At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated.
In light of the global threats that potentially could affect every business ("no one is safe"), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues.1 Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions.
A recent regulation of the New York Department of Financial Services ("NYDFS") now specifically addresses cybersecurity risks in M&A transactions. The NYDFS's regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!'s failure to disclose the breach2 until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches3.
In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: "when Covered Entities4 are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions."
Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents.
Cybersecurity Due Diligence
The scope of cybersecurity due diligence needs to be assessed on a case-by-case basis. Still, the following categories could serve as a guideline for structuring (at least the first phase of) the cybersecurity due diligence process:
Status quo assessment
At first, acquirers need to assess which data and other digital assets are important to the business of the target company and how the target company processes and stores such data.
Assessment of internal rules and regulations
The target company should have internal rules and regulations on how to protect its digital assets. Acquirers should assess (i) whether such internal rules and regulations are appropriate in the circumstances and meet industry standards, and (ii) whether or not the target company has effectively implemented such rules and regulations (i.e. do they regularly train their employees? Are security measures actually implemented? Are they aware of any non-compliances?). It is very important to assess whether the target company is properly prepared to identify cyberattacks and to respond within the relevant timeframes5>.
Assessment of compliance with external regulations
Where applicable, acquirers should assess the target company's compliance with any external regulations governing cybersecurity issues.
Assessment of third-party relationships
Acquirers should investigate all (relevant/material) third-party relationships of the target company and assess whether the agreements with any vendors and other suppliers and contractors have appropriate contractual protection in place that ensure that the third party properly deals with the target company's data and has (at least) appropriate IT security systems in place. Third-party contracts should also provide for contractual notification obligations and emergency response mechanisms, as well as audit rights for the target company to verify compliance with the foregoing.
Assessment of past security breaches
Most importantly, acquirers should confirm with the target company whether there have been any past (known) security breaches and if yes, assess their scope and impact, e.g. what information has been obtained? Which information has been manipulated? Has the company complied with mandatory reporting/disclosure obligations? How did the company react to the breach? Has the leak been fixed?
If no breach has yet been identified, acquirers should ask for specific (positive) confirmation. However, acquirers must also acknowledge that businesses are often unaware that an attack has occurred or is still ongoing.
Cybersecurity in Transaction Documents
Cybersecurity risks should eventually also be dealt with in the final and binding transaction documents (e.g. share or stock purchase agreement):
Representations and warranties
Representations and warranties relating to the target company's business typically should cover (i) what has been disclosed during the due diligence and (ii) what has not been disclosed or cannot be assessed during the due diligence (e.g. absence of certain circumstances, e.g. security incidents). They typically protect the acquirer from unknown risks and confirm its assumptions for the deal.
Acquirers of a business should consider requesting appropriate representations and warranties, including on the absence of current and past security incidents, implementation of appropriate internal rules and regulations and compliance therewith, compliance with applicable data protection and data / IT security laws, and absence of disputes and investigations relating to cybersecurity and data breaches.
Indemnities are typically requested in relation to specific identified risks, such as pending litigation, or risks of a general nature, for which acquirers expect that issues will likely arise in the future, such as pre-closing taxes or, in some jurisdictions, environmental matters (concerning leaks that occurred prior to closing).
In relation to past (identified) breaches, acquirers will thus likely cover any risks via indemnities. It is to be seen whether cybersecurity risks will in the future be regarded as being on the same level as tax and environmental risks and whether acquirers will try to shift pre-closing cybersecurity risks to vendors.
Cybersecurity is a major, global risk that should also be taken into consideration in an M&A process. As part of the due diligence, acquirers should investigate the cybersecurity risks of the target company and should properly reflect the results of their due diligence in the transaction documentation.
1 E.g. Art. 33 GDPR (Notification of a personal data breach to the supervisory authority) and Art. 34 GDPR (Communication of a personal data breach to the data subject).
2 Altaba, formerly known as Yahoo!, has been charged with failing to disclose a massive cybersecurity breach and agreed to pay a USD 35 million penalty; this is the first enforcement action of the Securities and Exchange Commission of the United States against a public company relating to cyberbreach notification. Source: https://www.sec.gov/news/press-release/2018-71
3 "To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller's or the Business Subsidiaries' information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller's or the Business Subsidiaries' possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller's or the Business Subsidiaries' possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect. (...)";more information here
4 "Covered Entity" means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
5 E.g. Art. 33 para 1 GDPR: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority (...). Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay." or Art. 34 para 1 GDPR: "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.