Cybersecurity Concerns Are Changing M&As: What It Means for In-House Lawyers
Cybersecurity is becoming a significant concern for companies pursuing mergers and acquisitions. And it's not just with M&As in consumer-face industries, where lost credit card numbers, passwords, or medical information can lead to significant liability. Almost all businesses have some data security risks. Thus, looking into a company's cybersecurity practices is an increasingly important aspect of risk management and M&A due diligence.
Here's what that means for in-house attorneys.
More Emphasis on Cybersecurity
Companies are approaching cybersecurity with more seriousness when considering acquisitions. Morrison & Foerster's "M&A Leaders Survey," for example, reports that "concerns about potential liability due to cybersecurity (think: Verizon-Yahoo) are making buyers take a much closer look at companies they plan to buy." Eighty-two percent of executives, investors, and GCs surveyed now place more emphasis on cybersecurity than they did a year ago.
That responsibility is increasingly landing on the shoulders of in-house legal departments, too. MoFo partner and M&A Practice Group co-chairman Robert Townsend was quoted in Legaltech News saying that attorneys need to "understand the types of cybersecurity risks that can arise in the target company's industry" in order to deal with these new challenges.
Investigate, Identify, Solve
Jennifer Archie, a partner at Latham & Watkins, advises companies to begin looking in to cybersecurity at the engagement stage. That should include a survey of what types of data a company stores, where it stores it, and how it's protected, as well as investigation in to whether a company has legal counsel, internally or externally, regularly advising on cybersecurity measures.
Most importantly, companies need to take their investigation into M&A cybersecurity seriously. "If there was ever an era when minimizing or commoditizing assessment of cybersecurity risks in the M&A space was sensible, that time has surely passed," Archie says.
That does not mean all in-house lawyers need to go back for a cybersecurity LLM, though. Townsend recommends bringing in dedicated cybersecurity lawyers, who can "call on third-party forensic firms and technical advisers in their network, if the client wants a third-party technical viewpoint."
The key isn't solving every problem yourself, but knowing that it exists, and finding the right people and the right resources to solve it.
- Here's Why Cybersecurity Should Be a Key Part of M&A Due Diligence (Business Insider)
- Sniff Out a Company's 'Data Hygiene' as Part of Your Due Diligence (FindLaw's In House)
- The Greatest Threat to Your Data Security May Be Yourself (FindLaw's In House)
- When It Comes to Data Security, Corps Turn to Outside Counsel (FindLaw's In House)
FindLaw has an affiliate relationship with Indeed, earning a small amount of money each time someone uses Indeed's services via FindLaw. FindLaw receives no compensation in exchange for editorial coverage.