
Cyber security risk in acquisitions
In today’s increasingly digital landscape, cyber security has become a critical and growing concern for buyers.
In this briefing, partner Thomas Clark explains the cyber security risks present in acquisitions, why comprehensive due diligence is essential, and how legal safeguards can be put in place.
What do buyers need to know before signing?
In transactions, buyers have traditionally focused due diligence on areas such as finance, tax and commercial matters, including commercial contracts. However, one risk that is increasingly taking centre stage is cyber security.
Acquiring a business with poor cyber hygiene or a history of breaches can expose buyers to significant legal, financial and reputational damage.
What risks may exist beneath the surface?
Cyber risk may be invisible during initial discussions, yet once the transaction closes, the buyer might inherit a multitude of cyber security-related risks and problems, including:
- undisclosed breaches which may trigger regulatory investigations or litigation
- non-compliance with data protection laws such as GDPR or the UK Data Protection Act
- vulnerable and easily exploited IT infrastructure
- contracts with weak indemnities or excessive liability exposure
These risks don’t just affect operations; they can materially impact transaction value and post-acquisition focus and performance.
When can cyber risk affect profits and value?
An obvious example is the Verizon-Yahoo acquisition. Yahoo’s failure to disclose two major data breaches led to a $350 million reduction in the purchase price and years of litigation.
Similarly, Marriott’s acquisition of Starwood exposed it to a substantial GDPR fine after a legacy breach came to light post-transaction.
Cyber security is becoming a key transaction risk.
What should buyers demand from due diligence?
Buyers must insist on robust cyber due diligence. This includes:
- full disclosure of past breaches, including regulatory responses and remediation efforts
- assessment of cyber security policies, incident response plans, and employee training
- review of third-party vendor relationships and supply chain vulnerabilities
- verification of compliance with applicable laws and industry standards
- evaluation of cyber insurance coverage, exclusions and claims history
Legal teams are unlikely to have the expertise needed to assess cyber security risk as part of due diligence. They will therefore work closely with other relevant experts instructed by the buyer to carry out the cyber due diligence and then properly document any findings.
What legal safeguards can be built within transaction documentation?
Buyers should always aim to have issues identified during due diligence corrected before completing the transaction. If correction is not possible or practical, they can instead mitigate the inherited cyber risks through provisions in the transaction documentation, such as:
- warranties, which require the seller to make statements to the buyer as to the state of the business which, if later found to be untrue, give rise to a claim against the seller
- indemnities, which ensure that any losses suffered after completion in respect of identified risks and issues are borne by the seller
- retentions from the purchase price while issues are resolved, giving the buyer comfort that funds are available to pay any claims which do unfortunately arise
Increasingly, transaction documentation includes more comprehensive protections relating to cyber security, a trend that is unlikely to reverse any time soon.
What risks arise after completion and how can buyers mitigate them?
Even with strong due diligence and protection within the transaction documentation, buyers need to remain alert to risks post completion.
Post-completion integration by the buyer can itself give rise to cyber risk, and buyers should seek to mitigate it by:
- establishing clear governance and procedures over cyber security in the combined entity
- conducting post-completion audits to identify and remediate risks, and continuing to investigate the cyber security affairs of the target
Conclusion: cyber risk is real
Investigation into the affairs of a target as part of the due diligence process is no longer a tick box exercise; it is becoming more and more important, especially given the risk and cost associated with breaches.
The message is clear: make comprehensive and well-structured enquiries during the due diligence process, demand transparency, and structure transactions with cyber risk in mind.
About Thomas
Thomas Clark is a partner in the corporate and commercial team advising clients on a wide range of matters with a focus on acquisitions and disposals. He routinely assists clients with business reorganisations and restructures, shareholder agreements and articles of association as well as corporate governance and risk.
Get in touch
If you would like to speak with a member of the team you can contact our corporate and commercial solicitors by telephone on +44 (0)20 3826 7511 or complete our enquiry form.