Ongoing risks
In internet-based commercial transactions where technology risks such as sys-
tems failure or attacks are particularly accentuated and the ˜risk turnaround
time™ is much faster, the need to design and develop a proactive and structured
legal protection regime has become a corporate imperative. A legal risk man-
agement system to assist internet commerce at both the strategic as well as the
operational level that would protect enterprises from legal problems that might
flow from information security risks is essential.


Information security
As has been seen above, in a world of increased security risks and threats,
information security in internet commerce has assumed a centre stage
role. With advances in information technology and with an increasing
number of consumers relying on internet-based services, intrusions and
other forms of attacks on IT systems will not only continue but are likely
to increase in frequency.



The internet has become an essential and integral aspect of most information
technology systems today. The internet, which can be described as the global
network of networks, has shaped and is continuing to shape the industrial
landscape where internet-based transactions are becoming increasingly com-
mon. The IT systems, which include the networks and databases, have now
become an integral part of most nations™ critical infrastructure and this infra-
structure is increasingly linked to the internet. Within this huge internet-based
system, internet commerce has emerged as one key sector.
Chapter 11 “ Information technology (IT) and e-commerce 261



The scope and reach of information technology systems in the business
sector, particularly those with internet connectivity, have expanded greatly in
recent years. We are also likely to witness an increasing degree of sophistica-
tion in attacks of systems. At risk is the potential criminal violation of data and
assets of consumers particularly in sensitive sectors involving banks and finan-
cial institutions. As a consequence, technology risk management particularly
in relation to information security breaches has become even more important.
At the same time, the deployment of such technologies has become more com-
plex thereby making technology risk management even more difficult.
Dealing with information security breaches can be complex as the attacks
are difficult to detect. The fact that it is not always clear whether certain types
of activities are necessarily illegal creates further problems in prosecution. Also
when computer crimes are committed across borders and digital evidence is by
nature transient and fragile, the problem becomes compounded.


Technology services in internet commerce
Enterprises need to take pre-emptive measures to prepare them against cyber
attacks as well reactive measures after an incident has taken place to limit
their losses and to pursue the perpetrators of the attack. Most types of risks
inherent in internet commerce are not fundamentally different from traditional
commerce. However, given the very nature of internet commerce “ which is
much more technology dependent than traditional commerce “ technology
risks have become increasingly prevalent and accentuated in complexity and
magnitude.
Commercial enterprises typically provide internet-based systems through
two basic sources:
Primary sources, from the enterprise™s own internal system and applications
which may be developed internally; and
Secondary sources, such as systems and applications provided through
service providers typically outsourced from external partners or providers.
In the development of such systems in the past, enterprises tend to deploy pro-
prietary or closed-loop networks which pose less of a risk from attacks via the
internet. However, the increasing use of internet technologies in an open envi-
ronment in the commercial sector has created new risks and created greater
vulnerabilities and threats.
On the part of the customers of enterprises, they in turn expect the deploy-
ment of internet technologies to mean greater access and quicker service turn-
around. In internet commerce, customers tend to expect that such enterprises
deliver their online services on a continuous, consistent and timely basis. As
indicated above, particularly during peak times, customers of online commer-
cial enterprises expect:
Continuous service on a 24 7 365 basis; and
Short transaction processing cycle.
Part B “ Overview of the Economic Aspects of Business Risk
262



The higher risk in providing internet-based commercial services coupled with
customer expectation of quicker, more accessible but nevertheless more secure
systems continue to pose a major challenge to the senior management of corpo-
rations in providing quality effective service.

Nature of technology risks in internet commerce
Technology risks in internet commerce like in other internet-based systems
include any potentially adverse outcome in the form of damage or loss that
results from failure or disruption arising from the use of or reliance on informa-
tion technology systems including hardware, software, equipment, devices,
systems, applications and networks. Such risks typically could result from any
of the following three forms of risk events, namely:
Attacks such as intrusions, malicious hacking and fraudulent actions;
Systems flaws such as processing errors, software defects, operating mistakes,
hardware breakdowns, systems failures, capacity inadequacies, network vul-
nerabilities, control weaknesses and information security shortcomings; and
Management failure to provide adequate recovery capabilities such as the
absence of a disaster recovery plan.
Such risks can arise from within and outside the organisation with the risks being
higher if the threat is internal. While most spending on IT security tends to focus
a lot more in developing a perimeter defence to ward off external attackers from
penetrating IT systems, there is a realisation that resources also need to be pro-
vided to prevent an attack from within, which could be far more disastrous.
While protecting IT systems “ which includes the network, hardware and
software “ is very important, it is the data that resides within the system that is
far more important than the system or infrastructure itself. In the internet com-

<<

. 51
( 131 .)



>>