In my opinion, when two companies merge or are acquired, data privacy and cyber security become essential issues to consider. Any firm that obtains PI about its customers, clients, employees, business representatives, or users will have to follow the concerned privacy laws in the geographical location where it works.
I firmly believe that after a merger or acquisition, it’s common to find security problems or breaches that need to be reported. More than a third of merger-and-acquisition companies reported cybersecurity issues during integration. For example, Verizon discovered a data breach at Yahoo! after acquiring the company.
Recent Events of Significance in Cybersecurity & Acquisitions
The Verizon-Yahoo story highlights the importance of data privacy, cybersecurity, and data breach risks in mergers and acquisitions. The legal, financial, reputational, and operational risks of cybersecurity should be a crucial part of any M&A.
Cybersecurity risks are becoming more complex, and lawyers who do due diligence on a company they want to buy often do not understand these risks. Hackers are now using a more comprehensive range of methods to acquire money and information. These methods are becoming more stealthy and complex, making it harder to find these attacks. Attackers can use advanced techniques that allow covert surveillance to watch and steal a lot of information.
Cybersecurity threats come in many different forms, and companies must be prepared to address them quickly. Customers, regulators, and investors can scurry to address threats, and a company that takes too long to find and report data breaches may face public criticism and legal trouble. Financial institutions must follow security standards and controls and report incidents quickly. Firms that manage credit card data through mobile apps or e-com platforms must comply with PCI DSS.
Factors Businesses Should Keep in Mind When Considering an Acquisition
When considering an acquisition, it is vital for the buyer to identify any data privacy or crucial cybersecurity liabilities and/or risks the whole transaction may create. Cybersecurity and data privacy should be considered when making any acquisition. It is important to note that the seller firm may not know of any previous or current compromises that are important. This means the buying company must find other ways to conduct due diligence.
In my opinion, the buyer must ask about due diligence and request information to:
- Identify the PI obtained by a seller. The buyer needs to know how much and where the seller collects, stores, uses, shares and processes PI.
- Examine the seller’s privacy and disclosure policies. The buyer needs to evaluate the seller’s policies related to privacy disclosures and give enough information about data collection methods and ways.
The buyer needs to ask the seller what steps they have taken to follow privacy laws for their business. The buyer needs to also judge all vendors and third party the seller works with. They should look at the seller’s management of risk procedures, as well as any agreements with third parties, to see if there are enough safeguards in place.
Also Read: IPUs: The Associated Values & Issues of Using Them in Trade Transactions.
Complications You Need To Know About
A data breach or security incident can happen even if a company isn’t required to report it. The buyer needs to be told about security incidents as well as data breaches that may have occurred. The buyer needs to also look at the seller’s information security policies and procedures to make sure they have the right policies in place to protect personal information.
Since data encryption, working from home, and access to personal information are all important topics when considering a business purchase, it is crucial to know what the selling company’s policies are in regard to these items. Additionally, it is necessary to be aware of any legal and ethical compliance issues of the seller. By doing your due diligence in researching this information, you can make an informed decision about whether or not to buy the business.
When considering an acquisition, it is my advice that you do thorough and thoughtful due diligence on the selling company’s cybersecurity situation. This will help you determine the risks and liabilities you are taking on and to understand whether those risks are relevant to determine the target company’s value.
Trade finance advice provides news, case studies and research articles on trade finance organizations. Visit https://www.tradefinanceadvice.com/ for more articles.