The prospect of a cyber-attack is an ever-increasing concern: cyber-criminals are sophisticated, clever and have no respect for geographical boundaries. But during M&A transactions, are buyers, sellers and advisers being diligent enough in taking account of this fast-evolving “super-risk”?
Through the due diligence (DD) process, buyers should, amongst other things, undertake the difficult task of formulating a cyber-risk profile of the target business.
- Buyers should bring cyber-security to the table early on in the M&A process: appoint the right team (internal and/or external) to ask a bespoke set of cyber-security questions which will allow a full and careful analysis of the target’s cyber-security systems, processes and past history.
- Sellers should be prepared to present a sophisticated response and set out the operational reality of a (hopefully) mature cyber-risk management strategy.
Cyber-governance is not just about technology. It relies on operational and commercial safeguards too. Buyers will want to see that cyber-risk is consistently managed across each level of the business. If the results of cyber-security DD are unsatisfactory, they could seek to re-negotiate key terms, include indemnity protection, or even abandon the deal.
It may therefore seem attractive to sellers to withhold details of past, current or likely future cyber-infringements; in the UK at least, there is no obligation to reveal them. However, as the results of DD will be supported by warranty statements in the sale and purchase agreement, a full and proper disclosure exercise is in sellers’ interests. Inadequate disclosure of cyber-security infringements, or of weaknesses in the target’s cyber-security processes and procedures, may result in significant damages claims against sellers if a buyer suffers related losses after completion in circumstances which constitute a breach of warranty. But no claim will lie against sellers who have properly disclosed the facts which give rise to the breach of warranty.
A huge amount of sensitive data is shared, collated, reviewed and negotiated in the cyber-space during the M&A process. How can parties and their advisers maximise its security?
- Cyber-security policies and procedures should be carefully reviewed and updated by each party at the outset of the deal to ensure compliance with current best practice.
- Project names and party pseudonyms should be used carefully and consistently, especially in email traffic which can be voluminous and rapid.
- Confidentiality agreements should be cautiously drafted and tailored around the specific organisational and technological channels facilitating the deal. The degree of care extended by the buyers to the security of the sellers’ data should be at least that applied by the buyers to their own confidential information (and sellers should carry out reverse due diligence to check that the buyers’ policies and processes are sufficient). Any obligation on buyers to flow down contractual confidentiality protections to advisers or employees who are permitted to receive the sellers’ confidential information should be strictly implemented.
- Virtual datarooms are an efficient way to control and manage the flow of information. However, by their very nature they are cyber data-sharing tools, so bring with them a whole host of cyber-risk concerns. In mitigation, most platforms are hosted by the sellers and password protected, with individual accesses (including the ability to download, print or copy) restricted to specific areas and relevant documents. DD enquiries can be presented, updated and responded to all within the secure platform. Wherever possible, data should be shared exclusively within the dataroom, avoiding less secure channels such as email.
- Personal data should be anonymised to the fullest extent possible before sharing. Parties within Europe should also consider the change to the EU data protection regime (applicable from May 2018), which will require the disclosure of personal data breaches to regulators. Details of actions taken by regulators as a result will become publicly available and financial penalties for breaches of personal data security will massively increase. The new regime may impact on timing, cost and deal-confidentiality if infringements occur during negotiations.
- Cyber-security insurance is still in its relative infancy, but demand for explicit protection is increasing, particularly in response to the shocking financial and reputational impact of some recent (and very public) cyber-infringements. Whilst this is a great opportunity for insurers, there is currently no correlation between the terms of one cyber-policy and another, no ability for businesses to compare like for like, and no established expectation of what will be covered or excluded. It is therefore essential, when considering a cyber-policy, to ensure that the terms adequately address the specific cyber-risks inherent in the target business (which may differ pre- and post-completion). For example:
  - Damage to business and loss of profits – is this covered and, if so, for how long?
  - Territorial limits – cyber-risk is an unpredictably international threat. However, some policies only cover damage arising from cyber-attacks carried out in specified territories.
  - Cyber-terrorism exclusions – insurance definitions of terrorism are often broad, and may well encompass cyber-attacks. Check definitions carefully to ensure no unexpected exclusions apply.
Sellers should ensure that proposed buyers and advisers are also adequately covered by cyber-security insurance, where appropriate, before sharing data with them.
Cyber-security should be considered at every stage of an M&A process, both in terms of risk within the target and risk within the deal process itself. It is not just a risk for buyers. Sellers, targets and advisers also need to stay alert to the potential for cyber-attacks and work together to mitigate the risk. Post-closing opportunities to strengthen cyber-security within a target should be identified and explored by buyers early on in the process and, most importantly, everyone must remember to constantly re-evaluate their cyber-risk management plans.
First published in Intercontinental Finance & Law, January 2017