Mergers and Acquisitions: Don’t Forget Cybersecurity Due Diligence
When a buyer is acquiring a company, the buyer is acquiring all of the seller’s data or digital assets—such as customer data, trade secrets, know-how and business plans. These digital assets are subject to theft and destruction and may trigger cybersecurity and privacy mandates from regulators in the United States and overseas, exposing the company to liability if those mandates are not complied with. As a result, today’s buyer risks acquiring a company whose data may have already been compromised, or otherwise assuming liabilities for past noncompliance with cybersecurity and data privacy laws. This is why cybersecurity due diligence has increased in importance over the years.
The following are three key areas to consider in cybersecurity M&A due diligence:
1. Review of the target company’s current cybersecurity policies. First, the diligence team should try to understand the cybersecurity practices and procedures the target company currently has in place. This cyber risk assessment involves interviews of key staff at the target company (e.g., risk officer, CTO, CIO, CEO) and a review of relevant documents (e.g., security programs and procedures, crisis management and incident response plans, reports of vulnerability assessments and responses to incident reports, vendor audits and any resulting remedial measures). In addition, the diligence team should focus on the maturity and suitability of the target company’s cybersecurity governance and vendor management, the terms of any cyber insurance policies, the existence of any past cybersecurity incidents and how such incidents were handled, and whether the target company has interacted with regulators or law enforcement with respect to potential cybersecurity incidents.
2. Review of the target company’s network security conducted by an outside firm. If the target company has never engaged a third-party forensic firm to conduct vulnerability assessments and penetration testing, the buyer may want to retain a third-party firm to undertake its own cybersecurity risk testing on the target company’s network. Such testing could even include searches on the dark web to see whether the target company’s customer data or intellectual property is already compromised and available for sale. This cybersecurity risk testing typically involves a two- to four-week engagement, depending on the situation.
3. Deal terms in the acquisition document. The representations and warranties concerning cybersecurity in the purchase agreement should be drafted to require the target company to disclose as much as possible about any potential cybersecurity violations and should be tailored to the target company’s industry and regulatory environment. In addition, the representations and warranties should cover the target company’s compliance with applicable cybersecurity and data privacy laws and with its own internal and external privacy policies, as well as the absence of unauthorized access to the target company’s network.
Indemnities may also be used to hold the target company responsible for its representations and liable for hidden or undisclosed cybersecurity and data privacy liabilities that arise after closing. If the transaction involves an executory period between signing and closing, the purchase agreement may include a covenant requiring the target company to implement ongoing safeguards of sensitive information during that period. Due diligence findings may also require the addition of certain tailored closing conditions requiring the target company to take steps to address noncompliance issues or to implement missing IT safeguards.
To conclude, M&A due diligence is important in uncovering and protecting against key risks in a transaction. In our data-driven economy, cyber risk must not be overlooked and should be included as standard M&A due diligence.