At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated.
In light of the global threats that potentially could affect every business ("no one is safe"), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions.
A recent regulation of the New York Department of Financial Services ("NYDFS") now specifically addresses cybersecurity risks in M&A transactions. The NYDFS's regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!'s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches.
In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: "when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions."
Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents.
Cybersecurity Due Diligence
The scope of cybersecurity due diligence needs to be assessed on a case-by-case basis. Still, the following categories could serve as a guideline for structuring (at least the first phase of) the cybersecurity due diligence process:
Status quo assessment
At first, acquirers need to assess which data and other digital assets are important to the business of the target company and how the target company processes and stores such data.
Assessment of internal rules and regulations
The target company should have internal rules and regulations on how to protect its digital assets. Acquirers should assess (i) whether such internal rules and regulations are appropriate in the circumstances and meet industry standards, and (ii) whether or not the target company has effectively implemented such rules and regulations (i.e. do they regularly train their employees? Are security measures actually implemented? Are they aware of any non-compliances?). It is very important to assess whether the target company is properly prepared to identify cyberattacks and to respond within the relevant timeframes.
Assessment of compliance with external regulations
Where applicable, acquirers should assess the target company's compliance with any external regulations governing cybersecurity issues.
Assessment of third-party relationships
Acquirers should investigate all (relevant/material) third-party relationships of the target company and assess whether the agreements with any vendors and other suppliers and contractors have appropriate contractual protection in place that ensure that the third party properly deals with the target company's data and has (at least) appropriate IT security systems in place. Third-party contracts should also provide for contractual notification obligations and emergency response mechanisms, as well as audit rights for the target company to verify compliance with the foregoing.
Assessment of past security breaches
Most importantly, acquirers should confirm with the target company whether there have been any past (known) security breaches and if yes, assess their scope and impact, e.g. what information has been obtained? Which information has been manipulated? Has the company complied with mandatory reporting/disclosure obligations? How did the company react to the breach? Has the leak been fixed?
If no breach has yet been identified, acquirers should ask for specific (positive) confirmation. However, acquirers must also acknowledge that businesses are often unaware that an attack has occurred or is still ongoing.
Cybersecurity in Transaction Documents
Cybersecurity risks should eventually also be dealt with in the final and binding transaction documents (e.g. share or stock purchase agreement):
Representations and warranties
Representations and warranties relating to the target company's business typically should cover (i) what has been disclosed during the due diligence and (ii) what has not been disclosed or cannot be assessed during the due diligence (e.g. absence of certain circumstances, e.g. security incidents). They typically protect the acquirer from unknown risks and confirm its assumptions for the deal.
Acquirers of a business should consider requesting appropriate representations and warranties, including on the absence of current and past security incidents, implementation of appropriate internal rules and regulations and compliance therewith, compliance with applicable data protection and data / IT security laws, and absence of disputes and investigations relating to cybersecurity and data breaches.
Indemnities are typically requested in relation to specific identified risks, such as pending litigation, or risks of a general nature, for which acquirers expect that issues will likely arise in the future, such as pre-closing taxes or, in some jurisdictions, environmental matters (concerning leaks that occurred prior to closing).
In relation to past (identified) breaches, acquirers will thus likely cover any risks via indemnities. It is to be seen whether cybersecurity risks will in the future be regarded as being on the same level as tax and environmental risks and whether acquirers will try to shift pre-closing cybersecurity risks to vendors.
Cybersecurity is a major, global risk that should also be taken into consideration in an M&A process. As part of the due diligence, acquirers should investigate the cybersecurity risks of the target company and should properly reflect the results of their due diligence in the transaction documentation.