The world we live in is increasingly data-driven. From an M&A perspective, an essential part of an organisation’s value is its ability to store, manage and protect its data safely and effectively. Buyers take on the liabilities and assets of the target organisation, so an understanding of a its track record of cybersecurity measures is paramount. Buyers must consider the target’s cybersecurity readiness in two crucial contexts: during the due diligence process and as part of drafting and negotiating the purchase agreement.
Due Diligence
The impact of cyber-attacks on an organisation’s worth can be both swift and significant. It harms its reputation and, in the instance of a company operating in a regulated industry, can severely lower the value of its share price.
With corporate-scale cyber-attacks frequency on the rise, an organisation’s cyber security readiness should be part of an M&A due diligence. This could include confirming if the organisation has ever been the victim of a data breach or cyberattack, paid any ransoms to third parties in connection with such an occurrence or been obliged to report a data breach to any regulator, government department, or agency.
It’s also recommended that a thorough examination of its data governance rules, procedures and its cybersecurity practices (including controls) should be undertaken. An enquiry into the frequency with which the entity evaluates its cybersecurity risks and whether the target company’s current security procedures suit the sector in which it operates. Buyers should assess how the target organisation handles data for security and permission needs, limits access, and tracks the movement of information to and from outside the company, including related companies and unconnected third parties.
Additionally, many organisations use third-party platforms that handle or otherwise access their data. Therefore, it’s suggested that buyers think about whether the key third-party partners, suppliers and vendors of the target entity have adequate cybersecurity practices and whether the target organisation’s current contracts with such entities contain adequate legal language regarding such cybersecurity considerations. When evaluating potential third-party partnerships, buyers should also determine how the target company evaluates risk.
Contractual Protections
By negotiating contractual protections in the potential purchase agreement, buyers can also reduce their own cybersecurity risks.
For example, a buyer may need to spend money implementing the necessary modifications to bring the target up to an adequate level of cybersecurity preparedness if the due diligence process discovers serious cyber vulnerabilities or obsolete technology and other systems. To cover these expenses, a buyer could negotiate a lower purchase price. To cover the costs of cybersecurity remediation after the acquisition, a buyer can obtain a holdback on the purchase price that would be paid to the seller.
Buyers can also employ legal representations and warranties to address risk. Buyers value targets on the assumption that representations and warranties are accurate. If the statements and warranties are inaccurate, a buyer may be entitled to cancel the agreement or seek further compensation. Even in cases when a buyer performs thorough due diligence, a seller is in a better position to understand the organisation. The purchase agreement’s carefully crafted representations and warranties can serve as a backup, shielding the buyer from cybersecurity problems that the due diligence procedure might not have revealed. For cybersecurity-related topics, representations and warranties should ideally not be subject to significant materiality or knowledge limitations.
A buyer could, for example, request the following representations and warranties:
- The target has not had a data or security breach, including any breach that necessitated reporting the occurrence to a government institution, regulator, or other third party.
- That specifically approved security standards, procedures, and practices are adhered to by the target (or exceed them, where appropriate).
- And, as specifically stated in the purchase agreement, the target organisation has always operated in accordance with all relevant privacy and data protection legislation.
A general indemnity that enables the buyer to recoup losses for breach of representations and warranties is typically included in purchase agreements in Australia. It’s also advisable to include specific privacy and cybersecurity indemnities in larger acquisitions. Finally, since privacy/cybersecurity flaws might not become apparent until long after completion of the deal, it might be reasonable to have the representations and warranties relating to them last longer than other representations and warranties.
These approaches will help buyers better understand a target organisation’s vulnerabilities, develop a plan to address critical cybersecurity flaws, create a more thorough cybersecurity regime for the target entity after the acquisition, and deal with issues if they arise.