M&A Due Diligence Checklist: Cyber Security ranked as Number 1?
According to wallstreetprep.com, a training provider for the world’s top financial institutions, the Material Adverse Change (“MAC”) clause is “one of several legal mechanisms used to reduce risk and uncertainty for buyers and sellers during the period between the date of the merger agreement and the date the deal closes”.
In essence, a “Material Adverse Change” is any material adverse change in the business, results of operations, assets, liabilities, or financial condition of the Seller, as determined from the perspective of a reasonable person in the buyer’s position.
Whilst digital transformation is now top of mind for every board of directors, it also increases the digital footprint and thus makes a company more attractive to cyber criminals. However, the attention that boards pay to cyber security is not at all proportionate to the risks that cyber accidents or cyber crime pose to the operations, the financials, and ultimately the value of the company.
For sure, the merger or acquisition target looks attractive from an innovation, financial, growth-outlook or leadership-team point of view. A decent due diligence process covers all these typical aspects, and for many years this approach appeared sufficient.
Times are changing: cyber security is threatening M&A
What about your company data and your intellectual property stored on a server somewhere? Who has access to those systems: employees, ex-employees, third parties? What type of access do they have: read, or read/write? People seem to forget that digital information (a “file”) can easily be copied, emailed or printed, often without the company’s knowledge or permission. So this raises the question: is there a blind spot here that companies fail to appropriately consider in light of the risks and damages involved?
In 2019, a lot of M&A deals are still proceeding on the basis of a simple cyber security self-assessment. These are often one-pagers with standard questions, and in most cases no evidence is required. The reason? Lack of interest? Lack of awareness? Or is it a lack of understanding of how to deal with digital assets and their protection?
There is a reason why regulators are increasingly writing technical and organizational cyber security measures into legislation (e.g. GDPR, NIS, the new EBA outsourcing guidelines for financial institutions).
Add cyber security to your list of USPs
Buyers often insist on clauses in the share or asset purchase agreement that allow them either to back out of a purchase or to renegotiate the conditions of the sale, protecting them against existing but not yet uncovered risks, or against new risks. Many agreements also contain escrow provisions under which a substantial part of the sale price is parked in a bank account for a number of years and can be clawed back by the buyer under certain circumstances if the results have not evolved as anticipated.
As a seller, you really don’t want the buyer to invoke the Material Adverse Change clause or to walk away after the computer systems of your company have been hit by a cyberattack or a hack, potentially causing substantial operational, financial and reputational damage. Imagine the economic loss a company would suffer if new designs, descriptions of inventions or outlines of new products were stolen and publicly disclosed or sold to the competition.
Having invested so much in building a company, growing it, and bringing good products or premium services to your customers, does it make sense to risk losing it all at the snap of a finger for lack of a robust and well-thought-out cyber security strategy?
The good news: implementing cyber security the right way might even add to your list of USPs (unique selling propositions), basically the reasons why they should invest in you and not in your competitor. Why? Cyber security, in essence, is all about knowing your risks and how to mitigate them. Fewer risks mean potentially more (or faster) money on the table.
Know what you invest in as a buyer
Are you active as a private equity firm, a hedge fund or a venture capital investor, or are you a company that simply wants to grow its business through the acquisition of an interesting target?
As a buyer, investing in a company without having an in-depth overview of its cyber risk management is like being the captain of the Titanic – it is an accident waiting to happen. It’s a simple matter of when, not if.
So proper screening of cyber security-related items during the M&A due diligence is a must if you want to minimize post-transaction risks, associated fines (private or public), and costly remediation.
Both seller and buyer have similar interests to consider. In the end, it’s all about protecting your assets, whether digital or financial, your company’s brand reputation and ultimately its value.
One will never be 100% protected against cyber criminals, even after remediating all discovered cyber security related risks. But one can certainly minimize the impact, the damage and the time needed to restart the company’s operations, and thus preserve the company’s value. Doing nothing and hoping to get away with it is no longer an option. Hope is not a strategy.
Kenneth A. Adams, A Legal-Usage Analysis of “Material Adverse Change” Provisions, 10 FORDHAM J. CORP. & FIN. L. 9, 21 (2004)