In a previous post, we discussed how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction. In this post, we discuss the ways regulatory bodies have begun managing these risks and the significance of these efforts to M&A participants engaging in substantial data asset transfers.

On February 18, 2016, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report. Following this, in March 2016, the Ontario Securities Commission (OSC) released its Draft Statement of Priorities for 2016/2017. These reports, which constitute summaries of issues and action plans identified by the regulators, share a common focus on the systemic risks posed by insufficient cyber-security and recognize that our growing dependence on digital connectivity enhances exposure to cyber-attacks.

Cyber-security weakness at any level can jeopardize a company's position during the M&A process. Information loss during or after transactions and data transfers can have dire effects on stakeholder interests. If legal responsibilities and data security problems are left unaddressed, issues such as damaged reputations or the forfeiture of customers and future sales can result in serious losses.

The OSC and IIROC are positioning themselves to take a central role in enhancing cyber-security resilience by undertaking oversight initiatives to promote proper due diligence in relation to internal breaches and intrusions from external parties. The agencies hope to achieve this by:

  • improving collaboration and communication between parties;
  • assessing cybersecurity resilience through targeted reviews;
  • providing guidance on cybersecurity preparedness; and
  • publishing notices of participant and infrastructure oversight.

What then can participants in the M&A market expect? When dealing with public companies, participants should bring higher expectations, in terms of cyber-security, to the table. The standards that will guide these expectations are yet to be announced by regulators. However, even after regulations are put in place, acquirers should review all the work their targets have done to satisfy cyber-security requirements.

While regulators focus on establishing stable standards to enhance cyber-security resilience amongst market participants generally, parties to M&A transactions can be diligent in safeguarding their own interests by:

  • identifying digital assets to be transferred;
  • backing up any data prior to transfer;
  • transferring legal ownership of data quickly; and
  • planning for continuity in the event of data loss.

These steps should be taken as early as possible in the M&A process. As secure data transfers have become particularly important, early communication of duties and responsibilities is the safest way to combat the threats posed by cyber-attacks.

The author would like to thank James Parker, articling student, for his assistance in preparing this legal update.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.