Cybersecurity and M&A – Would you buy a Cyber-Risk?


You are using your good old due diligence checklist, right? I have some news: time for an update. Here are the legal implications of the so-called cyber-threats and some suggestions on how to manage cybersecurity risks in an M&A process.

Cyber-what? For many, cybersecurity is an esoteric expression that lies at the borders of ordinary knowledge. What everybody knows is that cybersecurity has to do with measures to prevent the risks associated with the use and misuse of computers and the internet and, notably, with the transmission of malicious software (“malware”) and intrusions by hackers (“cyberattacks”). Here I do not mean to be too technical on how they work; I will rather focus on the implications of such risks (but click here for some quick wiki background).

What can cyberattacks do to you? They can steal, encrypt, manipulate or erase data, disable software programs, single computers or entire IT networks, intercept communications, and many other bad things. Why? To steal money, identities, secret information or intellectual property, to freeze business operations or simply to cause damage. Cyberattacks may harm not only your company’s operations, but also its relationships with regulators, clients and suppliers and, ultimately, its reputation.

Civil liability implications. Of course, there is also a civil liability angle to cybersecurity. Apart from their obvious criminal nature, cyberattacks may trigger a number of liability issues for the victim company: stolen third-party data and intellectual property may give rise to serious legal claims and to fines from regulators, and frozen IT systems may block operations, resulting in business interruption and contracts not being fulfilled. In this respect, on top of having systems and processes in place to prevent threats, having a cyber-disaster action plan ready seems a good idea, and a good cybersecurity lawyer may be able to give useful input on that (see a Cybersecurity presentation from our experts here).

So… would you buy a cyber-risk? Let us move to the M&A world for a second. Would you buy a company with cybersecurity issues? Certainly not. Although banks, financial services firms, online retailers and defense companies are natural targets for cyberattacks, no organization is really safe. Recently, the UK newspaper The Guardian reported a scary trend in attacks on small businesses (click here for the article). So why is it that nobody seems to care about cybersecurity issues in M&A? I am not sure, but I suspect that M&A guys and IT guys do not really talk to each other. In my case, being an M&A lawyer and a tech geek at the same time helps (but having a strong cybersecurity practice where I work helps more). Below are some initial suggestions on how to manage cybersecurity risks in an M&A process.

IT security due diligence. Surprisingly, real risks seldom leave documentary evidence behind them. That is why sending a cybersecurity expert into the field turns out to be a very smart move. A cybersecurity expert is basically an IT specialist who not only checks the target’s IT design and architecture and its software and hardware protections, but also assesses whether its IT policies and response plans are effective, if it has any. Internal policies actually matter: many cybersecurity incidents are due to employees’ negligence rather than to the hackers’ skill.

Legal due diligence. The cybersecurity legal due diligence should address the following issues: (i) internal cybersecurity policies, including internet usage policy, IT risk management, data recovery plans and attack response plans; (ii) records of past cyberattacks; (iii) cybersecurity insurance policies and business interruption insurance policies; (iv) cybersecurity clauses in procurement contracts (notably IT procurement).

Interim period rules and MAE clauses. Once risks have been detected through vigorous due diligence, a key point to consider is how to manage a cybersecurity issue occurring during the interim period between signing and closing the deal (the length of which typically depends on the conditions precedent to closing, such as antitrust clearances). Normally, an M&A agreement provides a set of rules that the parties (and notably the vendor) shall observe during the interim period. That would be the perfect place for an additional rule on how to manage a serious cybersecurity issue (e.g. a loss of clients’ financial data). An even bigger issue is what to do if an attack takes place that affects the value of the deal. Here MAE clauses may come in handy. An MAE (material adverse event) clause is a remedy that allows the buyer to withdraw from the deal if certain events occur.

R&W. Unfortunately, not all issues can be detected through a one-time due diligence check. And what about past attacks that have not been disclosed during the due diligence review? Here the usual set of representations and warranties from the vendor may be enlarged to include statements in respect of any past incident, loss of data or related third-party claim. The manner in which post-merger integration is managed may also be key to identifying cybersecurity issues in the target company sooner rather than later.

Indemnities and other remedies. The breach of an interim period obligation or of a representation typically involves the payment of an indemnity, which is usually subject to certain deductibles and caps, to the exclusion of any other remedy. However, in the case of undisclosed cybersecurity issues, the damage may be such that a cap would not be appropriate. A high risk of undisclosed cybersecurity issues may also suggest more radical remedies, such as post-closing termination rights.

Copyright Giorgio Mariani 2016. All rights are reserved.
