In a previous post, we discussed how to
manage cyber security risks during the negotiation and due
diligence stages of an M&A transaction. In this post, we
discuss the ways regulatory bodies have begun managing these risks
and the significance of these efforts to M&A participants
engaging in substantial data asset transfers.
On February 18, 2016, the Investment Industry Regulatory
Organization of Canada (IIROC) released its
Compliance Priorities Report. Following this, in March 2016, the
Ontario Securities Commission (OSC) released its
Draft Statement of Priorities for 2016/2017. These reports, which
constitute summaries of issues and action plans identified by the
regulators, share a common focus on the systemic risks posed by
insufficient cyber-security and recognize that our growing
dependence on digital connectivity enhances exposure to
Cyber-security weakness at any level can jeopardize a
company's position during the M&A process.
Information loss during or after transactions and data transfers
can have dire effects on stakeholder interests. If legal
responsibilities and data security problems are left unaddressed,
issues such as damaged reputations or the forfeiture of customers
and future sales can result is serious losses.
The OSC and IIROC are positioning themselves to take a central
role in enhance cyber-security resilience by undertaking oversight
initiatives to promote proper due diligence in relation to internal
breaches and intrusions from external parties. The agencies hope to
achieve this by:
improving collaboration and communication between parties;
assessing cybersecurity resilience through targeted
providing guidance on cybersecurity preparedness; and
publishing notices of participant and infrastructure
What then can participants in the M&A market expect? When
dealing with public companies, participants should bring higher
expectations, in terms of cyber-security, to the table. The
standards that will guide these expectations are yet to be
announced by regulators. However, even after regulations are put in
place, acquirers should review all the work their targets have done
to satisfy cyber-security requirements.
While regulators focus on establishing stable standards to
enhancing cyber-security resilience amongst market participants
generally, parties to M&A transactions can be diligent in
safeguarding their own interests by:
identifying digital assets to be transferred;
backing up any data prior to transfer;
transferring legal ownership of data quickly; and
planning for continuity in the event of data loss.
These steps should be taken as early as possible in the M&A
process. As secure data transfers have become particularly
important, early communication of duties and responsibilities is
the safest way to combat the threats posed by cyber-attacks.
The author would like to thank James Parker, articling
student, for his assistance in preparing this legal
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the
world's pre-eminent corporations and financial institutions
with a full business law service. We have more than 3800 lawyers
and other legal staff based in more than 50 cities across Europe,
the United States, Canada, Latin America, Asia, Australia, Africa,
the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the
key industry sectors: financial institutions; energy;
infrastructure, mining and commodities; transport; technology and
innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global
business principles of quality, unity and integrity. We aim to
provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of
Under the Income Tax Act, the Employment Insurance Act, and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions or GST.
Under the Income Tax Act, the Employment Insurance Act, the Canada Pension Plan Act and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).