Mergers And Acquisitions: Considerations In The COVID-19 Era – Corporate/Commercial Law

To print this article, all you need is to be registered or login on

This is part six of a series focusing on current M&A
trends, opportunities and challenges

Cyber risks are an important consideration regarding all merger,
acquisition and financing (“M&A”) transactions.
Cyber risks can affect the viability and value of an M&A
transaction, influence the nature and terms of a transaction, and
in some circumstances cause the parties to abandon a transaction.
In addition, parties to an M&A transaction and their directors
and officers (if applicable) might be legally obligated to address
cyber risks in connection with the transaction and incur
potentially significant liabilities if they fail to do so. For
those reasons, parties to an M&A transaction should
appropriately address cyber risks throughout the transaction life

Understanding cyber risks

Cyber risks are risks of losses, costs and liabilities suffered
or incurred by an organization as a result of a cybersecurity
incident (i.e., an incident that adversely affects the
confidentiality, integrity or availability of data in the
organization’s custody or control, or the information
technology systems used by or on behalf of the organization or its
business partners and advisors). Cybersecurity incidents can result
from internal sources (e.g., employees, contract workers, and
system failures) or external sources (e.g., nation-states,
terrorists, competitors, hackers, and fraudsters).

Losses caused by a cybersecurity incident can include business
interruption loss, loss of critical data, trade secret disclosure,
loss of revenue and other financial loss, loss to stakeholder
value, brand depreciation, and harm to reputation and customer
loyalty. Costs and liabilities resulting from a cybersecurity
incident can include incident response and remediation costs,
regulatory investigation costs, litigation costs, fines, and
financial liabilities to stakeholders, business partners, and

Cyber risks are relevant to every organization, regardless of
size, industry or public profile, because all organizations
(directly or indirectly through their business partners) use or
depend on information technology systems and data for their
day-to-day operations. While large, high-profile organizations
might be the most obvious targets for cyber attacks, cybercriminals
are increasingly targeting small and medium sized organizations to
obtain information about their customers and as a way to access the
information technology systems and data of their business

Effective cyber risk management is an enterprise-wide risk
management and compliance challenge that requires a comprehensive,
multidisciplinary approach based on three pillars – people,
processes and technology. Appropriate cybersecurity controls
– processes and technologies designed to prevent, detect, and
respond to cybersecurity incidents – are of fundamental

Cyber risks and M&A transactions

Cyber risks are relevant to almost all M&A transactions and
important to all transacting parties (e.g., buyers, sellers, and
lenders/investors) for both business and legal compliance reasons.
Well-known M&A transactions that have been adversely affected
by cybersecurity incidents include:

  • Verizon/Yahoo!:  Data security incidents
    at Yahoo! discovered before the completion of Verizon’s
    USD $4.83 billion acquisition of Yahoo! resulted in a $350
    million reduction in the purchase price and an allocation to Yahoo!
    of liability for costs resulting from the incidents.
  • PayPal/TIO:  A data security incident at
    TIO discovered after PayPal’s CAN $302 million
    acquisition of TIO resulted in PayPal shutting down TIO’s
    services and winding down TIO.
  • Spirit AeroSystems/Asco:   The terms
    of Spirit’s proposed acquisition of Asco were substantially
    amended after Asco’s business was disrupted by a ransomware
    attack. Ultimately, the transaction was cancelled.
  • Marriott/Starwood:  A data security
    incident at Starwood Hotels that began two years before
    Marriott’s acquisition of Starwood and was not discovered
    until after the acquisition was completed resulted in a £18.4
    million fine imposed on Marriott by the U.K. Information
    Commissioner’s Office.

According to an October 2020 M&A Trends
Survey conducted by Deloitte, cybersecurity threats are
the top concern for more than half (51%) of respondents as they
manage M&A transactions virtually.

Business considerations

Cybersecurity incidents and cyber risks can dramatically reduce
the present and potential future value of the business or assets
that are the subject of an M&A transaction and impose
potentially significant costs and liabilities on the transacting
parties after the transaction is completed. Certain assets (e.g.,
brand, reputation, and customer goodwill) can be particularly
vulnerable to harm caused by a cybersecurity incident. In some
circumstances, significant cyber risks can cause the parties to
negotiate substantial changes to the value and structure of a
proposed M&A transaction or to abandon the transaction.
Cybersecurity incidents can also impair the transacting
parties’ ability to negotiate and complete an M&A

Legal compliance considerations

Failure to appropriately address cyber risks in connection with
an M&A transaction can expose the transacting parties, and in
some instances their directors and officers, to potentially
significant legal compliance costs and liabilities after the
transaction is completed. Common legal compliance considerations
include obligations under personal information protection laws,
corporate directors’ and officers’ duties of care,
reporting issuers’ continuous disclosure obligations, and
contractual obligations.

Personal information protection

Canadian personal information protection laws regulate the
collection, use, disclosure, and retention of personal information
by private sector organizations in Canada. Those laws impose
restrictions and requirements for the sharing of personal
information in connection with a prospective or completed M&A
transaction. In addition, the transfer of control over personal
information in connection with a completed M&A transaction can
result in the transfer of accountability for safeguarding the
personal information and expose the transacting parties to
potentially significant legal compliance costs
(e.g., improving personal information safeguards) and
liability to individuals and organizations affected by a personal
information security incident.

Corporate directors’ and officers’

Under Canadian law, corporate directors are obligated to manage
or supervise the management of the business and affairs of their
corporation and corporate officers are responsible for their
corporation’s day-to-day operations. Canadian regulators and
authoritative organizations have emphasized that corporate
directors must be engaged and take an active role in their
corporation’s cyber risk management activities and must
ensure that corporate management has properly implemented
appropriate policies and practices to manage cyber risks and
respond to cybersecurity incidents. Corporate directors’ and
officers’ responsibilities regarding risk management include
managing cyber risks in connection with M&A transactions.
Failure to do so might not only result in harm to the corporation
but also expose its directors and officers to potentially
significant liability.

Reporting issuers – continuous disclosure

Canadian securities laws require reporting issuers
(i.e., corporations whose shares are publicly traded) to make
continuous disclosure of material information about their business
so that investors have equal access to information that might
affect their investment decisions. Continuous disclosure
obligations require timely disclosure of material cybersecurity
risks and cybersecurity incidents. Those obligations might require
a reporting issuer participating in an M&A transaction to
identify and assess the cyber risks associated with the transaction
and accurately describe those risks in the reporting issuer’s
continuous disclosure documents.

Contractual obligations and quasi-contractual

Commercial agreements (e.g., supplier agreements, service
provider agreements, and merchant agreements) often impose
contractual obligations to protect data (e.g., business data,
customer data, and cardholder data) and report data security
incidents. Cybersecurity obligations might also result from
quasi-contractual assurances given by an organization in various
kinds of published policies (e.g., privacy policies) and
promotional communications. The parties to an M&A transaction
should consider the cyber risks resulting from those kinds of

Managing cyber risks in M&A transactions

There is no one-size-fits-all solution for effectively managing
cyber risks in connection with an M&A transaction. The
importance of cyber risks to an M&A transaction, and how those
risks might be addressed and allocated effectively and
appropriately, will depend on the circumstances, including:

  • the nature of the transacting parties and their business
  • the industries and legal jurisdictions in which the parties
  • the kind of transaction (e.g., asset sale or share sale);
  • the nature, amount, and timing of the consideration paid;
  • the nature and importance of the parties’ respective
    information technology systems and data;
  • the parties’ post-transaction plans;
  • each party’s risk tolerance; and
  • applicable representation/warranty insurance.

To effectively manage cyber risks in an
M&A transaction, the transacting parties and their
advisors should consider cyber risks throughout the transaction
life cycle: deal processes, due diligence, transaction agreement,
and post-transaction activities. Following are some comments and

Deal processes

The deal processes used by transacting parties and their
advisors to negotiate and document an M&A transaction can
present potentially significant cyber risks. For example:
(1) technologies used to share confidential documents and
information regarding a transaction can be hacked or harmed by
malware or ransomware; (2) the security of deal-related
communications can be compromised; and (3) participating
individuals can be deceived by fraudulent messages. For those
reasons, the parties to an M&A transaction and their advisors
should implement appropriate agreements and security controls
(e.g., secure online data rooms and communication protocols) to
mitigate cyber risks inherent in M&A deal processes.

Cyber risk due diligence

M&A due diligence refers to investigations and assessments
of a transacting party and its business and assets to discover and
verify information relevant to a proposed transaction and identify
and assess risks associated with the proposed transaction.
Customary M&A due diligence will usually identify some cyber
risks. Nevertheless, for most M&A transactions it will be
appropriate to engage in due diligence specifically directed to
cyber risks to obtain the information necessary for the transacting
parties to make informed decisions about the transaction and
post-transaction activities, negotiate an M&A agreement that
appropriately addresses cyber risks, procure adequate
representation/warranty insurance, and comply with applicable

Effective cyber risk due diligence is not a simple check-the-box
process. It requires a collaborative effort by business, technical,
and legal advisors with the experience and expertise necessary to
identify and assess cyber risks material to the transaction and
recommend appropriate strategies to mitigate those risks. To the
extent practicable, cyber risk due diligence should be conducted by
and under the direction of legal counsel, so the transacting
parties can appropriately assert legal privilege over due diligence

The cyber risk due diligence strategy for an M&A transaction
should be tailored to the particular circumstances of the
transaction. Cybersecurity frameworks and best practices guidance
for conducting cyber due diligence should be used with reasonable
business judgment based on accurate information and expert

M&A agreements

M&A agreements invariably contain provisions that allocate
among the transacting parties various risks arising from the
transaction, including circumstances occurring before or after the
transaction is completed. Many of those provisions will apply to
cyber risks and related losses and liabilities. Nevertheless, for
many M&A transactions, it will be appropriate to include in the
M&A agreement provisions that specifically address cyber risks,

  • representations and warranties about cyber risks, including
    risks identified during due diligence and issues relevant to
    representation/warranty insurance;
  • covenants that impose obligations, before and after the
    transaction is completed, regarding cyber risks;
  • special indemnities, holdbacks and insurance obligations
    regarding cyber risks; and
  • specific remedies if a cybersecurity incident occurs or is
    discovered before or after the transaction is completed.

Post-transaction issues

Parties to an M&A transaction should plan and prepare for
additional or increased cyber risks after the transaction is
completed, including risks relating to the integration of the
parties’ business operations and information technology
systems, the sharing of data between the parties, and innocent
errors and intentional misconduct by the parties’ personnel.
Transacting parties should be mindful of post-transaction legal
compliance obligations relating to cyber risks
(e.g., compliance with personal information protection laws,
continuous disclosure obligations for reporting issuers, and
corporate risk management generally) and costs associated with
remediating both known and unknown cybersecurity problems.
Transacting parties should also determine whether an M&A
transaction affects their existing cyber insurance coverage or
results in a need for additional cyber insurance.

Key takeaways

The importance of cyber risks to an M&A transaction, and how
those risks can be addressed effectively and appropriately, will
depend on the circumstances and might require the transacting
parties to contend with, and sometimes anticipate, rapid changes in
cyber threats, evolving cybersecurity best practices, and new legal
compliance obligations and liabilities. For those reasons, parties
to an M&A transaction should obtain appropriate business,
technical, and legal advice about cyber risks to properly inform
their risk-based business decisions about the transaction and help
address cyber risks throughout the transaction life cycle.

Following is a summary of key steps for managing cyber risks in
connection with an M&A transaction:

  • Implement cybersecurity controls (e.g., data
    confidentiality/security agreements, secure online data rooms, and
    communication protocols) for the deal processes to be used by the
    transacting parties and their advisors and to protect commercially
    sensitive and regulated information (e.g., personal information)
    disclosed during negotiations and due diligence.
  • Implement a strategy to help assert legal privilege over cyber
    risk due diligence results.
  • Conduct appropriate cyber risk due diligence of each relevant
    transacting party to identify and assess cyber risks relevant to
    the transaction and post-transaction activities.
  • Document the use of cyber risk due diligence results by or at
    the direction of transaction decision-makers (e.g., corporate
    directors and officers) to evidence their compliance with legal
    obligations (e.g., corporate directors’ and
    officers’ risk management duties and continuous disclosure
    obligations, if applicable).
  • To the extent appropriate and practicable, mitigate identified
    cyber risks before the transaction is completed and plan to address
    cyber risks after the transaction is completed.
  • Consider cyber risk due diligence results when negotiating the
    nature and terms of the transaction, and include in transaction
    agreements appropriate risk allocation provisions –
    representations and warranties, covenants, indemnities and remedies
    – to address cyber risks.
  • After the transaction is completed, implement cybersecurity
    controls to address cyber risks identified during due diligence and
    additional or increased cyber risks resulting from the transaction,
    and consider procuring additional cyber insurance.

About BLG

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Comments are closed.