The heavy reliance on technology in today’s data-driven world means that cybersecurity threats must be taken seriously. More specifically, with respect to M&A transactions, a target’s cybersecurity mechanisms have become an important part of the due diligence consideration. Indeed, it is important to have a firm grasp on the nature and extent of a target’s cybersecurity vulnerabilities, the likelihood of a breach, and the procedure in place to remedy a breach, if necessary. These considerations have the power to significantly alter the value of a transaction, or even derail it entirely.

With the introduction of the EU’s General Data Protection Regulation – which caused ripple effects of tightened privacy legislation in other jurisdictions – compliance with the regulatory regime is an important factor. This is particularly so because some targets may not even know that they are subject to certain regulations, and may be acting offside. For example, the GDPR’s strict privacy legislation applies not only to processors within the EU, but also to any processors that target European data subjects. That is quite a broad reach. Therefore, a compliance assessment is also an important factor in determining the value and viability of M&A transactions.

Furthermore, a target’s contractual obligations with respect to cybersecurity, and specifically regarding the transfer of proprietary data, are significant. Such obligations are often connected to incidents of cybersecurity breaches and the associated indemnity in such an event.

Additionally, “employee cyber hygiene”, which refers to how internal personnel are trained with respect to cybersecurity best practices, is also an important consideration. Fending off hacking attempts and reporting suspicious activity are things that employees should be trained in, since their acts could directly impact the cybersecurity of the company. Therefore, the level of employee knowledge and training in this regard can be a telling risk factor.

One of the most important points, however, is knowing whether the target has been the victim of a cybersecurity attack that caused damage to its high-value digital assets without management’s awareness or a clear understanding of its implications for the business and its IP assets. Lack of proper due diligence in this area could result in the acquirer taking on the damages and liability from such past incidents.

As such, a holistic understanding of a target’s current cybersecurity mechanisms, as well as a history of any past incidents, can impact the value of a transaction, since this type of information will yield a more accurate risk analysis.

The author would like to thank Saba Samanian, articling student, for her assistance in preparing this blog post.
