How Cyber Breaches Will Shape Your Next M&A Deal

Buyer’s cyber due diligence should further consider how companies are preparing for future threats. This includes the technical and IT-related tools utilized for defense, and also staff training, policies and procedures and regulatory compliance – areas too often overlooked.

Buyers can also protect themselves with the appropriate reps and warranties in the transaction document.

The deal itself is a perilous time for cyber security and can be a magnet for hackers, as further detailed below. Buyers, then, should take responsibility for ensuring that systems, policies and procedures on both sides of the transaction are prepared to identify and defend against attacks before any public announcements.

Advice for everyone

Just as doctors must take precautions because their work exposes them to infectious disease, the entire deal-making community, from boards and the C-suite to their lawyers, public relations consultants and investment bankers, must be aware that they are an active and ongoing target of scammers and hackers. Precautions are warranted.

The period between announcing and closing a transaction is especially ripe for attacks. Hackers know that companies are not only exchanging confidential information but that attention may be diverted to completing the deal.

Transactions move quickly, and often involve late-night emails on tight deadlines from less-familiar parties with important-looking attachments. This environment is ripe for “spear-phishing,” a technique hackers use to mimic trusted senders, in hopes an unsuspecting target reveals information that can later be used to penetrate information systems.

Next, hackers use that information to deploy ransomware attacks, which block access to information systems or, alternatively, threaten to reveal sensitive data if a ransom is not paid. In fact, ransomware is the fastest-growing weapon in the cyber-criminal arsenal. These tactics are especially effective during an M&A transaction, when time is already of the essence. Hackers know that some companies may be willing to make a problem go away to ensure the transaction moves forward.

Consequently, every organization should ensure its cyber security training is up to date. Companies should also consider regular warnings and refresher courses for employees before transactions. During deals, special precautions should be taken. Emails with sensitive information should be encrypted, and virtual data rooms should meet the latest security standards, including two-factor authentication.

In today’s information-driven economy, nearly every company faces some cyber security risk. As a result, proper cyber defense, training, policies and procedures should be an everyday focus, not simply left until a deal is on the horizon.

But when that time comes, a comprehensive cyber examination by both buyer and seller ensures that any issues can be properly incorporated into the deal negotiation, instead of killing it outright.

Without such best practices, dealmakers leave themselves vulnerable to all manner of infectious cyber dangers.

David R. Owen leads the privacy and cyber security practice at Cahill Gordon & Reindel LLP. He is qualified as a Certified Information Privacy Professional (CIPP-US) by the International Association of Privacy Professionals (IAPP), the largest and most comprehensive global information privacy community. Kimberly Petillo-Décossard is a partner at Cahill, where she advises corporations, boards and private equity firms on complex business law matters, focusing on domestic and cross-border public and private mergers and acquisitions and related financing transactions.