M&A transactions increase cyber-attack vulnerability, warns lawyer

Cybersecurity risks are high when it comes to the M&A market, a recent global survey has found.

According to the global survey by Freshfields Bruckhaus Deringer, 78 per cent of respondents believe cybersecurity is not analysed in great depth or specifically quantified as part of the merger and acquisition due diligence process, with 83 per cent of respondents believing a deal could be abandoned if previous breaches were identified. 
 
Alec Christie, partner at DLA Piper, said businesses need to place more emphasis on ensuring cybersecurity strategies are employed, particularly during the M&A due diligence process.
 
The risk during the M&A process is high, with a cyber-security breach in Australia costing businesses an average of $2.8 million. Businesses can now be fined up to $1.7 million under the Privacy Act and, in some cases, businesses have seen a hit to their reputation and even a drop in the share price as a result of a cyber-attack.
 
“In anyone’s language, I would think that would be significant enough to warrant attention in an M&A to warrant a question about what cyber incidents there have been, what the risk management plan is and how you deal with it,” he said.
 
Christie said failing to ensure a cybersecurity risk strategy is in place should be considered a breach of duty of care by company directors, and finding management strategies for cyber-security breaches is the key to minimising risk to companies during an M&A transaction.
 
“The fact that they have had an incident is not the issue, the fact is, how have they dealt with it, how did they swing into action, what the damages were that arose from it and are they now in a better position after that point,” he said. “You’ll never eliminate cyber-attacks, unfortunately anymore, that’s the world we live in but what you’re trying to do is manage the risk and minimise the potential liability both from a cost and reputation point of view… the question should be, what is your cyber/personal information security risk management plan… if there’s nothing, alarm bells should be going off.”
 
He said the fact that cybersecurity is not a company-wide focus is the reason it’s often overlooked during a transaction.
 
“A lot of M&A lawyers because their clients and what they have seen haven’t been focussed on cyber-risk or cyber-management as an issue, they simply haven’t brought it into their thinking in due diligence checklists, in their M&A issues and things like that.”