Cybersecurity Concerns Are Changing M&As: What It Means for In-House Lawyers

By Casey C. Sullivan, Esq. on November 02, 2016 | Last updated on March 21, 2019

Cybersecurity is becoming a significant concern for companies pursuing mergers and acquisitions. And it's not just with M&As in consumer-face industries, where lost credit card numbers, passwords, or medical information can lead to significant liability. Almost all businesses have some data security risks. Thus, looking into a company's cybersecurity practices is an increasingly important aspect of risk management and M&A due diligence.

Here's what that means for in-house attorneys.

More Emphasis on Cybersecurity

Companies are approaching cybersecurity with more seriousness when considering acquisitions. Morrison & Foerster's "M&A Leaders Survey," for example, reports that "concerns about potential liability due to cybersecurity (think: Verizon-Yahoo) are making buyers take a much closer look at companies they plan to buy." Eighty-two percent of executives, investors, and GCs surveyed now place more emphasis on cybersecurity than they did a year ago.

That responsibility is increasingly landing on the shoulders of in-house legal departments, too. MoFo partner and M&A Practice Group co-chairman Robert Townsend was quoted in Legaltech News saying that attorneys need to "understand the types of cybersecurity risks that can arise in the target company's industry" in order to deal with these new challenges.

Investigate, Identify, Solve

Jennifer Archie, a partner at Latham & Watkins, advises companies to begin looking in to cybersecurity at the engagement stage. That should include a survey of what types of data a company stores, where it stores it, and how it's protected, as well as investigation in to whether a company has legal counsel, internally or externally, regularly advising on cybersecurity measures.

Most importantly, companies need to take their investigation into M&A cybersecurity seriously. "If there was ever an era when minimizing or commoditizing assessment of cybersecurity risks in the M&A space was sensible, that time has surely passed," Archie says.

That does not mean all in-house lawyers need to go back for a cybersecurity LLM, though. Townsend recommends bringing in dedicated cybersecurity lawyers, who can "call on third-party forensic firms and technical advisers in their network, if the client wants a third-party technical viewpoint."

The key isn't solving every problem yourself, but knowing that it exists, and finding the right people and the right resources to solve it.

Looking for new talent? Post a job for free on Indeed, or search local candidate resumes.

Related Resources:

FindLaw has an affiliate relationship with Indeed, earning a small amount of money each time someone uses Indeed's services via FindLaw. FindLaw receives no compensation in exchange for editorial coverage.

Copied to clipboard