AT A GLANCE
- Realizing value and managing risk in investments and acquisitions of digital assets businesses means assessing the most critical areas of the target's business—among them, cybersecurity, intellectual property, data privacy, and regulatory positions.
- This is particularly challenging in light of the pace of innovation in digital assets, as well as the intersecting, evolving laws that apply to these businesses.
- As valuations increase and investment capital flows into the digital assets sector, the cost of missteps in these areas—especially the risks of cybercrime, regulatory penalties, sanctions, and even criminal consequences—has also expanded significantly.
As applications and use cases for digital assets and their blockchain infrastructure grow and become more sophisticated, investments and valuations for businesses in these areas have grown as well. The growing number of opportunities has attracted a diverse group of investors and lenders. Global financial institutions and some of the world's largest institutional investors are among those pursuing acquisitions and equity financings in digital assets businesses.
No matter who the buyer is—and no matter the size of the investment—understanding the assets, revenue streams, and risks of a target digital assets business is critical to capturing and realizing value in any equity investment or M&A deal. Given the complexity and nuance of digital assets businesses, this requires a deep dive into several key subject areas. In order to validate an investment thesis, confirm valuation, and manage risk, an early step in any proposed acquisition or investment in a digital assets business should be a careful analysis of the target in these key areas.
In Part 1 of our series on deals in the digital assets sector, our team examines two of these areas—cybersecurity and intellectual property.
CYBERSECURITY
While every company in the world should be concerned about cyberattacks, digital assets businesses are especially high-risk. Digital-native businesses exist primarily in cyberspace, which means that a serious cyber threat is also an existential one. Cybercriminals also disproportionately target digital assets because they can usually be transferred globally, seamlessly, and irreversibly, which makes stealing them especially attractive. And while the use of distributed ledger technology—the backbone of digital assets—has certain inherent security benefits (as compared to centralized networks), there are still security vulnerabilities that arise through the security (or lack thereof) of individual participants and end-users, among others.
The cost of a cyber incident can be severe. To name just a few possible consequences:
- Attackers that are able to access private key or bank account information can reroute payments or currency (fiat or digital), often to opaque jurisdictions or untraceable accounts.
- Opportunistic hackers may take advantage of an exploit in a business's blockchain software, any underlying software the business relies upon, or the blockchain itself, in order to either steal and launder funds or demand a bounty.
- Theft of data, trade secrets, and/or other IP can result in a business's “special sauce” being lost to competitors or bad actors.
- Loss of trust can destroy future revenues and cause reputational damage that is difficult (or impossible) to repair.
To guard against this, an investor or acquirer must have a thorough understanding of the target's cyber risk and cybersecurity program. An effective cybersecurity program should start with a risk assessment based on a complete inventory of digital assets and technology assets (such as data, algorithms, and software) of the target business. This is especially true for any data and software that will be integrated with or otherwise linked to an acquirer's IT infrastructure.
A target company's vulnerabilities will become the acquirer's vulnerabilities. We are aware of instances where an acquirer also “acquired” an intrusion because the threat actors were inside the target's systems at the time of the acquisition and then spread into the network of the acquirer.
Even if an investor is only taking a minority equity stake in a target, there is potential for the target's cyber risk to spread to its new owners—especially if there are business or commercial arrangements that accompany the investment that lead the acquirer to connect its network to the target. The security, trustworthiness and ultimately the market position of a target digital assets business will be key drivers of the utility and value of a commercial arrangement with its acquirer or investor. In addition, the potential negative impact of reputational damage from a cyberattack on a digital assets business—and its owners, investors and vendors—cannot be overstated. In highly competitive markets, reputational damage can sometimes be impossible to overcome.
As a result, the physical and digital security of the target and its digital assets themselves are critical to realizing deal value and mitigating the risk of damages, loss and theft. A few examples of areas of specific focus for digital assets businesses include:
- The cybersecurity program and the governance, reporting, and tracking built into the program.
- Whether the target has adequate cybersecurity staffing and expertise.
- Whether there have been cyber breaches—keeping in mind that these can be unreported, or even undetected, for long periods of time.
- Scope of the target business's internal testing of its cybersecurity program—including penetration testing and vulnerability assessments.
- Methods and/or locations for storage and custody of digital assets, including the individuals that have access to multisignature wallets and cold storage devices.
- Auditing of any smart contracts utilized by the target business, including understanding how open source software is used.
INTELLECTUAL PROPERTY
Even more so than most target businesses, digital assets businesses are built on intellectual property (IP), including innovative software and algorithms and proprietary data. For that reason, IP should be a major part of diligence.
A key part of this effort is a careful review of the types of IP relevant to a target business – this can include software, hardware, trade secrets (such as processes), AI-generated content and code, and “soft IP” such as brand names and copyrights. There are different legal rights and considerations (and risks!) that relate to each one.
For example, the U.S. Copyright Office and the U.S. Patent and Trademark Office have each been asked to protect works or inventions created, in whole or in part, with AI. At present, these offices do not recognize AI programs as “authors” of copyrightable works or “inventors” of patentable inventions. As a result, these offices will not register works whose traditional elements of authorship are produced solely by a machine, such as when an AI program receives a prompt from a human and generates complex written, visual, or musical works in response. This results in a key, unanswered question: if works produced by generative AI are not eligible for copyright, what is their legal status? As of now, such a work is, in practice, part of the public domain from a U.S. copyright perspective (although its use could still violate a binding agreement governing the work's use). Similarly, U.S. law does not currently protect AI-created inventions (absent substantial contribution from a human inventor).
To the extent the digital assets business relies on AI, another key area to watch is court systems that are hearing disputes over IP rights in training data and how those disputes evolve. These types of cases are already showing up in courts and these lawsuits and their outcomes can have wide-ranging impacts on these types of risks.
Another area to focus on is open-source software use, particularly in connection with smart contracts. The trend in the digital assets industry—particularly in the Ethereum developer ecosystem—has been to open source the foundational smart contracts that provide core infrastructure for on-chain businesses. If the target business relies on smart contracts as part of its business, it is important to identify and review both inbound and outbound open-source licenses for all relevant smart contracts, in order to confirm that such licenses are compatible with ongoing use in accordance with the business's interests, as they may evolve over time.
Finally, IP-related activities on blockchains—such as selling rights to IP on a blockchain through smart contracts—can increase the risk of IP theft or misappropriation, damage to brands through misuse and fraud, and loss in market value of the business. As businesses create valuable IP and digital assets on-chain—including NFTs and digital brands—there is the risk of failing to properly protect or manage that IP. If legal rights for these valuable assets are not clearly defined and recorded, businesses may not have protections in place to maintain the value in their digital assets IP. Consumers may, likewise, be misled regarding the nature and extent of the rights they are purchasing in connection with such on-chain assets.
WRAPPING UP
With the massive amount of attention being given to digital assets by global companies, financial institutions, central banks, and investors, it's no surprise that deal activity and valuations have significantly accelerated. For investors and acquirers to realize the strategic and economic value of their investments in digital assets—and to prevent damaging ripple effects from missteps in diligence and deal execution—it will be important to closely examine these (and other) key areas of any target digital assets business. Part 2 of our series will cover some of these additional areas.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.