Cyber security is an important consideration in mergers and acquisitions. This is because you could be buying an enormous amount of unknown liability. Cyber security is becoming a key factor in analyzing the amount of risk that a financial strategic buyer will take on after an acquisition. A company’s ability to effectively protect its systems and data and mitigate its exposure will have a direct effect on how much a potential buyer is willing to pay for an acquisition.
What is the cyber risk in and M&A transaction? While acquisition specific, in a nutshell it could be the following:
- Theft of intellectual property or trade secrets
- Loss of sensitive business information and strategies
- Loss of customer/employee data
- damages to reputation and employee/consumer confidence
- Litigation and compliance risk
- Remedial expenditures
- Loss of shareholder value
So, generally speaking, what should an acquirer look for when assessing a merger or acquisition?
- Ensure the seller has strong cyber security and data privacy programs and protection
- Identify and evaluate data risks
- Identify and evaluate regulatory risks
- Is there an emergency response plan in place, has it ever been implemented (or tested) in the past?
- What cyber security insurance coverage is in place?
- Identification of legacy systems
- Understand the liabilities the buyer may be assuming at closing
- Incorporate any liabilities into appropriate documents for the M&A transaction in the form of price adjustments, hold-backs representations, warranties, and indemnities.
To fully evaluate the cyber security risks in an M&A transaction specialized cyber security consultants should be hired along with legal counsel. Both the legal and technical risks need to be fully evaluated so that the risks can be properly allocated, the price can be properly adjusted and contingencies can be put in place before completing the transaction. The last thing a buyer wants is to find themselves to be the proud owner of a company facing a cyber security lawsuit. The attorneys at MLMW regularly handle M&A transactions and work with outstanding cyber security consultants and advisors.
Mallon Lonnquist Morris & Watrous, LLC, is a merger and acquisition law firm. Craig T. Watrous and Reed Morris are Colorado M&A attorneys and partners at MLMW, based in Denver, Colorado. Craig and Reed regularly represent clients on both sides of business purchases. Craig can be reached at cwatrous@mlmw-law.com and (303) 722-2165. Reed can be reached at rmorris@mlmw-law and (303) 927-0011