In today’s M&A transactions, cybersecurity deficiencies in a target company pose potentially significant financial and regulatory risks to the acquiring company. For this reason, new measures must be implemented in M&A transactions to protect both companies from today’s emerging cybersecurity epidemic.
Effective Due Diligence
Both companies must strive to ask and answer the right questions through the due diligence process. Through diligence, the acquiring company should become familiar with not only the written cybersecurity policies of the target company, but also the importance the company places on those policies. If upper management or even basic employees of the target company are not well-versed on the company’s cybersecurity policies and how they affect day-to-day operations, then it is likely that the target company does not sufficiently prioritize its cybersecurity. Additionally, the acquiring company will want to obtain assurances from management of the target company that the company does not have a history of cybersecurity breaches, is in compliance with payment card industry (PCI) regulations, and has protections in place to prevent competitor and insider theft.
However, just because the target company has not identified a cybersecurity breach or risk does not mean the risk or breach does not exist. Take Home Depot for example. With Home Depot, a hacker used a vendor’s username and password to obtain access to Home Depot’s network where the hacker was able to pull payment card information of up to 56 million customers. The hacker collected this information by sitting in Home Depot’s system undetected for six months. Clearly an acquiring company must go beyond mere assurances from management, and should conduct its own investigation of the policies to determine whether the target company has cybersecurity measures mature enough to identify risks and breaches as they occur. If cybersecurity concerns are identified in diligence, deal terms can be arranged that require funding for third-party independent assessments and implementation of expert recommendations.
Representations and Warranties
The acquiring company will want to obtain adequate representations and warranties to shield it from liabilities stemming out of an undiscovered or hidden cybersecurity risk. The protections should apply to all the various types of cybersecurity risks in play, including (i) non-compliance with PCI regulations, (ii) the breach of sensitive information through rogue hackers, government espionage, competitor espionage, and insider theft, and (iii) potential losses or interruptions in business caused by the implementation of new cybersecurity technology (unforeseeable consequences of switching to a chip-reading payment system, for example). Additionally, the target company should have adequate insurance to cover potential cybersecurity issues. Home Depot, for example, recorded $63 million in pretax expenses related to its cybersecurity breach, but that amount was only offset by $30 million of expected insurance proceeds. Without the proper representations and warranties in place, an acquiring company could potentially be on the hook for millions of dollars in damages and the potential of decades of FTC reporting requirements, all stemming from the acquisition and continuation of business practices of a target company with inadequate cybersecurity protections.
Both the target company and acquiring company in an M&A transaction will benefit from taking a hard look at the cybersecurity measures of each company. The acquiring company may find itself the victim of a data breach through the use of acquired hardware, or the linking of its network with a poorly-secured target. The target may find itself with unfavorable deal terms if it does not have effective cybersecurity policies and knowledgeable cybersecurity personnel in place. If the businesses involved are heavily information- or retail-based, there is a strong incentive to obtain the guidance of cybersecurity experts and legal counsel proficient in such issues. In the end, these experts may be the saving grace that causes the implementation of certain network protections, the wiping of compromised computers and hardware, or the abandonment of a disastrous deal.
Please contact a member of our KMK Cybersecurity & Privacy Team to assist with any aspect of due diligence, risk management, information governance plans, policies, procedures and technologies, and defense of litigation arising from cyber-attacks and data breaches.
Rob Lesan is co-leader of the firm’s Business Representation & Transactions Group. He has broad experience in mergers, acquisitions and divestitures encompassing both public and private acquisitions, dispositions ...
Joe Callow, Litigation Partner
email@example.com or 513.579.6419
Rob Lesan, Business Representation & Transactions Partner
firstname.lastname@example.org or 513.579.6939
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- GDPR Compliance: What is Privacy Shield 2.0?
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern