In today’s M&A transactions, cybersecurity deficiencies in a target company pose potentially significant financial and regulatory risks to the acquiring company. For this reason, new measures must be implemented in M&A transactions to protect both companies from today’s emerging cybersecurity epidemic.
Effective Due Diligence
Both companies must strive to ask and answer the right questions through the due diligence process. Through diligence, the acquiring company should become familiar with not only the written cybersecurity policies of the target company, but also the importance the company places on those policies. If upper management or even basic employees of the target company are not well-versed on the company’s cybersecurity policies and how they affect day-to-day operations, then it is likely that the target company does not sufficiently prioritize its cybersecurity. Additionally, the acquiring company will want to obtain assurances from management of the target company that the company does not have a history of cybersecurity breaches, is in compliance with payment card industry (PCI) regulations, and has protections in place to prevent competitor and insider theft.
However, just because the target company has not identified a cybersecurity breach or risk does not mean the risk or breach does not exist. Take Home Depot for example. With Home Depot, a hacker used a vendor’s username and password to obtain access to Home Depot’s network where the hacker was able to pull payment card information of up to 56 million customers. The hacker collected this information by sitting in Home Depot’s system undetected for six months. Clearly an acquiring company must go beyond mere assurances from management, and should conduct its own investigation of the policies to determine whether the target company has cybersecurity measures mature enough to identify risks and breaches as they occur. If cybersecurity concerns are identified in diligence, deal terms can be arranged that require funding for third-party independent assessments and implementation of expert recommendations.
Representations and Warranties
The acquiring company will want to obtain adequate representations and warranties to shield it from liabilities stemming out of an undiscovered or hidden cybersecurity risk. The protections should apply to all the various types of cybersecurity risks in play, including (i) non-compliance with PCI regulations, (ii) the breach of sensitive information through rogue hackers, government espionage, competitor espionage, and insider theft, and (iii) potential losses or interruptions in business caused by the implementation of new cybersecurity technology (unforeseeable consequences of switching to a chip-reading payment system, for example). Additionally, the target company should have adequate insurance to cover potential cybersecurity issues. Home Depot, for example, recorded $63 million in pretax expenses related to its cybersecurity breach, but that amount was only offset by $30 million of expected insurance proceeds. Without the proper representations and warranties in place, an acquiring company could potentially be on the hook for millions of dollars in damages and the potential of decades of FTC reporting requirements, all stemming from the acquisition and continuation of business practices of a target company with inadequate cybersecurity protections.
Consider This
Both the target company and acquiring company in an M&A transaction will benefit from taking a hard look at the cybersecurity measures of each company. The acquiring company may find itself the victim of a data breach through the use of acquired hardware, or the linking of its network with a poorly-secured target. The target may find itself with unfavorable deal terms if it does not have effective cybersecurity policies and knowledgeable cybersecurity personnel in place. If the businesses involved are heavily information- or retail-based, there is a strong incentive to obtain the guidance of cybersecurity experts and legal counsel proficient in such issues. In the end, these experts may be the saving grace that causes the implementation of certain network protections, the wiping of compromised computers and hardware, or the abandonment of a disastrous deal.
Please contact a member of our KMK Cybersecurity & Privacy Team to assist with any aspect of due diligence, risk management, information governance plans, policies, procedures and technologies, and defense of litigation arising from cyber-attacks and data breaches.
- Partner
Rob Lesan co-leads the firm’s Business Representation & Transactions Group, bringing extensive experience in mergers, acquisitions, private equity investment, divestitures, joint ventures, and general corporate ...
Topics/Tags
Select- Securities Law
- SEC
- Nasdaq
- Corporate Transparency Act
- Cybersecurity and Privacy Law
- Securities Regulation
- Cybersecurity Regulation
- Corporate Law
- IRS
- Tax Planning
- Coronavirus
- Clawback Rules
- SEC Enforcement
- Taxation
- Dodd-Frank
- Mergers & Acquisitions
- Paycheck Protection Program
- JOBS Act
- Corporate Tax
- Economic Sanctions
- Ohio LLC Act
- FAST Act
- Corporate Governance
- Consumer Protection Act
- Proxy Access Rules
- Securities Litigation
- Crowdfunding
- Conflict Minerals
- Cryptocurrency
- Hedging
- Real Estate Law
- Emerging Growth Companies
- Investors
- Pay Ratio Disclosure
- Whistleblower
- Private Offerings
- Intellectual Property
- Technology
- Opportunity Zone
- LIBOR
- Executive Compensation
- Health Care Act
- Accredited Investors
- Sales Tax
- United States Supreme Court
- Online Trading Platforms
- Wall Street Reform
- IPO
- Registration Statement
- Annual Reports
- Family-Controlled Entities
- Gift and Estate Transfers
- Ohio Foreclosure Reform
- Director Compensation
- Board of Directors
- Director Independence
- Cyber Insurance
- Data Breach
- Lenders
- Receivership Statute
- Regulation A
- Regulation D
- Total Shareholder Return
- Compensation Committee Certification
- CDEs
- CDFI Fund
- Community Development Entities
- Community Development Financial Institutions Fund
- Government Shutdown
- New Markets Tax Credit
- NMTC
- NMTC Financing
- Regulation Fair Disclosure
- Social Media
- Benefits
- Healthcare Reform
- Litigation
- Marketing
- Public Company Transition Rules
- Employment Incentives
- HIRE Act
- Social Security Tax
- Tax Credit
Recent Posts
- Fifth Circuit Nixes Nasdaq Board Diversity Rules
- Corporate Transparency Act Update: Texas Federal Court Issues Nationwide Injunction
- SEC Fines Four Companies $7M for Violating Cyber Disclosure Rules
- FinCEN Issues Additional Guidance for Reporting Companies on Dissolved Entities
- Division of Corporation Finance Director Statement: The State of Disclosure Review
- FinCEN Issues Additional Guidance for HOAs and Trusts under the Corporate Transparency Act
- SEC Wins ‘Shadow Insider Trading’ Trial
- SEC Voluntarily Stays Climate Rules
- New SEC Climate Disclosure Rules – Temporarily Stayed
- Corporate Transparency Act Ruled Unconstitutional