A. Risks and consequences
Data breaches, ransomware attacks, and other cyber security incidents may cause reputational damage. This erodes consumer trust and harms the brand and image of the target company, potentially leading to a significant loss of value. Additionally, cyber security incidents can trigger class action lawsuits and legal claims from data subjects and other affected parties, as well as sanctions and operating restrictions from regulatory authorities, which are increasingly vigilant about cyber security compliance.
Several cases over the past years demonstrate the risks and consequences. In one case in the European market, a massive data breach involving the personal data of the target's clients was discovered after the acquisition had taken place. The data protection authority with jurisdiction issued a fine in the millions, millions of data subjects brought two class action lawsuits, and the company was required to implement a comprehensive security program to settle Federal Trade Commission charges (including the payment of a penalty in the millions). The breach had occurred years before the acquisition, but the buyer had only been able to carry out limited due diligence on the target's data processing systems and databases and therefore failed to detect it.
Cyber security risks have implications beyond immediate legal and financial concerns. This is even more true for private equity fund investment. Time to exit and valuations are critical for the investor, which has a limited (and often quite short) time to prepare its target for a successful exit. Discovery of a cyber security or data breach issue would likely affect both the timing and the conditions of that exit. A history of data breaches or unresolved cyber security incidents can severely impact a target company's future exit strategies and returns for investors (whether in a secondary buyout or an IPO (initial public offering)). The exit valuation may be directly reduced by liabilities arising from sanctions, or by the capex required to remediate breaches and bring the target into compliance with applicable rules and best practices.
B. Practical tips: Potential ways to identify breaches and mitigate consequences
Cyber security and privacy risks can be identified and mitigated in multiple ways throughout the M&A process: through due diligence, and through representations and warranties, indemnification, and insurance provisions in the transaction documents. The type of business conducted by the companies involved is key. The more the business depends on data, including personal data, the more extensive the investigation of cyber security and data risks should be.
Legal and technical due diligence on IT systems
When it comes to managing and mitigating cyber security risks during M&A transactions, the role of due diligence cannot be overstated. It is key to identifying risks, and both the legal and the technical due diligence processes must be rigorous and thorough. Legal due diligence should examine the target company's compliance with relevant data protection laws, policies, and procedures, including an evaluation of the cyber security frameworks and protocols that the target has in place.
Likewise, technical due diligence must assess how sophisticated and robust the target's IT systems are, and should do the same for any systems or services sourced from third-party providers. It is critical to ascertain whether these systems are supported, patched, and in line with current good practice, and to identify any necessary enhancements or upgrades. Any gaps and findings from this evaluation must be addressed prior to finalizing the transaction to minimize exposure to future risks.
In general, legal and technical due diligence on IT systems is needed to evaluate the target's cyber security preparedness and to uncover vulnerabilities, previous incidents, and outdated IT systems.
How to deal with prior breaches
If due diligence reveals issues with the target's IT systems, the options available to the buyer depend on the nature of the issues identified. If due diligence reveals previous data breaches, it is essential to obtain detailed documentation of the actions and solutions implemented by the target company. This documentation allows the buyer to assess whether the target company has properly remediated the breaches and thereby reduced the residual risk, including the risk of sanctions. For instance, if a data breach involved personal data, due diligence should further investigate whether the target company reported the breach to the Italian Data Protection Authority (under the GDPR, notification to the supervisory authority is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach), informed the data subjects, or made and documented an assessment that those actions were not required based on the specifics of the case.
How to deal with weak IT systems
If due diligence reveals a vulnerable or outdated IT system, the buyer should anticipate the additional costs the target will need to incur to enhance its security systems. This may prompt the buyer to lower the purchase price or to request specific representations and warranties and indemnities on data protection and cyber security, backed by holdback and escrow mechanisms, in order to protect itself against both identified and unidentified cyber risks.
Some examples of these types of representations and warranties include:
- target compliance with any applicable rules pertaining to processing personal data, such as the General Data Protection Regulation (the GDPR) and the Italian Data Protection Code;
- the target company's IT systems being in standard working condition and the data in the target company's possession being adequately protected, including through the implementation of appropriate system security, business continuity, and recovery procedures;
- the absence of cyberattacks and/or other incidents that have resulted in data loss, removal, corruption, or compromise;
- the absence of claims from third parties or pending proceedings relating to the target company’s personal data processing.
Representations and warranties insurance policy
To cover a buyer against losses from a seller's breaches of the representations and warranties on data security and privacy given in the transaction documents, the buyer may obtain a representations and warranties insurance policy. Although such a policy can be a useful tool for the execution of a transaction, it usually does not cover cyber security risks fully. To maximize coverage, the insurer or broker may require the insured (i.e., the buyer) to carry out in-depth legal and technical due diligence on the IT systems. It may also request a specific standalone insurance policy covering the target company against unknown cyber security risks, together with specific due diligence on that cyber security insurance policy; the warranty and indemnity policy will then only respond in excess of the existing cyber security policy. The same goes for privacy risks, for which the representations and warranties policy requires thorough legal due diligence.
In both risk areas, the economic recovery available for future liabilities under contractual representations and warranties (even where covered by the warranty and indemnity policy) is usually capped and otherwise limited. In the case of major liabilities, it may not provide adequate protection for the buyer. Therefore, especially in private equity transactions, the due diligence carried out prior to acquisition must be especially thorough. The same is true for audits of the target's cyber security and data management systems during the holding period. These are key to identifying, managing, and mitigating risks in this area in general and with regard to private equity investment in particular.