Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR).
But financial services and insurance companies with New York ties that are considering M&A activity must now look beyond their own data security practices. In recently issued guidance, the New York State Department of Financial Services (DFS) announced the “need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.” DFS further explained that it expects covered entities to “do a factual analysis of how the regulatory requirements apply” to a “particular acquisition.” At a minimum, DFS says that acquiring companies must consider “the target company’s risk for cybersecurity,” “its availability of PII [personally identifiable information],” its “safety and soundness,” and “the integration of data systems.”
And the acquiring company’s obligations will not end at the pre-acquisition due diligence stage. For instance, the DFS regulation requires that a company update its required data security risk assessment “as reasonably [as] necessary to address changes to” a company’s “business operations.” Likewise, under the regulation, any change to a company’s risk assessment requires corresponding updates to its cybersecurity program, policies, and guidelines. For smaller entities, a merger might also push the surviving company over the revenue and employee thresholds to fit within the regulation’s “limited exemption.” In that case, the company “shall have 180 days” from the “most recent fiscal year end” to comply “with all applicable requirements.”
These potential regulatory pitfalls to a merger are not limited to the DFS regulation. For instance, companies considering cross-border mergers and acquisitions will need to determine whether the target company is in compliance with GDPR. Likewise, New York is not alone in regulating data security, and companies acquiring out-of-state entities will need to consider the dramatically varying cybersecurity laws.
Nor are cybersecurity issues purely a question of regulatory compliance. A recent survey found that nearly a third of companies that conducted pre-merger cyber diligence found the target vulnerable to inside attacks.