Given the ubiquity of electronic data, an acquirer must have a comprehensive understanding of a target company’s data privacy and cybersecurity risks. Such an understanding can minimize transactional risks and post‑closing liabilities.
A key due diligence task is determining the adequacy of the target company’s data privacy and cybersecurity practices given its legal obligations and the type and volume of information it collects. As with any due diligence exercise, the goals are to inform, validate and quantify. Accordingly, an acquirer’s cybersecurity due diligence should investigate the target company’s data privacy practices and procedures, evaluate the risks addressed by those practices and procedures and seek to eliminate (or at least reduce) those risks post-closing. The process entails categorizing the type of data collected by the target, identifying its data-centric vulnerabilities and reviewing its key technology vendor relationships. As cyberattacks often involve the unintentional downloading of malware, a prudent acquirer should also review the target company’s employee education and training programs.
Once the cybersecurity due diligence is completed, an acquirer should consider including a cybersecurity representation (tailored to the target’s specific business) in the purchase agreement. Such a cybersecurity representation could read as follows:
Finally, an acquirer should explore any existing and available insurance policies that may cover losses arising from a cybersecurity or data breach. These policies may cover, in whole or in part, costs incurred due to business interruption, system failure, cyberextortion, breach notification requirements and digital asset restoration.