In 2015, we saw several important cybersecurity breaches in the industry. Some of them received extensive media coverage, while others remained less known to the general public. Recently, the online dating website Ashley Madison was hacked and the identities of millions of users around the world were revealed. Even more recently, we learned that over 500 million Yahoo user accounts had been hacked in 2014; this news came out shortly after the acquisition of Yahoo by telecom giant Verizon. Can these attacks jeopardize your upcoming transaction? They absolutely can. As a matter of fact, Verizon asked for a $1 billion discount off its initial offer of $4.8 billion to acquire Yahoo and just recently said that it has a reasonable basis to believe that the massive data breach of email accounts represents a material impact that could allow Verizon to withdraw from the deal. The burden now seems to be on Yahoo to demonstrate the full impact of the breach.

These attacks raise an important question: are companies aware of the importance of conducting thorough cybersecurity due diligence in their M&A transactions? Here are a few tips that could be helpful when assessing the cybersecurity risk of a target company:

  1. Do not wait until the end of your due diligence. Start assessing the risk at the earliest stage of the due diligence process. It is important to ask the target what its most important and useful IT systems are and what the most common risks associated with them are. Are they covered by complete and extensive IT policies? Are they regularly updated and evaluated by IT experts? Those are examples of questions that need to be asked while conducting your IT due diligence.
  2. Know exactly which systems matter most. Since cybersecurity due diligence can be very expensive for the buyer, it is important to identify which systems or technologies are most at risk of being subject to a cyber-attack. By tailoring your risk assessment, you control the cost while making sure to investigate the systems with a higher risk of being hacked, whose compromise would endanger the success of your transaction.
  3. Do not engage in any cybersecurity risk assessment if your company does not have internal IT experts or extensive knowledge in this area. Estimating the cost of a potential cybersecurity problem within the target's systems is no easy task. It is important not only to discover such problems but also to be able to evaluate how such a problem could negatively impact the transaction and what the best way to fix it is, before engaging in further discussions or negotiations. If your company does not have an internal team to carry out the cybersecurity due diligence, you should consider retaining the services of external IT specialists.
  4. Consider the importance of obtaining cyber insurance. Since cyber-attacks can be highly expensive for a company, the importance of cyber insurance (not only in the specific context of an M&A transaction) is rising for many companies throughout the market. According to an IBM survey conducted in 2016, the average cost of a data breach reached $6.03 million this year, which represents a 12.5% increase compared to 2015. The software maker McAfee estimated that the total cost of cybercrime to the global economy can reach up to US$575 billion per year. The costs are high and, most of the time, very difficult to estimate, which is why companies should consider having cyber insurance to protect themselves from such costs and uncertainty. Cyber insurance policies can cover a wide range of risks, from network security liability to regulatory defense and penalties and network extortion.

For more, please see our previous posts on how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction and the ways regulatory bodies have begun managing these risks.

The author would like to thank Vincent Belley, articling student, for his assistance in preparing this legal update.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
