The heavy reliance on technology in today's data-driven world means that cybersecurity threats must be taken seriously. More specifically, with respect to M&A transactions, a target's cybersecurity mechanisms have become an important part of the due diligence consideration. Indeed, it is important to have a firm grasp on the nature and extent of a target's cybersecurity vulnerabilities, the likelihood of a breach, and the procedure in place to remedy a breach, if necessary. These considerations have the power to significantly alter the value of a transaction, or even derail it entirely.

With the introduction of the EU's General Data Protection Regulation (GDPR) – which caused ripple effects of tightened privacy legislation in other jurisdictions – compliance with the regulatory regime is an important factor. This is particularly so because some targets may not even know that they are subject to certain regulations, and may be acting offside. For example, the GDPR's strict privacy rules apply not only to processors within the EU, but also to any processors that target European data subjects. That is quite a broad reach. Therefore, a compliance assessment is also an important factor in determining the value and viability of M&A transactions.

Furthermore, a target's contractual obligations with respect to cybersecurity, and specifically regarding the transfer of proprietary data, are significant. Such obligations are often connected to incidents of cybersecurity breaches and the associated indemnity in such an event.

Additionally, "employee cyber hygiene", which refers to how internal personnel are trained with respect to cybersecurity best practices, is also an important consideration. Fending off hacking attempts and reporting suspicious activity are things that employees should be trained in, since their acts could directly impact the cybersecurity of the company. Therefore, the level of employee knowledge and training in this regard can be a telling risk factor.

One of the most important points, however, is knowing whether the target has been the victim of a cybersecurity attack that caused damage to its high-value digital assets without management's awareness or a clear understanding of its implications for the business and its IP assets. A lack of proper due diligence in this area could result in the acquirer taking on the damages and liability from such past incidents.

As such, a holistic understanding of a target's current cybersecurity mechanism, as well as a history of any past incidents, can impact the value of a transaction since this type of information will yield a more accurate risk analysis.

The author would like to thank Saba Samanian, articling student, for her assistance in preparing this blog post.

About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.