An M&A transaction can become even more complicated for seller and buyer alike when a cyber breach occurs during the deal, experts at the NetDiligence Cyber Risk Summit said.
Due diligence and adequate representations and warranties (R&W) coverage during the M&A process will ensure a smooth transition between the time of sale and the integration of the two companies, experts said.
For the purchaser, global regulatory sanctions could become an issue in the event of a cyberattack.
“It’s not a great situation where there’s an ongoing negotiation, or maybe the deal has already been signed, and then you realize that the target entity is being breached,” said David Krebs, partner at Miller Thomson LLP. “That throws a whole wrench into your plans…because what if there’s a ransom request during that process?”
Krebs says sanctions can become an issue when a ransom is paid, especially if the purchaser does business in a different country than the seller. Cyber sanctions essentially criminalize extortion payments by companies or financial institutions to ransomers. Sanctions differ by country.
One panellist shared an example of a company that didn’t do its due diligence and ended up paying a ransom to a sanctioned threat actor, which ultimately backfired against the company.
“We have a particular case where they’d been through a ransom situation in the middle of a deal and they decided to pay a ransom with another company and they were actually a labelled terrorist group,” said Daniel Tobok, CEO of Cypfer, a cyber security response team. “That actually killed the professional liability protection (PLP) because nobody wanted the liability of dealing with it.”
For the seller, an M&A breach can become complicated because purchasers or stakeholders may have their own opinions on how best to handle the breach.
“[If] you’re in that situation…[of] getting breached, you’re going to have a lot of folks in your business, because it’s no longer just your choice,” said Krebs. “But ultimately, it is [your choice]. It’s still your company.
“You’re negotiating, you’re trying to make sure that the deal goes through. But a lot of other parties are going to have an opinion on how to deal with that. And ultimately, you [may be] doing everything that you think is [how] the purchaser wants to handle it, [but if] they pull out…pre-signing and you didn’t deal with it in the way that you would have, then you’re left holding the bag.”
Companies can mitigate M&A losses during a cyber breach.
For example, sellers should begin their due diligence process by exercising their cyber security, and attempt to find any…vulnerabilities in their system as soon as possible, suggests Sam Thomas, VP transactional risk at Chubb.
“Oftentimes when there was an incident five years ago, the sellers almost start that due diligence process from the [point of the] incident — where they mediate or fix the incident that happens — and then they put in protocols quarterly, every half year, or a year,” he said. “It’s very different when you have a buyer doing, for example, a penetration test for the first time at the time of acquisition, versus when you have a target or a seller, who’s been doing penetration tests every year or twice a year for the past five years.
“The sellers can really start that due diligence process [early], and you can have less unknowns coming out of [it].”
Companies with an existing cyber insurance policy should ensure the adequacy of their existing limits and acknowledge any gaps in their cyber coverage, suggests Alicia Panditharatne, assistant vice president of private equity and mergers and acquisitions at Hub International.
Sellers should also ensure they have R&W insurance coverage, panellists said.
“When buyers come in, their job is really doing that independent, deep dive themselves to verify that what the seller is saying is true — and for sellers to have programs and proof of what they’ve done to increase their security. That makes that process easier,” said Thomas.