Introduction

In 2016, amid frenzied negotiations over a sale of Yahoo to Verizon, Yahoo revealed to the world what will remain one of the largest data breaches ever for a long time to come: hackers had managed to compromise 1 billion Yahoo accounts, a number that was later corrected to an estimate of 3 billion accounts. The disclosure of these data breaches caused Verizon to axe $350 million from the amount that it had originally planned to pay as consideration for this deal.

Since then, cybersecurity risks in an M&A context have only multiplied, both in number and complexity.(1) Hackers and ransomware perpetrators have come to recognise how critical M&A transactions are for the players involved. For target companies that are publicly traded, any leakage of price-sensitive information can have a devastating impact on the stock price. For all companies, suffering a cybersecurity incident amid a transaction may result in valuation adjustment, additional indemnities, escrow arrangements and other changes to deal terms.

In December 2021, the US Federal Bureau of Investigation (FBI) issued a private industry notification, warning businesses that hackers are specifically targeting companies on the verge of undergoing significant financial events such as M&A. The dangers of which this notification warned are no less relevant in the Indian context than they are in any other country.

M&A activity in India

In India, data and technology have become the most common drivers of business and acquisitions across sectors. Recent M&A deal activity in India is led by sectors such as:

  • enterprise tech;
  • fintech;
  • edtech;
  • health tech;
  • ecommerce; and
  • consumer services.

These sectors either comprise technology businesses or rely heavily on data, or both.

Cybersecurity issues in India

India's demography and the nature of Indian businesses make India and its corporates particularly attractive targets for cyberattacks. Examples of cyberattacks on Indian institutions include:

  • the breach of the Indian government identity database, Aadhaar, which, by some accounts, was one of the largest ever data breaches and which potentially compromised the records of over a billion Indian citizens;
  • the alleged data breach at India's key online grocery player, BigBasket, which is said to have impacted 20 million users;
  • a data breach at Unacademy, the Indian edtech start-up, which is supposed to have compromised the data of anywhere between 11 million and 22 million users; and
  • a cyberattack on Air India, India's largest international air carrier, which may have affected over 4.5 million users worldwide.

Consequences of cybersecurity incidents in M&A context

In the digital age, the volume and quality of data that a company possesses often directly correlates with its competitiveness. However, companies cannot afford to collect, store, process or delete data without considering the applicable laws that regulate how these functions may be performed with different types of data. In India, for example, rules framed pursuant to the Information Technology Act 2000 prescribe standards of care to be followed in relation to "sensitive personal information or data" such as passwords, financial information or medical records.

On 28 April 2022, the Indian Computer Emergency Response Team issued a set of directions that required an array of stakeholders to follow certain protocols relating to the timeframe for reporting cybersecurity incidents, the synchronisation of clocks, the maintenance of logs and the maintenance of know-your-customer and transaction information for crypto exchanges and virtual private network providers.(2) Depending on the sector in which a business operates, sector-specific regulations that specify additional requirements in relation to data protection may also apply.

In an M&A transaction that involves a transfer of data from one party to another, it is critical to ensure that such transfer:

  • is authorised by the data provider;
  • complies with the terms on which such data was provided; and
  • is consistent with the transferor's privacy policy.

A cybersecurity incident that involves the leakage of any such data may result in:

  • a violation of the terms on which such data was shared with the company by the data provider;
  • breaches of contract (particularly for commercial contracts involving confidential information);
  • audit failures; and
  • loss of business and reputation.

Of course, sharing large volumes of data over the internet during an M&A due diligence process creates a surface ripe for attack.

Mitigation

It is imperative for every company that uses the Internet or a network of computers in its day-to-day business functions to have a robust cybersecurity policy and to conduct timely self-assessment of the three critical components of its information technology infrastructure: hardware, software and networking. In an M&A context, the cybersecurity posture of the target and the acquirer often impacts valuation and other deal terms.

Cybersecurity due diligence, a quintessential part of any M&A due diligence process, should include not only a review of legal and regulatory compliance with applicable cybersecurity and data protection standards, but also a review of the standards applicable under contracts entered into by a target. In this regard, it is important to identify and estimate penalties and other legal consequences that would be attracted if the target company were to suffer a cybersecurity incident in relation to the key datasets it manages. It is also important to involve the IT teams of the acquirer and the target, from an early stage of the transaction, to assess the compatibility of each other's cybersecurity systems and the costs and consequences of integration.

For sharing data virtually during an M&A transaction, only trusted document sharing solutions should be used. Extremely sensitive information may be provided only at an advanced stage of the transaction and should be subject to redaction and password protection as necessary. Where the cost of a cybersecurity incident would be very high, an independent cybersecurity audit of the target company's systems and network, including penetration testing, should be considered. In technology sector deals, parties should consider making the formation of a mutually agreed integration strategy and (post-closing) a cybersecurity risk management policy a condition precedent to closing.

Based on the findings of the due diligence process, the definitive agreements of a transaction should provide for adequate representations, warranties, covenants and indemnities in relation to cybersecurity matters. Representations and warranties should cover risks to a target from incidents that may be suffered by key IT vendors of the target. As with other key risk areas, in technology deals, the trend of procuring cybersecurity risk insurance as part of a transaction is becoming increasingly popular.

Comment

As Indian businesses go through a rapid phase of digitisation, cybersecurity threats will continue to proliferate. The sectors that are witnessing burgeoning M&A activity in India are predominantly technology- and data-centric, which makes cybersecurity a more pressing concern.

While regulations setting strong cybersecurity protocols can be a blessing in disguise for businesses that are lax in how they manage their IT and data systems, instances of large-scale data breaches may spur knee-jerk reactions from regulators that may leave stakeholders scrambling for clarity.

Regardless of whether regulation requires companies to take cybersecurity seriously, the reputational, business and valuation risks that come with cybersecurity incidents should prompt prudent players to assess the state of their IT systems and take mitigation measures to address risks before, during and after an M&A deal.

For further information on this topic please contact Hemant Krishna at Lakshmikumaran & Sridharan by telephone (+91 11 4129 98000) or email. The Lakshmikumaran & Sridharan website can be accessed at www.lakshmisri.com.

Endnotes

(1) Cybersecurity incidents can occur in many forms and frequently involve a data breach of some kind. The most common types of cybersecurity incidents that companies encounter include:

  • phishing;
  • malware;
  • drive-by downloads;
  • SQL injections;
  • denial-of-service attacks; and
  • privilege escalation attacks.

(2) These directions raised privacy concerns and came under heavy criticism for potentially enabling worse outcomes in case of cyberattacks by imposing highly onerous data-maintenance requirements, among others. Due to the concerns, the directions were followed up with certain FAQs and an extension was issued to certain categories of stakeholders for the implementation of the protocols.