- Questions should be asked about the company's technical and organizational measures to protect data and ensure compliance with applicable laws. The company’s overall cybersecurity posture should be assessed to determine if it is appropriate for the volume and sensitivity of data it handles. Ideally, information will be provided about the technical infrastructure, including the target’s security and threat detection systems and its backup and disaster recovery plans.
In order to assess the effectiveness of these systems, the target should be asked about its breach history and, just as importantly, its history of testing of these systems (e.g., penetration and vulnerability testing, backup plan testing, and internal or external audits of the privacy program and infrastructure). Where available, testing and similar reports should be reviewed.
The company’s privacy governance should also be investigated. While it is preferable for a company to have a dedicated privacy officer and compliance function, smaller or growing companies often distribute responsibility for privacy among various groups—in particular, the IT and HR functions. While this may not be a material issue as a matter of course, it may hint at a lack of sufficient organizational controls, particularly in a company that has experienced rapid growth and especially if that growth includes expansion into jurisdictions with more stringent privacy requirements such as the EU. If that is the case, further investigation should be undertaken. Other factors to consider in assessing the target’s data governance posture are its employee training, internal policies and procedures, and its audit function.
- Once the analysis of cyber risks has been completed, the purchase agreement should be drafted to reflect the risks. Buyers should resist the temptation to rely on general compliance with laws and instead include specific privacy representations in the agreement that address the unique circumstances of the deal. This approach may help to force a target to disclose information needed to understand the cyber risks and may lead it to make additional disclosure about its historical practices.
- Representations, though, are vulnerable to being weakened by disclosures made against them. In these cases, covenants requiring the target to remediate known issues may be considered. These may be resisted, however, especially if they could lead to uncertainty about closing. A compromise may be to require remediation on a best effort basis pre-closing. Indemnification or representations and warranties insurance may also help to bridge any gap between buyer and seller.
Post-closing
Once the deal has closed, careful attention must be paid to integration of the target and its data and IT infrastructure. Three issues commonly arise. Two relate to a misalignment between the buyer's business and cybersecurity practices and those of the target. The third has to do with added cybersecurity risks.
- The first has to do with the buyer's use of the target's data. Many jurisdictions limit the use of data to the purposes originally consented to when the data was collected, to a defined set of legitimate uses, or to a combination of both. If such restrictions apply, the buyer may find that it needs to take additional steps to use the data as planned. One way to do this is by obtaining fresh consents to allow for the new uses of the data.
- The second issue that can arise is that the buyer’s privacy or security governance isn’t aligned with the obligations it is taking on as a result of the acquisition. For example, a Canadian company acquiring an international data set may inherit new, foreign privacy law obligations and industry regulatory requirements. One pragmatic approach may be to assess the target’s data to see if deleting or anonymizing parts of the data pool could address the issue, although any such steps would need to be in accordance with applicable privacy and other laws, including record keeping and retention requirements. Alternatively, the buyer could upgrade its systems and governance to provide the same level of protection committed to by the target. This approach would make sense where the data is sufficiently valuable to the buyer to warrant the expenditure.
A buyer could also try to address these issues through the purchase agreement by carving out the data it does not wish to receive or requiring the target to destroy certain data before closing.
- The post-closing phase of a transaction is also subject to cybersecurity risks. The integration of two or more companies’ operations and systems may lead to new vulnerabilities through, for example, system incompatibilities or human error. The transfer of data between the parties is also a potential vulnerability, as is the risk of misconduct by employees of either the buyer or target, especially if the transaction was contentious. Thorough diligence likely will have highlighted at least some of these types of issues, but others may only become apparent in the course of time.
A final note
Just as transaction data needs to be protected throughout the deal, companies and their lawyers and bankers must be mindful of the risk of common cyber scams targeting large deals. In particular, wire transfer fraudsters may infiltrate the systems of companies or their advisors to provide false banking instructions for receipt of the purchase price. Amid the sprint of closing a transaction, those responsible for transferring funds should not rely on email instructions but rather should confirm banking details live, preferably over video call. Fraudsters may go to great lengths to falsify their voice on the phone.