The widespread impact of the COVID-19 pandemic (“pandemic”) continues to highlight the several ways in which M&A transactions have had to adapt to changing times, particularly by ramping up cyber-security measures in a digital world. Prior to the pandemic, there already existed a shift towards cyber-security due diligence since many businesses relied on digital assets. As a result, increased protection was paramount, since a deficiency in the cyber-security measures of a target could lead to potential liability on the part of the buyer after the transaction had closed.

Another Shift Caused By The Pandemic

The pandemic forced many businesses to quickly resort to a remote working environment and did not allow much time for a transition. New measures had to be put in place in real time. As a result, cyber-criminals have been able to infiltrate the information technology environments of targets, increasing those targets' cyber risk profiles. This threat comes after an already increasing number of phishing attacks in the past year, which, according to Microsoft, had increased by 70%. Therefore, the quick shift to remote working and online data rooms, coupled with the lack of a dedicated cyber team, presents increased risks and makes it easier for attackers to identify gaps and attack. Without proper incident protocols and response times, the impacts of such attacks can raise cyber risk profiles high enough that the buyer no longer aims to acquire the target.

How Can Parties In M&A Transactions Respond?

The increased cyber threats make it vital for all businesses to make the necessary changes to their cyber-security incident protocols in order to ensure that response times are efficient and effective. Furthermore, it is important for buyers and sellers to have a strong understanding of the digital assets in the transaction, how they are protected, and the consequences in the event of a breach. If the relevant parties have these discussions early on in the life of a transaction, it could prevent hostile negotiations down the road.

Of particular importance is how information is communicated during the life of a transaction. Parties should feel comfortable with where the information is housed (e.g., a secure data room) and the team responsible for controlling and disseminating such information. If there are incompatible remote working abilities between the parties, this should be addressed on a priority basis.

It is important to remember that these are not just temporary measures. On the contrary, effective cyber-security protocols and the learned ability to communicate the measures that are in place are assets that businesses can benefit from in the future, and ones that would give them enhanced negotiating advantage in transactions.

Will There Be A Trend In Software Security Acquisitions? 

As we close in on eight months of remote working, technology companies that support remote work have been in demand. These companies offer private network services, and most of them take a cloud-first approach. These companies are also working towards a potential hybrid work model in the future, which means that a portion of employees will be working from home while another subset of employees will be working at the office. Businesses with increased foresight want to ensure that they can provide employees with the same reliable access to all critical applications, and technology companies that offer those services are in high demand as a result. Furthermore, technology companies that are highly adaptable and flexible may become the targets of future acquisitions.


While the pandemic continues to shift the working model that many businesses have become accustomed to, it is important to think not only about preventative measures with respect to cyber-security breaches, but also about how businesses can best position themselves to use their strengthened response measures as an asset. These abilities will likely become important considerations in M&A transactions during and after the pandemic.