The Ontario Securities Commission (OSC) recently published its Statement of Priorities for the Financial Year to End March 31, 2017 (the Statement). The Statement unveils a new area which the OSC intends to focus its key resources and actions on – cyber resilience. For many, this does not come as a surprise, particularly given the high-profile cyber-attacks on organizations ranging from Ashley Madison to J.P. Morgan. It is now well-recognized that in a market where businesses are exponentially increasing their dependency upon technology, the need to understand and mitigate cyber-security risks is proliferated.
The Statement should serve as a call to action for all businesses that bear cyber-security vulnerabilities – especially those involved in M&A. One example which the OSC points to is the growth of technology facilitated financial services. The introduction of new technologies, such as block chain based crypto-currencies and peer-to-peer lending, is influencing large financial institutions to adapt through acquisition. These transactions will unquestionably give rise to cyber-security concerns. However, even a simple corporate transaction which organically alters an entity’s IT infrastructure can present similar risks. Such cyber-security-related perils are present in two forms: (1) risks to the purchaser and the target organization; and, (2) risks in relation to phases of the M&A process.
It is critical to examine the cyber-security practices and technologies of all merging entities during the due diligence phase. Pre-merger planning should consider the risk of an information security breach as well as potential financial and legal liabilities. By gaining a better understanding of the target’s information security-related processes, the purchaser can adequately evaluate legal compliance, identify risks and adjust the purchase agreement accordingly. For instance, the presence of cyber-security issues may justify a provision allowing for a purchase price adjustments or mandate the inclusion of cyber-security specific indemnities.
In addition to enabling a seamless integration, it is important to ensure that both entities have secure IT policies designed to avert cyber-attacks during the M&A process. Companies are already in a vulnerable position when merging and insufficient IT policies can significantly heighten this susceptibility. In the midst of the M&A process, a cyber-attack can leak details of previously undisclosed acquisitions or potential deals. If successful, the attack can damage negotiation positions, cause irreparable reputational damage, or at worse, cause the deal to fail. As such, it is wise to treat the target company as a third party. This may include separating, securing and protecting all critical data systems. Similarly, both entities would be well advised to identify key employees with knowledge of secure information and ensure that sensitive information cannot be accessed by unauthorized persons.
The cyber threat landscape clearly requires information security to be a key factor for companies contemplating a merger or acquisition. With that being said, a company who knows its risks and actively seeks to address them can prevent costly mistakes before signing on the dotted line.
The author would like to thank Joseph Palmieri, summer student, for her assistance in preparing this legal update.
Stay informed on M&A developments and subscribe to our blog today.