The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Mergers & Acquisitions

  • From Vol. 4 No.8 (Apr. 18, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Vendors and M&A (Part Three of Three)

    Effective cybersecurity strategy requires the legal and security functions to work together when assessing third parties, either in the context of hiring a vendor or merging with or acquiring a new company. “I don’t think they’re coordinating very well,” Akin partner Michelle Reed told The Cybersecurity Law Report. With insight from Reed and technical experts, this third installment of our three-part series on when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program tackles coordination between the two teams on vendor assessments, M&A due diligence and combatting insider threats. Part two examined how both teams can coordinate on incident response and on assessing risk and privacy impact. Part one covered how to structure corporate governance for optimal collaboration between these two groups. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017) and “Mitigating Cyber Risk in M&A Deals and Third-Party Relationships” (Jul. 6, 2016).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure

    Following cyber due diligence, acquiring companies should focus on carefully drafting M&A transaction documents, as many boilerplate reps and warranties regarding cybersecurity and privacy lack sufficient specificity. In addition, companies should develop a process governing internal due diligence and how and when to disclose cyber risks and events to the SEC. Proskauer partners Lauren Boglivi and Julie Allen provided guidance on these critical issues of documentation and disclosure at a recent event. In a companion article, we covered Boglivi and Allen’s remarks, in addition to those of Proskauer partners Kristen Mathews and Jeff Neuburger, about strategies for conducting cyber diligence on a target. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    How to Mitigate the Risks of Open-Source Software (Part Two of Two)

    Companies may be unaware they are using open-source software in their operations. This can be significant because while OSS is inexpensive and reliable, it does carry with it significant cybersecurity and intellectual property risks that should be addressed. A recent Strafford program offered a comprehensive primer on OSS and insights on designing appropriate compliance controls for its use. The program featured James G. Gatto, a partner at Sheppard Mullin Richter & Hampton and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part two of our coverage discusses where attorneys encounter OSS challenges, how to identify whether a company is using OSS, best practices for OSS governance, and patent issues that OSS presents. Part one explained the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    Cyber Due Diligence Strategies During Acquisitions

    Telstra, Avaya and TalkTalk are among high-profile companies to have discovered breaches at targets only after the acquisition, illustrating the need for comprehensive cybersecurity and privacy due diligence. At a recent panel, Proskauer partners discussed strategies for how acquirers can best assess and handle cyber issues at target companies. See “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End

    For cybersecurity advisors, whether legal or technical, knowing the structural and business characteristics of a mergers and acquisitions target is just the beginning of an intense due diligence process. Operating somewhat furtively on a “need-to-know” basis within the limitations of any transaction, advisors need to gather information quickly and thoroughly so that they can provide input on whether and how a deal should move forward. It is an intense and exciting process fraught with responsibility and pressure. In a session at the recent Georgetown Cybersecurity Law Institute moderated by Jennifer Archie, a partner at Latham & Watkins, panelists Jay Brudz, a partner at Drinker Biddle, Christopher Hale, senior counsel for cybersecurity at Raytheon Company and David McCue, president of boutique advisory service McCue, Inc., provided their suggestions on work flow and processes along with a few war stories from the field. See “Cybersecurity Due Diligence in M&A Is No Longer Optional” (Aug. 24, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach

    Yahoo’s 2014 massive data breach, made public only two months after Verizon announced its plans to acquire Yahoo for $4.83 billion, highlights the necessity for proper cybersecurity due diligence in advance of an acquisition, and for the acquiring company to account for an undetected breach as part of the value of the transaction. There probably needs to be “a little more cybersecurity homework done before pulling the trigger on an acquisition. We hope this situation brings that conversation to the forefront,” Milan Patel, a managing director in K2 Intelligence’s cyber defense practice, told The Cybersecurity Law Report. In this article, with insight from attorneys and technical consultants, we examine current contingencies in Verizon’s deal with Yahoo and detail steps companies should be taking to identify and mitigate cyber risk through due diligence and how to structure a deal to account for those potential risks. See “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015). 

  • From Vol. 2 No.19 (Sep. 21, 2016)

    Managing Data Privacy Challenges While Conducting Due Diligence and Investigations in China (Part Two of Two)

    For companies doing business in China, understanding data privacy and cybersecurity legal requirements under Chinese law is critical. But once a company is familiar with these basic legal contours, more practical concerns dominate the ability to successfully conduct internal operations and external transactions. In this article, the second in a two-part series on China’s data privacy and cybersecurity laws, we share insights from practitioners working in China on how companies can manage the actual challenges of running their businesses while staying on the right side of the law. The first article in the series explained the basic structure of the data compliance regime in China, including criminal law, civil law, industry regulations and the draft Cybersecurity Law. See also “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    Cybersecurity Due Diligence in M&A Is No Longer Optional

    The heightened importance of cybersecurity in the corporate environment has made it vital for potential acquirers to assess the IT systems of target companies to determine their value and risk. Despite an increased awareness of the importance of cyber due diligence, many companies lack the proper personnel to conduct thorough analyses, according to a new study by West Monroe Partners and Mergermarket that surveyed top-level corporate executives and private equity partners about their companies’ practices. The results provide a window into the trends that shape the diligence process, as well as insights into the ways it can be improved. We summarize the study’s key findings. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Mitigating Cyber Risk in M&A Deals and Third-Party Relationships

    Ensuring that a target, or a third-party vendor, has adequate cybersecurity controls before the company takes on the risks of that entity is of paramount importance in today’s cyber threat environment. At a recent PLI panel, counsel at Tiffany & Co. and EY shared advice for conducting M&A due diligence, including specific questions to ask, and presented a five-step plan for assessing and addressing data security and privacy risks that accompany third-party vendor relationships. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part Two of Two)

    The role of general counsel and compliance officers in pre-transaction due diligence is becoming increasingly integral in companies’ acquisitions processes.  Relatively new on their growing list of due diligence items are cybersecurity and data privacy issues.  For some deals, discovering problems in those areas will prompt a party to end the process.  But in other transactions, the parties will tackle the issues and find a solution to finalize the deal.  This article, the second in our two-part series on M&A cybersecurity best practices, examines how to handle cybersecurity problems when they are discovered, when to walk away and how to manage risk, remediation and integration when the deal does move forward.  Part one focused on cybersecurity and data privacy due diligence.  It also discussed proactive measures each side can take to facilitate a smooth transaction.  See also “Cybersecurity and Information Governance Considerations in Mergers and Acquisitions,” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)

    Ensuring a target company has strong cybersecurity and data privacy programs is quickly becoming a pillar of merger and acquisition due diligence.  In this two-part article series, we explain how these issues can be handled before, during and after the deal to ensure that a company’s data remains safe, compliant and in line with any privacy policies or other agreements.  Part one focuses on cybersecurity and data privacy due diligence and proactive measures an acquiring company, as well as a target, can take to facilitate a smooth transaction, with examples from companies such as Disney and Instagram.  Part two will examine how to handle cybersecurity problems when they are discovered; when to walk away; and how to manage risk, remediation and integration when the deal does move forward.  See also “Cybersecurity and Information Governance Considerations in Mergers and Acquisitions,” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015).

     

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Cybersecurity and Information Governance Considerations in Mergers and Acquisitions

    The growing impact of cyber incidents has led to a heightened need to conduct a thorough cyber due diligence both before and after an M&A deal.  In a recent webinar, Reed Smith partners Anthony J. Diana, Courtney C.T. Horrigan, Mark S. Melodia and Richard D. Smith shared insight on how cybersecurity affects the valuation of certain assets and offered advice on how to focus due diligence to detect and assess cyber risks pre-transaction, including litigation risks that can arise from data breaches.  They also recommended specific steps for planning post-closing data integration and evaluating the adequacy of insurance coverage.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).  There has been a flurry of data breach activity over the past 10 years, and “it is only increasing in pace,” Melodia noted.  A company’s cyber risk can directly affect its value in an M&A context.  This is where “cyber risk meets the deal,” he said.
