Corporate Transactions: Diligence and Agreements Should Address Cybersecurity and Privacy

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
December 15, 2021

All businesses maintain at least some information electronically, and the value of many depends on the information they have about operations, products and services, clients and customers, vendors, employees, etc. Cybersecurity is one of the largest and most prevalent risks businesses face. Thus, as attorneys, we need to work with clients anticipating potential acquisition to address cybersecurity compliance and liability long before any transaction occurs. Similarly, we need to work with acquirers to anticipate how significantly the value of the acquired business depends on its information, how to conduct due diligence that effectively identifies cybersecurity and privacy compliance and liability concerns, and how to address any such issues that arise in the terms of the transaction.

Businesses in regulated industries should expect acquirers to conduct extensive due diligence concerning cybersecurity compliance. Examples include businesses involved (either directly or as vendors to other businesses) in health care, banking, defense contracting, publicly traded entities, and a wide variety of professional services, including financial, accounting, tax preparation, legal, and insurance services. Even if not involved in regulated industries, almost all businesses operate using at least some (if not a significant amount) of information covered by general state cybersecurity laws, particularly companies that either operate in Massachusetts or New York or engage in business with residents of those states.

Large acquirers – as well as investment banks, private equity firms, and special purpose acquisition companies (SPACs) – also are increasingly concerned about compliance by the acquired business with certain the emerging domestic privacy laws from states like California, Colorado, and Virginia, and foreign privacy laws from the European Union, Canada, Australia, and China. These laws extend across state and international borders to local companies that engage in business with individuals who reside in those other jurisdictions.

Achieving cybersecurity and privacy compliance for purposes of a transaction typically requires at least a year for a business that has not previously addressed those matters, and several months even for a business that has done so. Thus, starting to address cybersecurity and privacy long before a transaction occurs is important. Additionally, businesses that foresee acquisition should have compliance documentation ready to go, to ease the due diligence process.

All businesses are not equal with respect to cybersecurity and privacy compliance and liability. Acquirers need to understand just how significant such issues are to the value of the acquired business, and specifically tailor due diligence to the circumstances. For example, if the value of the acquired business is not highly dependent on such factors, then it could be sufficient to review only the acquired business’ internal and external cybersecurity and privacy policies, certifications of compliance with industry standards, workforce training and testing materials, documentation about prior incidents and breaches, and insurance policies, as well as relying on appropriate representations and warranties in the transactional agreements.

By comparison, if the value of the acquired business depends meaningfully on its cybersecurity and privacy compliance and liability, then the acquirer should obtain much broader and deeper due diligence, and retain professionals capable of understanding the materials. Examples include (a) work product (even if privileged) from the past three to five years of cybersecurity and privacy assessments and mitigation processes, (b) interviews of information technology (IT) personnel and managed IT providers of the acquired business, (c) review of contracts between the acquired business and its customers, vendors, and other third parties concerning cybersecurity and privacy, and due diligence that the acquired business produced or performed with respect to them, (d) detailed information concerning all incident, breach, and financial crime incidents and claims, and (e) detailed information concerning cyber liability insurance renewals for the past three to five years, including answers to questionnaires, premium adjustments, policies, and non-renewals. If the value of the acquired business is highly dependent on cybersecurity and privacy compliance and liability, the acquirer should consider retaining a third party to conduct the acquirer’s own risk assessment of the acquired business.

Cybersecurity and privacy issues might impact the value of an acquired business, but rarely should derail an acquisition. If foreseen and properly addressed in the letter of intent or other initial documentation, these issues can be adequately resolved in the transactional agreements. Mechanisms to address these issues include specifically tailored representations and warranties, provisions concerning liabilities retained by the acquired business, adjustments to the purchase price, provisions for the hold back and qualified release of a portions of the purchase price, cyber liability tail coverage, and separate insurance concerning cybersecurity and privacy representations and warranties made by the acquired business.

The values of many businesses depend on their cybersecurity and privacy compliance and liability. As attorneys for acquired businesses, we must prepare our clients by starting to address these issues long before potential transactions. If we represent acquirers, we have more nuanced obligations to help our clients understand how significantly the value of the acquired business depends on its information, conduct due diligence that effectively identifies cybersecurity liability and compliance concerns, and address any such issues that arise in the initial and ultimate transactional agreements.