In this Business Law Breakdown, Richards Rodriguez & Skeith Partner David Rodriguez shares the major cybersecurity risks facing buyers during M&A transactions.
During due diligence, buyers should do a few things:
Primarily, the buyers should identify the seller’s high-value digital assets. If there are some of those high-value digital assets, buyers should consider retaining a cybersecurity expert to assist them with due diligence.
Another item for a buyer to consider doing is identifying the internal cybersecurity program used to protect those assets. They should also evaluate the seller’s cyber risk management efforts as they relate to third parties, and on which the seller depends for various services.
The buyer should also consider reviewing the seller’s prior breaches and evaluate its responses to those breaches. They should also review the status of the seller’s regulatory compliance. Finally, buyers should evaluate the seller’s overall ability to withstand a direct cyberattack on its digital assets.
Following due diligence, there are some specific things that buyers can do regarding definitive agreements. Buyers can use the results of the due diligence to obtain contractual protections or even risk allocations, to the extent of even a price reduction for privacy and cybersecurity issues. For example, buyers can require interim operating covenants requiring corrective actions and can require specific indemnities from known or unknown security vulnerabilities. They can also require well-drafted representations and indemnities for undisclosed issues that may arise after closing.
Considering the current regulatory environment, regulators are now becoming more aggressive as it relates to cyberattacks and privacy violations. When the IT system and the data protection practices of the seller are less secure and rigorous than those of the buyers, integration could eventually expose the buyer’s own data to a security breach. Therefore, any issues discovered during due diligence should ideally be addressed prior to closing, or in any event, before integration with the buyer’s data or systems.
As the cybersecurity landscape for M&A deal transactions continues to become more complex and cyber technology evolves and regulators gain more expertise, parties in M&A deals should carefully consider the potential risks and challenges at each stage of a transaction. This will enable parties to plan for and effectively address these risks before, during, and after the signing of the definitive agreements.
Defamation lawsuits are something that people are generally aware of, but they aren’t well understood. …
One of the latest developments impacting businesses is a federal panel’s decision to draft rules…
The Texas judicial system is distinct in both its structure and the broad range of…
TikTok creator Jools Lebron, who popularized the “very demure” catchphrase, found herself facing a legal…
In business litigation, it’s not uncommon for companies or individuals to be drawn into a…
In the wake of recent U.S. Securities and Exchange Commission (SEC) charges against companies like…