The M&A market is breaking all records again. 5.9 trillion USD were turned over by M&A transactions worldwide in 2021. Damages caused by cyber attacks also reach record levels. 6 trillion USD in 2021. Poor or missing cyber security is currently by far the biggest threat to all companies. Despite this, companies are currently not consistently screened for cyber risks in M&A transactions. This is because no standard has yet been established for auditing and the possible handling of audit results.
Cybersecurity in M&A transactions
While classic audit points of the target company are analysed during a company acquisition, for example through business, tax or legal due diligence, and thus become a tangible part of a transaction process, this does not apply equally to cyber risks. Cyber security is still a difficult task for many companies to solve. Therefore, this aspect is predominantly ignored in the M&A process. This is mainly due to the fact that there are no (legally) recognised standards in this regard so far, and therefore few competences have been formed on the market side to remedy this circumstance. The risks and resulting damages affect all parties to the transaction. The buyer acquires a company that may not be protected against a major threat, the seller subsequently faces warranty, withdrawal and damage claims from the buyer. Mirroring these risks, a coherent and stable system for the defence against cyber risks established in the course of a cyber due diligence is a real value factor that has to be examined in the transaction process and adequately assessed by the parties in the purchase price.
Content of a Cyber due diligence
A cyber due diligence carried out by qualified professionals and adequately considered by legal advisors in the transaction process is an indispensable part of any transaction in today’s world. The result of the cyber due diligence is, depending on requirements, a report on the results or instructions for action by the service provider commissioned for this purpose. The cyber due diligence is ideally started with a penetration test. With the help of this simulated analogue and digital attack, the status quo of cyber security in the target company or its current defence capability is analysed. Following on from this, the target’s data protection concept and the existing cyber risk management system (“CRMS”) should be examined. In this context, the management, in particular the CEO, CISO and data protection officers, must also be interviewed in cooperation with the cyber security service provider and the legal advisor of the transaction parties. The scope (holistic or selective) and the accentuation of the CRMS on essential, operationally relevant assets and processes of the company are particularly relevant. At least with respect to the assets and processes, a cyber security incident response plan (“CIRP”) should also be in place to ensure the continuity of the company’s operations in the event of realised cyber risks. To the extent that a Target does not have a CRMS or CIRP, one must be developed with the service provider and made an essential contractual basis of the transaction. In addition, the human factor, by far the highest security risk, must be assessed with regard to the employees, any existing cyber insurance policies and their insurance exclusions. In order to safeguard the target company during the transaction, it is advisable to have it monitored by Cyber Defence Operation Centres (“CDOC”) at very short intervals or permanently for the duration of the transaction. The CDOC reflects the security situation of the target to the transaction parties in real time (“cyber monitoring”). This meaningfully addresses the increased risk of a cyber attack as a result of the corporate transaction itself, as a virtual data room is usually set up with all confidential transaction data, which can be a target for ransomware attacks.
Cyber security in the M&A contract
There are several ways to consider the findings of a cyber due diligence in the M&A contract adapted to the needs of the parties. First, strong cybersecurity can be considered as a value factor in the purchase price. If, on the other hand, cyber security is more of a risk factor, additional contractual clauses can be included in the contract. Consideration can be given to indemnification agreements for the realisation of certain cyber risks, an independent seller’s warranty with regard to the cyber security of the target or a material-adverse-change-clause formulated as the buyer’s right of withdrawal in the event of significant negative changes between the conclusion of the contract and the actual takeover of the company. In addition, a Warranty & Indemnity insurance can also be concluded for the M&A contract, whereby the cyber due diligence is used as the basis for the risk assessment with regard to cyber security.
In view of the ever-increasing number of cyber attacks and the high financial and reputational damages of such an attack, cyber due diligence is highly recommended for a secure corporate transaction. Strong cyber security is a value driver. A lack of cyber security is not necessarily a knock-out criterion, but can be addressed fairly and in line with interests by correct wording in the purchase agreement. Legal advice and the work of a service provider with regard to cyber security should be done in tandem for the optimal satisfaction of needs and protection of the transaction parties.
¹ M&A Report 2022 by Bain & Company, available at https://www.bain.com/insights/topics/m-and-a-report/.
² Tagesschau from 18.01.2022, available at https://www.tagesschau.de/wirtschaft/unternehmen/cyberattacken-unternehmen-risiken-101.html.
³ FedEX, the Marriott Group and Verizon are just three prominent examples where a lack of cyber due diligence in the course of a transaction led to losses in the millions.
⁴ In detail on cyber due diligence, Grieger WM 2022, 1865 ff.