Canada’s burgeoning information technology (IT) sector is a standout in the Canadian mergers and acquisitions landscape. A recent report by Duff & Phelps illustrates that in the first half of 2019, IT was the third most active deal-making sector in Canada with over 104 closed transactions. Against this backdrop, three trends emerge:
- ‘Buying into’ privacy or cybersecurity risk. Buyers are becoming increasingly aware of the importance of conducting rigorous due diligence on a target company’s privacy and cybersecurity systems and practices. Marriott’s data breach in 2018, where about 383 million guest records globally were exposed to cybercriminals, highlights this. The Marriott breach occurred on IT infrastructure Marriott inherited through its acquisition of the Starwood hotels group in 2016. The vulnerability arose in 2014 when the Starwood hotels group’s IT systems were compromised by malware installed by cybercriminals. However, the exposure of customer information was not discovered until 2018. In handing Marriott a £99M fine for infringement of the European General Data Protection Regulation (GDPR), the UK Information Commissioner’s Office stated that organizations must be accountable for “carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” In Canada, generally, the Office of the Privacy Commissioner does not have the power to levy fines as large as what has been seen in the EU and US but has released its findings on several high profile data breaches. As a whole, these finding provide guidance, albeit limited, as to what Canadian regulators consider as reasonable security safeguards by accountable organizations. As privacy regulators globally align on stricter enforcement and larger penalties for data breaches, buyers of Canadian target companies will increasingly focus on mitigating privacy and cybersecurity deal risks.
- Dealing with competition law. There is an emerging global trend of anti-trust authorities becoming more aggressive with the technology sector. The Canadian Competition Bureau is similarly scrutinizing mergers involving technology targets. Typically, in Canada, most mergers in the technology sector do not meet the financial thresholds that require merging parties of potential mergers to notify the Bureau. Nevertheless, all merger transactions, whether or not they are notifiable, are subject to examination by the Commissioner of the Competition Bureau to determine whether they have, or are likely to have, the effect of preventing or lessening substantially competition in a definable market. The Bureau recently expanded the role of its Merger Notification Unit (now referred to as the Merger Intelligence Notification Unit (MINU)) to focus on active intelligence gathering on non-notifiable merger transactions that may raise competition law concerns. The Bureau is also encouraging parties to such transactions to voluntarily engage with the MINU well in advance of closing. To date, the Commissioner has challenged at least one completed acquisition, the acquisition of Aucerna by the private equity firm Thoma Bravo. Aucerna is a Canadian software company operating in the “relatively modest” and specialized Canadian oil and gas software market with annual revenues in the “tens of millions of dollars,” per the Competition Bureau’s statement. Thoma Bravo also has a portfolio company Quorum Business Solutions, that competed vigorously with Aucerna and was the only other licensor, aside from Aucerna, of reserves software used by Canadian oil and gas firms. On the basis that the acquisition would lead to an effective monopoly, the Commissioner required Thoma Bravo to divest the related software business of Quorum Business Solutions. In that vein, Bureau personnel have been actively following up with parties to non-notifiable transactions to request confirmation of certain information.
- ‘Acquiring’ an innovation strategy. Companies outside the technology sector are acquiring technology companies, whereas traditionally acquirers were large strategic technology companies. The motivation for this new breed of buyers is not consolidation, acceleration of market access, acquisition of cash-flows or any of the typical rationale for acquisitions. Rather, as part of their innovation strategies, these companies are realizing that it may often be cheaper or faster to acquire desired skills or technologies rather than building those, or having those built for, themselves. For example, significant deal activity in fintech can be attributed to financial institutions such as banks and insurance companies buying technology assets to transform their businesses and service offerings.
These trends are likely to shape IT transactions in several ways:
- At the outset of an IT transaction, parties to a merger involving technology assets will want to consider whether or not to engage early with the Competition Bureau where a contemplated transaction is non-notifiable.
- The due diligence stage will focus more deeply on a target company’s privacy and cybersecurity policies and practices. Given the scant guidance by Canadian regulators on what constitutes reasonable measures to avoid privacy and cybersecurity breaches, coordinated legal and technical due diligence is required to identify and analyze potential issues. Mitigation of these issues will involve strategic negotiation of the specific privacy and cybersecurity representations, warranties, covenants and indemnification, as well as pre-closing remediation of the same.
- The negotiation of ancillary deal agreements, such as transition service agreements that provide for services by the seller post-closing will should be considered early in the deal timeline where a buyer, outside the tech sector acquires a technology company as part of its innovation strategy. Typically, this buyer will lack the resources to quickly integrate the acquired assets within its infrastructure while the seller most likely will not want to provide transition services and such negotiation are likely to be lengthy.
In short, these emerging trends are likely to deepen and broaden the scope of due diligence, especially regarding privacy and cybersecurity and will likely impact the deal timeline if parties need to account for competition law issues or transition services.
Stay informed on M&A developments and subscribe to our blog today.