Cyber security risk in acquisitions

Cyber risk may be invisible during initial discussions, yet once the transaction closes, the buyer might inherit a multitude of cyber security related risks and problems including:

• undisclosed breaches which may trigger regulatory investigations or litigation
• non-compliance with data protection laws such as GDPR or the UK Data Protection Act
• vulnerable and easily exploited IT infrastructure
• contracts with weak indemnities or excessive liability exposure

These risks don’t just affect operations; they can materially impact transaction value and post-acquisition focus and performance.

An obvious example is the Verizon-Yahoo acquisition. Yahoo’s failure to disclose two major data breaches led to a $350 million reduction in the purchase price and years of litigation. 

Similarly, Marriott’s acquisition of Starwood exposed it to a substantial GDPR fine after a legacy breach came to light post-transaction.

Cyber security is becoming a key transaction risk. 

Buyers must insist on robust cyber due diligence. This includes:

• full disclosure of past breaches, including regulatory responses and remediation efforts
• assessment of cyber security policies, incident response plans, and employee training
• review of third-party vendor relationships and supply chain vulnerabilities
• verification of compliance with applicable laws and industry standards
• evaluation of cyber insurance coverage, exclusions and claims history

Legal teams are unlikely to have the relevant expertise to assess cyber security risk as part of due diligence. They will work closely with other relevant experts instructed by the buyer to assist with cyber due diligence and then properly document any findings. 

Buyers should always aim to have issues identified during due diligence corrected before completing the transaction. If correction is not possible or practical, they can instead mitigate the inherited cyber risks through provisions in the transaction documentation, such as including:

• warranties which require the seller to make statements to the buyer as to the state of the business which if later found to be untrue, would give rise to a claim against the seller
• indemnities which ensure that any losses suffered after completion in respect of identified risks and issues are borne by the seller
• requiring retentions of the purchase price whilst issues are resolved to give comfort to the buyer that funds are available to pay any claims which do unfortunately arise

Increasingly, transaction documentation includes more comprehensive protections relating to cyber security, a trend that is unlikely to reverse any time soon. 

Even with strong due diligence and protection within the transaction documentation, buyers need to remain alert to risks post completion. 

Post completion integration by the buyer can give rise to cyber risk and buyers should seek to mitigate risks occurring by:

• establishing clear governance and procedures over cyber security in the combined entity
• conducting post-completion audits to identify and remediate risks, and then continue investigation into the cyber security affairs of the target