(Credit: Gajus/Shutterstock.com)

The disclosure of hackers compromising 500 million Yahoo user accounts in 2014 was surprising not only in scope, but also because it became public only months after Verizon had agreed to purchase the technology company this July.

For Verizon, it may have been a rude awakening. But for many mergers and acquisitions practitioners, it was yet another example of a company ignoring modern M&A best practices. For while the breach at Yahoo may have caught its buyers off guard, the modern M&A industry is far from asleep at the wheel as far as cybersecurity is concerned.

Here is a look at three ways cybersecurity is already changing the M&A world:

1. Cybersecurity Is Now a Standard Area of M&A Due Diligence

Cybersecurity has come a long way in recent years, going from a back-burner issue to a front-and-center risk. And the M&A space is no exception. Morrison & Foerster’s “M&A Leaders Survey” of 150 C-suite executives, investors, general counsel and other professionals found that 82 percent of respondents now place a greater emphasis on assessing the cybersecurity practices of target companies.

Christine Lyon, a partner at MoFo who focuses on data handling and protection issues, noted that “buyers are increasingly sophisticated about cybersecurity risks, and this is shaping their approach to M&A deals.”

As a result, cybersecurity has become a standard area of due diligence in M&A deals, regardless of the nature of the target company’s business, she added.

Lyon predicts the emphasis on cybersecurity will only increase in the near future, as more buyers seek out “sophisticated representatives and warranties in the areas of privacy, cybersecurity, and security incidents.”

Beyond M&A, cybersecurity is also expected to be a factor in the valuations of IPOs, the volume of which 54 percent of those surveyed believe will increase in 2017.

“As a general matter, we do expect that significant cybersecurity issues can affect a company’s valuation,” Lyon said. “While the costs of a security incident can be substantial, the reputational damage can be far greater.”

2. The Pressure Is on M&A Attorneys to Provide Cyber Expertise

The growing importance of cybersecurity matters means that M&A professionals now need to be well versed and capable in all things security.

Robert Townsend, a partner and co-chairman of MoFo’s Global M&A Practice Group, said that not only do M&A attorneys need to “understand the types of cybersecurity risks that can arise in the target company’s industry,” but they also need to bring in dedicated cybersecurity attorneys.

Such attorneys, he explained, bring to the table the practical experience of helping companies “mitigate and respond to cybersecurity incidents” and can understand the scope and effects of a security incident, thereby offering an assessment of the risk involved.

And it’s not just cybersecurity attorneys’ expertise that is essential in M&A deals, but also their rolodexes. These attorneys, Townsend said, can “call on third-party forensic firms and technical advisers in their network, if the client wants a third-party technical viewpoint.” After all, he added, “the M&A attorney’s job is to recognize the issue and bring in the right resources.”

3. Regulators Are Expanding Their Oversight of Enterprise Cybersecurity

It’s now a well-known fact that without knowing the extent of the cybersecurity vulnerabilities and security incidents at a target company, a buyer could potentially be opening themselves up to regulatory action once a deal is complete.

Lyon noted that these matters are particularly pressing given that “government regulations are continuing to expand, and government agencies like the Federal Trade Commission are holding companies to even higher data security standards.”

Indeed, the FTC’s power to regulate cybersecurity may broaden if the courts uphold the commission’s action against medical testing company LabMD’s exposure of its clients’ medical information. The FTC’s action is currently being appealed by the company in federal court.

Julie O’Neill, a former FTC staff attorney currently of counsel at MoFo’s privacy practice, previously told Legaltech News that the FTC’s case against LabMD is unique, because while sensitive medical data was exposed, “nobody spoke up and said their medical information had been exposed. Nobody spoke up and said they were embarrassed by that or it violated their privacy, there was no evidence of medical identity theft.”

She noted that one of the main points of contention in the case will be whether the FTC can claim that personal data which “was exposed is an injury unto itself, even if nothing further comes of it.”

The prospect of such increasing regulatory oversight not only adds to the need for companies to not only proactively address cybersecurity, but follow existing law to keep “up with industry practices and trends,” Lyon said.

Contact Ricci Dipshan at rdipshan@alm.com.

 

The disclosure of hackers compromising 500 million Yahoo user accounts in 2014 was surprising not only in scope, but also because it became public only months after Verizon had agreed to purchase the technology company this July.

For Verizon, it may have been a rude awakening. But for many mergers and acquisitions practitioners, it was yet another example of a company ignoring modern M&A best practices. For while the breach at Yahoo may have caught its buyers off guard, the modern M&A industry is far from asleep at the wheel as far as cybersecurity is concerned.

Here is a look at three ways cybersecurity is already changing the M&A world:

1. Cybersecurity Is Now a Standard Area of M&A Due Diligence

Cybersecurity has come a long way in recent years, going from a back-burner issue to a front-and-center risk. And the M&A space is no exception. Morrison & Foerster ’s “M&A Leaders Survey” of 150 C-suite executives, investors, general counsel and other professionals found that 82 percent of respondents now place a greater emphasis on assessing the cybersecurity practices of target companies.

Christine Lyon, a partner at MoFo who focuses on data handling and protection issues, noted that “buyers are increasingly sophisticated about cybersecurity risks, and this is shaping their approach to M&A deals.”

As a result, cybersecurity has become a standard area of due diligence in M&A deals, regardless of the nature of the target company’s business, she added.

Lyon predicts the emphasis on cybersecurity will only increase in the near future, as more buyers seek out “sophisticated representatives and warranties in the areas of privacy, cybersecurity, and security incidents.”

Beyond M&A, cybersecurity is also expected to be a factor in the valuations of IPOs, the volume of which 54 percent of those surveyed believe will increase in 2017.

“As a general matter, we do expect that significant cybersecurity issues can affect a company’s valuation,” Lyon said. “While the costs of a security incident can be substantial, the reputational damage can be far greater.”

2. The Pressure Is on M&A Attorneys to Provide Cyber Expertise

The growing importance of cybersecurity matters means that M&A professionals now need to be well versed and capable in all things security.

Robert Townsend, a partner and co-chairman of MoFo’s Global M&A Practice Group, said that not only do M&A attorneys need to “understand the types of cybersecurity risks that can arise in the target company’s industry,” but they also need to bring in dedicated cybersecurity attorneys.

Such attorneys, he explained, bring to the table the practical experience of helping companies “mitigate and respond to cybersecurity incidents” and can understand the scope and effects of a security incident, thereby offering an assessment of the risk involved.

And it’s not just cybersecurity attorneys’ expertise that is essential in M&A deals, but also their rolodexes. These attorneys, Townsend said, can “call on third-party forensic firms and technical advisers in their network, if the client wants a third-party technical viewpoint.” After all, he added, “the M&A attorney’s job is to recognize the issue and bring in the right resources.”

3. Regulators Are Expanding Their Oversight of Enterprise Cybersecurity

It’s now a well-known fact that without knowing the extent of the cybersecurity vulnerabilities and security incidents at a target company, a buyer could potentially be opening themselves up to regulatory action once a deal is complete.

Lyon noted that these matters are particularly pressing given that “government regulations are continuing to expand, and government agencies like the Federal Trade Commission are holding companies to even higher data security standards.”

Indeed, the FTC’s power to regulate cybersecurity may broaden if the courts uphold the commission’s action against medical testing company LabMD’s exposure of its clients’ medical information. The FTC’s action is currently being appealed by the company in federal court.

Julie O’Neill, a former FTC staff attorney currently of counsel at MoFo’s privacy practice, previously told Legaltech News that the FTC’s case against LabMD is unique, because while sensitive medical data was exposed, “nobody spoke up and said their medical information had been exposed. Nobody spoke up and said they were embarrassed by that or it violated their privacy, there was no evidence of medical identity theft.”

She noted that one of the main points of contention in the case will be whether the FTC can claim that personal data which “was exposed is an injury unto itself, even if nothing further comes of it.”

The prospect of such increasing regulatory oversight not only adds to the need for companies to not only proactively address cybersecurity, but follow existing law to keep “up with industry practices and trends,” Lyon said.

Contact Ricci Dipshan at rdipshan@alm.com.