The Ontario Securities Commission (OSC) recently published its
Statement of Priorities for the Financial Year to
End March 31, 2017 (the Statement). The Statement unveils a new
area which the OSC intends to focus its key resources and actions
on – cyber resilience. For many, this does not come as a
surprise, particularly given the high-profile cyber-attacks on
organizations ranging from Ashley Madison to J.P. Morgan. It is now
well-recognized that in a market where businesses are exponentially
increasing their dependency upon technology, the need to understand
and mitigate cyber-security risks is proliferated.
The Statement should serve as a call to action for all
businesses that bear cyber-security vulnerabilities –
especially those involved in M&A. One example which the OSC
points to is the growth of technology facilitated financial
services. The introduction of new technologies, such as block chain
based crypto-currencies and peer-to-peer lending, is influencing
large financial institutions to adapt through acquisition. These
transactions will unquestionably give rise to cyber-security
concerns. However, even a simple corporate transaction which
organically alters an entity's IT infrastructure can present
similar risks. Such cyber-security-related perils are present in
two forms: (1) risks to the purchaser and the target organization;
and, (2) risks in relation to phases of the M&A process.
It is critical to examine the cyber-security practices and
technologies of all merging entities during the due diligence
phase. Pre-merger planning should consider the risk of an
information security breach as well as potential financial and
legal liabilities. By gaining a better understanding of the
target's information security-related processes, the purchaser
can adequately evaluate legal compliance, identify risks and adjust
the purchase agreement accordingly. For instance, the presence of
cyber-security issues may justify a provision allowing for a
purchase price adjustments or mandate the inclusion of
cyber-security specific indemnities.
In addition to enabling a seamless integration, it is important
to ensure that both entities have secure IT policies designed to
avert cyber-attacks during the M&A process. Companies are
already in a vulnerable position when merging and insufficient IT
policies can significantly heighten this susceptibility. In the
midst of the M&A process, a cyber-attack can leak details of
previously undisclosed acquisitions or potential deals. If
successful, the attack can damage negotiation positions, cause
irreparable reputational damage, or at worse, cause the deal to
fail. As such, it is wise to treat the target company as a third
party. This may include separating, securing and protecting all
critical data systems. Similarly, both entities would be well
advised to identify key employees with knowledge of secure
information and ensure that sensitive information cannot be
accessed by unauthorized persons.
The cyber threat landscape clearly requires information security
to be a key factor for companies contemplating a merger or
acquisition. With that being said, a company who knows its risks
and actively seeks to address them can prevent costly mistakes
before signing on the dotted line.
The author would like to thank Joseph Palmieri, Summer
Student, for her assistance in preparing this legal
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the
world's preeminent corporations and financial institutions with
a full business law service. We have 3800 lawyers and other legal
staff based in more than 50 cities across Europe, the United
States, Canada, Latin America, Asia, Australia, Africa, the Middle
East and Central Asia.
Recognized for our industry focus, we are strong across all the
key industry sectors: financial institutions; energy;
infrastructure, mining and commodities; transport; technology and
innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global
business principles of quality, unity and integrity. We aim to
provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of
Under the Income Tax Act, the Employment Insurance Act, and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions or GST.
While most are well aware that the sale of a business is generally a complex process, even sophisticated business owners are surprised by just how much cost and effort is required to complete the sale.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).