Merger and acquisition (M&A) activity is often the lifeblood of corporate growth. While whole treatises can be, and have been, written on cybersecurity and legal challenges during M&A activity, the following are a few key takeaways for federal contractors considering a merger or acquisition.
Don't let small changes endanger your facility clearances.
Contractors with certain facility security clearances are required to report a variety of events that may affect the status of their eligibility for access to classified information. See 32 C.F.R. § 117.8. While some of these reporting triggers are "big deal" events, like the loss or compromise of classified information, others are smaller corporate changes that will often arise in the M&A context. These include:
- A change in ownership that impacts control of the company
- A change in the name or address of the company
- A change of key management personnel
See 32 C.F.R. § 117.8(c)(7)(i)-(iii).
If the transaction reasonably involves foreign ownership, control or influence (FOCI), don't wait until the transaction closes to report it.
It is natural to want to hold back on reporting corporate changes until you have certainty. What if the deal falls through, or your cognizant security agency asks a follow-up question that you do not yet have an answer for? Similarly, both the buyer and the seller usually have business reasons for wanting to keep the possibility of a transaction close to the vest until it's a certainty. Ultimately, the rules do not allow for transactional certainty prior to making your report. If there are "discussions, consultations, or agreements that may reasonably lead to effective ownership or control by a foreign interest," the contractor must report the information. See 32 C.F.R. § 117.8(c)(7)(v).
CMMC and FedRAMP readiness is increasingly important, even for contractors with FOCI obligations.
Others have already written extensively on how the 2020 National Defense Authorization Act Section 847 required the Department of Defense (DoD) to identify and address FOCI concerns, resulting in DoD Instruction 5205.87. For purposes of this article, a key takeaway is that FOCI risk assessments will no longer be primarily focused on the security of classified information. Security for Controlled Unclassified Information (CUI) is now also in scope. See, e.g., DoDI 5205.87 (definitions of "compromise" and "risk" encompassing CUI). Thus, acquisitions involving an entity that only touches CUI may still impact your FOCI risks if that entity does not have adequate controls in place.
There are multiple requirements to adequately protect CUI, depending on whether an entity processing covered defense information (CDI, which includes CUI) is a contractor or a cloud service provider being used by a contractor. Contractors processing CDI will find their requirements in the new Cybersecurity Maturity Model Certification (CMMC) program. CMMC 2.0 may be finalized (finally) by the close of 2024, and contractors handling CDI will be required to obtain CMMC certification before DoD awards a covered contract to that contractor. Where a contractor uses a cloud provider to process CDI, the contractor must validate that the cloud provider has achieved FedRAMP Moderate equivalency under DFARS 252.204-7012(b)(2)(D) (or that the cloud provider has obtained actual FedRAMP Moderate authorization). Achieving this equivalency has been made more challenging thanks to DoD's recent memo confirming that the cloud provider must achieve 100 percent compliance with the moderate control baseline and describing the body of evidence that a contractor must validate for the cloud provider to claim this status.
Practically speaking, this means that any M&A activity tied to the Defense Industrial Base, or involving entities with FOCI obligations, should consider whether the seller (and possibly the seller's own vendors) has plans for CMMC 2.0 or FedRAMP Moderate compliance. This will help ensure that M&A activity does not endanger a contractor's pipeline of federal business.
Build a culture of collaboration between your business development and legal/compliance teams.
Business development or acquisition strategy teams often need to move with speed and agility. This need for speed can be at odds with the perception that too much early involvement from legal and compliance teams slows down the process. However, building a culture of close collaboration between these teams will actually improve the transactional outcome. As noted above, M&A in the procurement space has the potential to trigger a host of reporting obligations that could mean delays in your acquisition timeline. Close coordination between the business development and legal/compliance teams at early stages means you have earlier visibility into any anticipated reporting obligations and can build that into your acquisition timeline from the outset.
Prepare for the unknown.
Cybersecurity-related due diligence is complicated, and you will almost never have full visibility into your target environment before you close the deal and begin integration activities. While you may receive information like pen test results, Qualys scans, SOC reports or other cyber certification documents, patching and operating system details, or even a technical diligence report from a third party, you may never get access to security dashboards or an in-depth analysis of historical security alerts to see critical areas of vulnerability. Similarly, you will not have the ability to roll out your security tools to the target environment. Therefore, target your diligence efforts so you can build an integration plan that focuses on areas of greatest risk and gives you greater visibility into the true state of the new environment. Similarly, be prepared to rapidly respond to alerts and modify your integration plans as you begin to gain increased visibility.
Watch out for insider threats and lost knowledge.
Corporate change can often result in employee angst, and as most great rock songs illustrate, people driven by angst do not always make good choices. For that reason, work with your security teams to identify and monitor potential insider threat risks once the transaction is made public to both the buyer's and the seller's employees. This may mean that members of the security team need to be "read in" to the transaction before it is made public.
Similarly, corporate changes naturally result in turnover. However, such turnover can have significant cybersecurity impacts. For example, there may be a critical database or application for which only a small number of employees have the knowledge and skills to quickly restore that environment in the event of a system disruption. If these individuals leave the company without transferring this knowledge, the company may face a significant gap in its ability to quickly respond to a security or business disruption incident. Thus, it is important that M&A diligence and initial integration efforts identify employees with knowledge about key processes or critical skill sets and develop a plan for any needed knowledge transfer.