Privacy and cybersecurity (referenced together as “cyber” in this article) risks and opportunities in M&A deals continue to attract increased attention as countries, including Canada and the U.S., introduce new and more stringent privacy-related requirements. These include increased powers for regulators to levy substantial fines or impose other sanctions for violations[1].
Meanwhile, cyber risks have only grown during COVID, both because people working from home expand the avenues through which hackers can gain access to data and because of the broad digitization and datafication of everyday life.
It is now a simple statement of fact that all companies are data companies, so it is no surprise that the risks and opportunities of data in M&A transactions are also becoming a more significant and integrated matter of corporate governance during the deal process. Careful steps and planning must be taken by all parties in a transaction before it begins, during negotiations and deal execution, and after closing to protect the integrity of the M&A deal process and to ensure parties get what they bargained for.
- The deal process to negotiate and document a transaction can present significant cyber risks. For example, systems used to share confidential documents and information regarding a transaction can be hacked or compromised; deal communications can be compromised; and participants can be targeted by phishing attacks or fraudulent messages intended to lure individuals to disclose deal-related information. To address these risks, participants should plan for appropriate security and apply necessary controls (e.g., with secure data rooms).
- Buyers should also be mindful in this phase that a target can become aware of their interest sooner than intended through, for example, analysis of website traffic patterns that reveals increased visits from the buyer.
- Sellers in the pre-transaction phase may wish to consider privacy house cleaning by reviewing the status of their IT systems, cybersecurity posture, and data holdings. While the opportunity to correct issues may be limited, a clear and current understanding of the company's data resources, cybersecurity infrastructure, and known points of risk[2] will help assess the company's value and may help reduce friction during diligence and negotiations.
Transaction: negotiation and diligence
- Understanding the target's business and data practices is critical, as these largely determine the types of cyber risk to which the company may be exposed. All companies process some level of data, so it is always necessary to determine the types of data collected, their sources, and how they are used. It cannot be assumed that a non-data company (e.g., a manufacturer or resource company) does not collect and process significant amounts of data.
- Consideration must also be given to the basis on which the company processes the data (e.g., consent or other legitimate basis under applicable law), the third parties with which it shares the data, and the company's retention practices. Risks may also arise from aspects of a company's organization itself, including from the nature of the workforce (employees or contractors, on-site or remote), legacy IT systems, and the distribution of IT assets.
- In order to assess the inherent risks that the target and its data present, the applicable privacy laws must be identified. Risks are heightened in some jurisdictions. In the EU, substantial fines can be levied for breaches of the applicable regulations; in Canada, improper electronic marketing practices can attract significant penalties. The assessment of inherent risk can be challenging and often more of an approximation than a precise calculation, as it depends on the level of detail provided by the target about its data and business practices.
- Questions should be asked about the company's technical and organizational measures to protect data and ensure compliance with applicable laws. The company's overall cybersecurity posture should be assessed to determine if it is appropriate for the volume and sensitivity of data it handles. Ideally, information will be provided about the technical infrastructure, including about the target's security and threat detection systems, and backup and disaster recovery plans.
In order to assess the effectiveness of these systems, the target should be asked about its breach history and, just as importantly, its history of testing of these systems (e.g., penetration and vulnerability testing, backup plan testing, and internal or external audits of the privacy program and infrastructure). Where available, testing and similar reports should be reviewed.
The company's privacy governance should also be investigated. While it is preferable for a company to have a dedicated privacy officer and compliance function, smaller or growing companies often distribute responsibility for privacy among various groups—in particular, the IT and HR functions. While this may not be a material issue as a matter of course, it may hint at a lack of sufficient organizational controls, particularly in a company that has experienced rapid growth and especially if that growth includes expansion into jurisdictions with more stringent privacy requirements such as the EU. If that is the case, further investigation should be undertaken. Other factors to consider in assessing the target's data governance posture are its employee training, internal policies and procedures, and its audit function.
- Once the analysis of cyber risks has been completed, the purchase agreement should be drafted to reflect the risks. Buyers should resist the temptation to rely on general compliance with laws and instead include specific privacy representations in the agreement that address the unique circumstances of the deal. This approach may help to force a target to disclose information needed to understand the cyber risks and may lead it to make additional disclosure about its historical practices.
- Representations, though, are vulnerable to being weakened by disclosures made against them. In these cases, covenants requiring the target to remediate known issues may be considered. These may be resisted, however, especially if they could lead to uncertainty about closing. A compromise may be to require remediation on a best effort basis pre-closing. Indemnification or representations and warranties insurance may also help to bridge any gap between buyer and seller.
Once the deal has closed, careful attention must be paid to integration of the target and its data and IT infrastructure. Three issues commonly arise. Two relate to a misalignment between the buyer's business and cybersecurity practices and those of the target. The third has to do with added cybersecurity risks.
- The first has to do with the buyer's use of the target's data. Many jurisdictions limit the use of data to the purposes originally consented to when the data was collected, to a defined set of legitimate uses, or to a combination of both. If such restrictions apply, the buyer may find that it needs to take additional steps to use the data as planned. One way to do this is by obtaining fresh consents to allow for the new uses of the data.
- The second issue that can arise is that the buyer's privacy or security governance isn't aligned with the obligations it is taking on as a result of the acquisition. For example, a Canadian company acquiring an international data set may inherit new, foreign privacy law obligations and industry regulatory requirements. One pragmatic approach may be to assess the target's data to see if deleting or anonymizing parts of the data pool could address the issue, although any such steps would need to be in accordance with applicable privacy and other laws, including record keeping and retention requirements. Alternatively, the buyer could upgrade its systems and governance to provide the same level of protection committed to by the target. This approach would make sense where the data is sufficiently valuable to the buyer to warrant the expenditure.
A buyer could also try to address these issues through the purchase agreement by carving out the data it does not wish to receive or requiring the target to destroy certain data before closing.
- The post-closing phase of a transaction is also subject to cybersecurity risks. The integration of two or more companies' operations and systems may lead to new vulnerabilities through, for example, system incompatibilities or human error. The transfer of data between the parties is also a potential vulnerability, as is the risk of misconduct by employees of either the buyer or target, especially if the transaction was contentious. Thorough diligence likely will have highlighted at least some of these types of issues, but others may only become apparent in the course of time.
A final note
Just as transaction data needs to be protected throughout the deal, companies and their lawyers and bankers must be mindful of the risk of common cyber scams targeting large deals. In particular, wire transfer fraudsters may infiltrate the systems of companies or their advisors to provide false banking instructions for receipt of the purchase price. Amid the sprint of closing a transaction, those responsible for transferring funds should not rely on email instructions but rather should confirm banking details live, preferably over video call. Fraudsters may go to great lengths to falsify their voice on the phone.
1. In this article, we do not distinguish between the risks posed by different types of information. In general, however, privacy risks relate mostly but not exclusively to personal information of identifiable individuals.
2. For example, through a review of breach histories or by undertaking fresh privacy audits or testing.