This post is a follow-up to January’s cybersecurity post discussing the cybersecurity considerations in performing due diligence in M&A transactions. The previous discussion can be found here. This post addresses two contractual provisions, the closing conditions and indemnification, which, if properly utilized, can protect acquiring companies from taking on too much cybersecurity risk in M&A transactions.
Closing Conditions
The period between a transaction’s signing and its closing is a time when the parties wait with bated breath, hoping that some catastrophic event does not occur that could bring the entire deal to a screeching halt. To allow an acquiring company to escape the deal if such an event should occur, the deal document often includes closing conditions requiring the target company to be free of any “material adverse event” during the relevant closing period. “Material adverse event” is usually a defined term that has some degree of generality, allowing the parties to argue whether a specific event triggers the ability to escape. However, even with businesses’ heightened cybersecurity sensitivity, the definition of “material adverse event” often does not consider potential cybersecurity breaches. Therefore, in the event of a cybersecurity breach of a target company, there may be uncertainty as to whether the parties are obligated to close the deal.
A simple solution to this uncertainty is to add a closing condition to the deal document requiring the absence of cybersecurity breaches prior to closing. As discussed in the previous post, cybersecurity vulnerabilities can easily go undetected, and this single provision can protect the acquiring company from being forced to acquire a business with potentially unquantifiable liability. A closing condition that addresses cybersecurity breaches is important for businesses operating in almost every industry, including those that handle consumer data, industries dependent on technology, and industries that use electronic payment systems. In order to conform with the specifics of a transaction, the closing condition can be crafted to the particular needs of any given industry or the size of any particular deal. For example, the condition may be tied to the expected number of customers impacted by a cybersecurity breach or tied to the breach of a specific system that is especially valuable to the parties. However, the specific parameters of this closing condition will be subject to negotiation, with the target looking to limit the breadth of a cybersecurity breach that could trigger the provision, and the acquiring company looking to include some generality to the provision, giving it flexibility to escape the deal when faced with a variety of potential cybersecurity liabilities.
Indemnification
It is in the acquiring company’s interest to negotiate for indemnification should a cybersecurity breach occur at the fault of the target or seller. The acquiring company’s most important consideration for such an indemnification provision is to adequately account for all losses that can stem from a cybersecurity breach. As discussed in the previous post, losses associated with cybersecurity breaches can be difficult to predict, may result in millions of dollars of liability, and often exceed insurance coverage. Therefore, the acquiring party will want to negotiate for indemnification that encompasses all losses associated with the cybersecurity breach, including the costs of complying with notification procedures mandated by state and federal law, remedying the underlying security failure, and defending against multiple lawsuits that are bound to arise from the compromise. Due to the unpredictability of potential losses, it will be in the acquiring party’s interest to remove cybersecurity losses from standard baskets and caps that may be found in other indemnification circumstances. On the other hand, the seller or target company will make all attempts to cap its indemnification requirement at some reasonable amount. In the end, the negotiation for indemnification will be decided on the parties’ respective confidence in the target’s cybersecurity protections and policies. Additionally, in cases where a breach triggers a closing condition as discussed above, the parties may decide to reset and renegotiate the indemnification provisions with shifted negotiating leverage.
The Key to Success
A party that adequately addresses cybersecurity issues in all aspects of an M&A transaction will be resistant to the volatile cybersecurity landscape that has developed in today’s business world. Although most companies have begun to implement cybersecurity policies in their business operations, the same degree of mindfulness is not always exhibited when parties negotiate for the sale of a business. In order to ensure a successful acquisition, the parties and their lawyers must be aware of cybersecurity risks and must be cognizant of the appropriate precautions to take when drafting deal documents.
PartnerChris Brinkman practices in the firm's Business Representation & Transactions Group with a concentration in venture capital transactions, start-ups & growth companies, securities, and mergers and acquisitions.
Chris ...
PartnerMark Musekamp is an intellectual property lawyer who advises companies of all sizes and individuals on technology transactions and intellectual property matters relating to trademarks, copyrights, and trade secrets. In this ...
Subscribe
RSS Feed
Follow us on Facebook
Follow us on Twitter
Follow us on LinkedInTopics/Tags
Select- SEC
- Securities Law
- Clawback Rules
- Corporate Transparency Act
- Cybersecurity and Privacy Law
- Securities Regulation
- Nasdaq
- Corporate Law
- IRS
- Coronavirus
- Cybersecurity Regulation
- EDGAR
- EDGAR Next
- Tax Planning
- SEC Enforcement
- Taxation
- Dodd-Frank
- Mergers & Acquisitions
- Paycheck Protection Program
- JOBS Act
- Corporate Tax
- Corporate Governance
- FAST Act
- Economic Sanctions
- Ohio LLC Act
- Consumer Protection Act
- Proxy Access Rules
- Securities Litigation
- Crowdfunding
- Conflict Minerals
- Cryptocurrency
- Hedging
- Real Estate Law
- Emerging Growth Companies
- Investors
- Pay Ratio Disclosure
- Whistleblower
- Private Offerings
- Intellectual Property
- Technology
- Opportunity Zone
- LIBOR
- Executive Compensation
- Health Care Act
- Accredited Investors
- Sales Tax
- United States Supreme Court
- Online Trading Platforms
- Wall Street Reform
- IPO
- Registration Statement
- Annual Reports
- Ohio Foreclosure Reform
- Director Compensation
- Family-Controlled Entities
- Gift and Estate Transfers
- Board of Directors
- Director Independence
- Cyber Insurance
- Data Breach
- Lenders
- Receivership Statute
- Regulation A
- Regulation D
- Total Shareholder Return
- Compensation Committee Certification
- Government Shutdown
- CDEs
- CDFI Fund
- Community Development Entities
- Community Development Financial Institutions Fund
- New Markets Tax Credit
- NMTC
- NMTC Financing
- Regulation Fair Disclosure
- Social Media
- Marketing
- Benefits
- Healthcare Reform
- Litigation
- Public Company Transition Rules
- Employment Incentives
- HIRE Act
- Social Security Tax
- Tax Credit
Recent Posts
- Checking the Box(es): SEC Issues New Guidance Clarifying Clawback Expectations
- Pay vs. Performance and Cybersecurity Disclosure Rules: Will the SEC Retract Rulemaking?
- Corporate Transparency Act Update: FinCEN Eliminates Reporting Obligations for U.S. Companies and U.S. Persons
- Corporate Transparency Act Update: FinCEN Will Not Enforce the CTA Until Interim Rule is Effective
- Corporate Transparency Act Update: Injunction Lifted - Corporate Transparency Act Back in Effect
- Corporate Transparency Act Update: FinCEN Says Reporting Obligations Remain On Hold
- Next Up in 2025: EDGAR Next
- Corporate Transparency Act Update: Supreme Court Stays Nationwide Injunction – CTA Reporting Obligations Back in Effect
- Corporate Transparency Act Updates: Fifth Circuit Vacates the Stay and Preliminary Injunction Reinstated
- Corporate Transparency Act Reporting Deadline Back in Effect; FinCEN Grants Deadline Extension