Firms engaged in mergers and acquisitions need to ensure from the outset that their communications are taking place in a cyber-secure environment. Online data rooms are rich targets for cyber criminals. The flow of information between buyers, targets and their consultants is particularly tempting, so a secure online data room is essential, but in and of itself, may not be enough.
Cybersecurity in the context of M&A is about much more than keeping the process secure: it is key to the value of the deal. The acquisition of one firm by another requires that the buyer determine the value of the target corporation. This necessarily includes an assessment of risk and compliance issues. The extent to which a target corporation has maintained a cybersecurity strategy, and has the requisite systems and processes in place, is a major risk and compliance consideration.
No buyer wants to acquire a business whose systems may be compromised, or whose system security has not been maintained to a high level. The issue is not just risk, but valuation as well. It follows that M&A due diligence in today’s digital environment necessarily involves inquiry into and assessment of the target corporation’s cybersecurity history, systems and processes.
Due diligence should not be limited to M&A. In our note “How Much Cybersecurity is Enough”, BLG partner, Ira Nishisato discussed the need to identify a company’s applicable standard of care, which acts as the dividing line between conduct that renders it liable, and that which does not. Once identified, this standard can be realized through the planning and development of tailor-made internal systems and processes. A written, formalized response plan is a case-in-point.
Written cybersecurity policies are useless unless they are successfully implemented. They need to meet the applicable standards, not only on paper, but in fact, and on an ongoing basis. Best of class cybersecurity strategies ensure that policies are implemented, and remain implemented, with compliance audits that are conducted on a regular basis. It is not uncommon to see requirements for compliance audits in cyber insurance policies. Nor is it uncommon to see them in vendors’ contracts, especially where the vendor’s product or service is critical to the purchaser’s business, or where the vendor has access to the purchaser’s servers or communication systems.