Last updated on October 13, 2020
It should come as no surprise to anyone that the shift to remote work as a result of COVID-19 lockdown measures has resulted in increased cybersecurity threats and malicious action. Blakes takes a look at the impact that this activity has on the risk profile of M&A targets and outlines key considerations for preparing digital assets for a transaction and evaluating a target’s cybersecurity posture in the context of decentralized business operations.
In light of the pandemic, almost all organizations will need to review and revise their cybersecurity incident response plans to take into account their remote workforce.
At the beginning of the transaction, buyers and sellers should, at a minimum:
– Understand the data and other technological assets in the transaction, specifically the nature of the data and its level of sensitivity, whether data is encrypted or anonymized, how and where the data is stored and who has access to the data
– Determine to what extent the buyers and sellers’ systems are compatible and what expenditure is required to synchronize them
– Closely consider the target’s cyber security posture and determine whether it is robust and if any weaknesses must be updated
– Determine whether any existing cyber insurance policies are broad enough to cover the different consequences that could flow from a breach, and consider whether they will need to be renegotiated after closing
– Confirm what measures the sellers’ suppliers, contractors, subsidiaries or third parties have taken to strengthen their cyber defences, and their capacity to effectively respond remotely where cyber events occur
– Identify what data privacy laws apply to the seller and its subsidiaries and assess whether their policies comply with the relevant legislation
– Request information of any data breaches the seller, its subsidiaries or third-party affiliates have suffered. Sellers should prepare breach information and where breaches occurred, communicate to buyers what changes were made in response.