Cybersecurity in M&A transactions: common representations & warranties

M&A in the digital era cannot ignore cybersecurity and its implications on a deal. Properly evaluating the cyber risks and seeking adequate contractual protection are essential for transactions where the value lies in digital assets.

Cybersecurity has long been vital for business and has become an even more critical expenditure in recent years. As most technology experts tend to admit, no system can be engineered to be perfectly secure or absolutely trustworthy.

In an increasingly data-driven world, businesses must focus on keeping their high-value and equally cyber-vulnerable digital assets intact. A cyberattack can quickly and substantially reduce the value of a deal and, if not identified in time, may carry-on the risks and contaminate the acquirer's systems as well.

Just as it takes over debt and liabilities, a buyer looking to acquire shares will inherit all the business's cyber vulnerabilities. Hence, an acquirer must be wary not only of failing to obtain the full value of what it seeks, but also of belatedly finding the target to be burdened by cybersecurity shortcomings that create risks for the buyer.

Cyber due diligence

Considering the risk associated with cyberattacks, security should be considered throughout all stages of the process. A check on the target's cybersecurity preparedness should be as customary as assessing a target's financial, legal, operational or reputational risks.

If the due diligence reveals vulnerabilities, previous incidents or generally outdated systems, the buyer should anticipate the need for additional costs being allocated to the target to enhance its security systems. This may prompt the buyer to negotiate a lower purchase price or establish a holdback/escrow mechanism for part of the price to secure cyber remedies post-completion.

A cyberattack occurring between signing and closing may represent a material adverse change in the respective business, which should allow the buyer to reassess the terms of the deal or even walk away.

But even the most thorough due diligence may not be able to confirm a target's compliance with the requirement of the absence of incidents compromising data security. Hence, buyers may also seek protection against cyberthreats through representations and warranties. Since representations and warranties are ultimately about risk allocation, sellers will want to limit their risk of warranties being breached by introducing qualifiers such as their knowledge (i.e. give the warranty based on the knowledge of a certain group of individuals) or "material" qualifiers (i.e. limit the warranty to matters that are material to the value of the transaction) or by generally limiting the warranties to a certain look-back period.

Regardless of the negotiation tactics, a prudent buyer of digital assets will request representations and warranties covering at least the existence of and adherence to data security policies, compliance with contractual obligations regarding data security, the absence of unauthorised access to the target's data, the absence of security incidents, and the existence of security measures to protect systems and information.

Conclusion

Cybersecurity is not just a technical term. It is a legal obligation for companies and, when high-value digital assets are at stake, can be a factor that makes or breaks an M&A deal. Cybersecurity should therefore be a persistent concern throughout an M&A deal, from the early stages of due diligence to the final agreement containing representations, warranties and indemnities aimed at covering possible cyber risks, and eventually to the full-scale safe integration of businesses.

author: Mădălina Neagu