By Sam Syska
Remember the Ice Age when dinosaurs walked the planet until a huge freeze took over the world? Well, now the age is back, except this time it’s hackers roaming around and cybersecurity taking over. Probably a dramatic comparison, but companies (with a love tap from regulators) are seriously ramping up cybersecurity controls to prevent unauthorized users from gaining access to company files, client data, and their deepest, darkest secrets. Hackers no hacking, hackers no hacking! Several industry practices have lived and learned regarding data breaches, which has sparked a change in cybersecurity measures, as evidenced in the world of mergers and acquisitions (“M&As”).
While some M&A practitioners are cybersecurity connoisseurs, several companies have been caught in cybersecurity battles with regulators because they failed to implement M&A best practices. Bummer. Let’s take a look at a few ways cybersecurity is taking over hackers in the M&A world, shall we? Reality is, practitioners must consider cybersecurity as part of their due diligence when two companies decide to join forces and become one big, happy family.
Companies looking to merge or acquire another business are only going to offer up the big bucks if the ducks are in order. Buyers have become increasingly sophisticated regarding cybersecurity risks and are aware of the negative implications of acquiring a company lacking proper controls. Think Yahoo data breach in 2014 that only surfaced after Verizon purchased the company in 2016. Yeah, not good. Verizon is probably wishing they never took that deal or at least wishing they offered a lower price to factor in the additional costs it’s going to take to recover and ensure security for all that data. Verizon could have used a few extra reps and warranties surrounding the state of Yahoo’s privacy and security.
So who are these “M&A practitioners” in charge of implementing cybersecurity measures? Attorneys, duh. This is that whole “issue spotting” thing from your law school exams, but now it’s real life because an attorney’s job is to recognize the risks and respond appropriately. To mitigate and respond to cybersecurity incidents, M&A attorneys must be well versed in all things security. In today’s technological society, this includes knowledge of the fast-growing and ever-changing cybersecurity risks that exist in each target company’s industry. That’s a whole lot of info!
Lastly, regulators have recently increased their efforts to ensure companies are properly mitigating their cybersecurity risks. Even if it was the target company that failed to investigate cybersecurity vulnerabilities, the acquiring company may be in the doghouse with regulators if the security incidents are discovered after the deal is complete. Regulators have increased their standards and they’re expecting big things out of companies, such as strong risk investigations, adequate security standards, back-flips, etc.
Herein lies the problem. The legal industry is not exactly known for its cutting-edge technology and digitally trendy members. Rather, the industry is filled with intelligent folk who operate by reading large books and sending notices via snail mail. In fact, it is unlikely that many attorneys would recognize a digital data breach, let alone identify risks to preemptively prevent a hack. How are regulators expecting attorneys to keep up with industry practices and trends, if the technology (and thus cybersecurity) simply wasn’t a thing when they were in law school? I spy a gap, and not the kind where you can buy the latest denim and basic tees.
As a PSA to the legal industry, and particularly the legal departments of companies who may engage in mergers and acquisitions, hire some fresh, tech-savvy, innovative attorneys to help navigate the world of cybersecurity. As mentioned before, attorneys are responsible for identifying the risks and responding with the appropriate resources. If regulators are going to expect M&A attorneys to be “trendy” regarding security breaches, companies need to bring in attorneys solely dedicated to cybersecurity. After all, the hackers are going to keep hacking!
Student Bio: Sam is a Lead Note Editor on the Journal of High Technology Law. She is currently in her third year at Suffolk University Law School. She possesses a B.S. in Business Management from Roger Williams University.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.