
Did you assess the cyber risk in corporate acquisition deals?

The cyber risk deriving from merger and acquisition corporate deals is often underestimated, even though it can significantly threaten their profitability.  Still, there are solutions able to reduce such risk exposure.

The 2017 renegotiation of the sale of Yahoo!’s Internet-related business to Verizon, which reduced the purchase price by USD 350 million following the discovery of three data breaches that had occurred in previous years and impacted 3 billion accounts on the platform, has become history. Yet the price reduction did not solve all of Verizon’s problems: in the years following the closing of the acquisition, it had to reach a settlement of USD 117.5 million with the victims of the data breaches as a result of a class action lawsuit, and had to invest as much as USD 306 million in security measures.

Fast-forwarding this scenario to five years later, we find ourselves in a situation where:

  • 236.1 million ransomware attacks were identified in the first half of 2022, and since the beginning of the pandemic, there has been a 300 percent increase in cyber-attacks;
  • the average time required to identify and contain a data breach is 277 days, i.e., nine months, and a breach costs an average of USD 4.35 million, not including reputational and business loss damages;
  • as a result of the pandemic, there has been an increase in remote working and reliance on cloud computing platforms that have increased exposure to cyberattack risks; and similarly
  • customer relationships and business operations increasingly rely on
    • data that could be exfiltrated or made inaccessible through ransomware attacks due to remote relationships, and
    • machine learning and artificial intelligence systems that could be corrupted through data extraction practices that would result in altered systems behavior.

From this data, we understand that the risk of experiencing a cyber attack has increased significantly in recent years, the damages a company can suffer as a consequence of a cyber attack have also increased, and the time it takes to identify a cyber attack is exceptionally long. As such, a buyer might purchase a business and eventually discover that the company’s value is considerably diminished because a cyber attack occurred either before the closing or right after it, when the buyer has not yet been able to put in place its policies and security measures within the target company.

To date, due diligence in a corporate acquisition is often purely document-based. It does not take into account actual business operations, and no technical or compliance assessment of business activities is performed to ascertain whether a cyber attack has occurred, an attack of which the vendor is also likely to be entirely unaware.

Also, more than 82 percent of cyber attacks are due to human error, often caused by employee misconduct.  Thus, a company’s cyber security cannot be measured solely by ICT investments, and companies that invest more in internal compliance are less exposed to cyber risk.   In contrast, substantial technical investments commonly lead to a waste of resources.

This situation puts companies involved in corporate acquisition deals at significant risk of losing much of the value of the acquired target due to a cyber attack that is not discovered until several months after closing the deal. This risk is difficult to manage through contractual Reps & Warranties in the stock purchase agreement because the seller often limits them to information that is known to the seller and has been the subject of due diligence. Similarly, the vendor may not agree to delay the payment by almost a year. The limitation period for challenges by data protection authorities is, for instance, in Italy, five years. In contrast, for claims by individuals who are victims of data breaches, it is ten years, with an even greater risk now with the new Italian class action. And this situation comes in a context where the cost of cyber insurance to cover the risk is rising sharply and insurers require more stringent checklists to be completed.

However, a solution to minimize cyber risk in merger & acquisition transactions exists. To meet our clients’ needs, we have developed a unique solution that combines our expertise with that of other companies we have partnered with. If you would like to know more about this, please contact us.

On a similar issue, you can read the article “Have board directors any liability for a cyberattack against their company?”.

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.