In this Business Law Breakdown, Richards Rodriguez & Skeith Partner David Rodriguez shares the major cybersecurity risks facing buyers during M&A transactions.
During due diligence, buyers should do a few things:
Identify High-Value Digital Assets
Primarily, buyers should identify the seller’s high-value digital assets. If the seller holds such assets, buyers should consider retaining a cybersecurity expert to assist them with due diligence.
Identify Internal Cybersecurity Program
Buyers should also consider identifying the internal cybersecurity program used to protect those assets. They should also evaluate the seller’s cyber risk management efforts as they relate to the third parties on which the seller depends for various services.
Identify Ability to Withstand Cyberattacks
The buyer should also consider reviewing the seller’s prior breaches and evaluate its responses to those breaches. They should also review the status of the seller’s regulatory compliance. Finally, buyers should evaluate the seller’s overall ability to withstand a direct cyberattack on its digital assets.
Following due diligence, there are some specific things that buyers can do regarding definitive agreements. Buyers can use the results of the due diligence to obtain contractual protections or risk allocations, up to and including a price reduction, for privacy and cybersecurity issues. For example, buyers can require interim operating covenants requiring corrective actions and can require specific indemnities for known or unknown security vulnerabilities. They can also require well-drafted representations and indemnities for undisclosed issues that may arise after closing.
In the current regulatory environment, regulators are becoming more aggressive about cyberattacks and privacy violations. When the IT systems and data protection practices of the seller are less secure and rigorous than those of the buyer, integration could eventually expose the buyer’s own data to a security breach. Therefore, any issues discovered during due diligence should ideally be addressed prior to closing, or in any event, before integration with the buyer’s data or systems.
As the cybersecurity landscape for M&A transactions continues to become more complex, cyber technology evolves, and regulators gain more expertise, parties in M&A deals should carefully consider the potential risks and challenges at each stage of a transaction. This will enable parties to plan for and effectively address these risks before, during, and after the signing of the definitive agreements.