By Michael Greene
May 20 — Buyer beware: Despite the lack of attention on the topic, cybersecurity issues can greatly impact M&A deals and should be considered a part of conducting due diligence, according to panelists at the “Cybersecurity Law Institute” May 20.
“The cybersecurity situation of the company you are acquiring affects the value of the company, it affects the liability you might be taking on, and it affects the costs you might have to incur,” Thomas J. Smedinghoff, of counsel at Locke Lord Edwards LLP, said during the conference hosted by Georgetown University Law Center and sponsored by Bloomberg BNA.
Acquirers should imagine trying to buy Target before its breach, Smedinghoff added. “That is the kind of scenario you really need to think about.”
During the session—“Top Cybersecurity Issues in Mergers and Acquisitions”—panelists discussed why cybersecurity issues are so important in the M&A context and what buyers should examine when conducting M&A transactions.
According to a Freshfields Bruckhaus Deringer survey of 214 dealmakers, “78 percent of the respondents believe cybersecurity is not analyzed in great depth or specifically quantified during the M&A due diligence process, despite 83 percent saying that a deal could be abandoned if previous cybersecurity breaches were identified and 90 percent saying breaches could reduce the value of the deal”.
These statistics show that dealmakers believe cybersecurity risks are important, but they are not doing much about it, said moderator Christine Ricci, senior counsel for General Electric Co.
In the past this issue really hasn't been well recognized, and certainly not well discussed, “but that needs to change,” Smedinghoff said.
He added that he is starting to see a recognition by boards of directors, when they are looking at an acquisition, that part of their fiduciary obligations in conducting due diligence is looking at cybersecurity issues.
When asked about the type of due diligence that should be done prior to the letter of intent, Mark Leary, vice president and chief information security officer for Xerox Corp., said that the CISO should be seen as an advisor and included in the process at the earliest stage.
He added that the CISO must understand the purpose and reason behind the acquisition because this allows him or her to give the business development team and senior executives “a risk picture up front.”
The risk picture is not necessarily based on technology, but instead on what threats the company might incur by making the acquisition and on the potential liabilities, Leary said.
The panelists also provided some tips on assessing the cybersecurity of the acquired company.
Conducting a scan of the acquired company's system or penetration testing may not be possible, according to Smedinghoff.
However, although permission to conduct these types of tests may not be forthcoming, he said there are other options. For example, the seller may regularly conduct tests and scans, so the buyer may be able to look at those reports and achieve the same results.
Ultimately, Smedinghoff emphasized that what is important in evaluating a potential acquisition's cybersecurity is knowing whether they have a process-oriented approach to data security.
This process should involve: looking at what data is important; looking at where important systems are; figuring out what to protect; and then doing a risk assessment, he said.
Knowing whether a company has this type of process in place provides some basis for saying that a particular approach or control is appropriate, Smedinghoff said.
Interviews also can be an important part of understanding whether a company's processes are appropriate, Leary said. Sometimes companies do not have documentation on their processes, but having someone with expertise on the subject can pay dividends in understanding the company's capabilities.
The panel also discussed measures that can be taken to ensure that the seller is protecting the intellectual property and assets they are about to sell.
Companies may want to go beyond including a standard clause that conditions the closing on the seller protecting its assets, Smedinghoff said.
Depending on what is learned during the due diligence process, companies may want to consider imposing a requirement that additional data security be implemented and that evidence be provided that it has been done as a condition of closing, he advised.
In some contexts if data has been compromised, the loss can be quantified and damages be assessed. But in other cases—such as buying the formula of Coca-Cola—the value to the company being acquired could be completely compromised, Smedinghoff said.
What looks good on the day of closing may not two months after the closing, he said, adding that there is no such thing as a perfect guarantee.
To contact the reporter on this story: Michael Greene in Washington at email@example.com
To contact the editor responsible for this story: Ryan Tuck at firstname.lastname@example.org