The Critical Role of Cybersecurity Due Diligence in Mergers and Acquisitions by Daphne Onoja
The due diligence process in mergers and acquisitions (M&A) is a comprehensive investigation carried out by the buyer to assess the target company’s business, assets, liabilities, and overall condition before finalizing the transaction.
Consider a company, (Company X) planning to acquire a smaller startup (Company Y), which specializes in data analytics. During due diligence, Company X focuses heavily on Company Y’s intellectual property, cybersecurity infrastructure, and data privacy practices. The process reveals that while Company Y has strong IP assets, it has some vulnerabilities in its cybersecurity protocols. Company X uses this information to negotiate a lower purchase price and requires Company Y to improve its cybersecurity measures as a condition of the acquisition.
Generally, the end goal of a due diligence exercise is to ensure that the buyer makes an informed decision, identifies potential risks, and negotiates the terms of the deal effectively. While privacy and cybersecurity are related, they serve different functions within a company. Privacy focuses on how personal data is handled internally by employees, authorized personnel, and vendors. It governs the proper use and protection of personal information within the organization. On the other hand, cybersecurity involves safeguarding the company’s networks, trade secrets and infrastructure from external threats, such as unauthorized access, cyberattacks, or damage.
With the increasing digitization and growing significance of data in nearly every industry, privacy and cybersecurity have become critical components of transactional due diligence. It is essential for parties involved to work closely with their legal counsel to navigate these complex issues and manage their associated risks effectively. In an M&A transaction, a buyer must evaluate three key breach-related risks: the possibility that the target company has already experienced a breach, the risk of a breach occurring during the acquisition process (between the signing and closing of the deal), and the potential for future breaches due to existing cybersecurity vulnerabilities within the target company.
Separate from cyber risks, a buyer would also want to consider if it can avoid taking on the target company’s liabilities in respect of noncompliance with privacy and data security laws, which could include lengthy and costly investigations, fines, consent orders, and litigation. The regulatory landscape has become increasingly challenging, and companies are often subject to a complex web of requirements, with conflicting privacy and cybersecurity requirements set out by different regulators.
When evaluating a company during a privacy and cybersecurity due diligence exercise, buyers should focus on two key areas. The first is assessing how strong the company’s data security and IT practices are, especially if the company depends heavily on data or IT assets. If the company does not have up-to-date policies, regular employee training, or consistent third-party security testing, this could indicate a high cybersecurity risk, prompting buyers to seek legal protections in the deal.
Second, buyers should scrutinize the company’s commitment to privacy laws. Given the complexity and value of digital assets, especially personal data, buyers need to understand how the company handles and complies with privacy regulations. This helps buyers determine if there are any compliance issues that could impact the value of the data or require special attention in the transaction agreement.
With cybersecurity, if the target company’s IT systems and data protection practices are less secure or rigorous than those of the buyer, integrating the two systems could expose the buyer’s data to security risks. Therefore, any cybersecurity issues identified during the due diligence process should ideally be resolved before closing the deal or, before integrating the target company’s data with the buyer’s systems.
In terms of data privacy, challenges can arise when the buyer and the target company have different privacy policies and practices. The buyer’s use of any transferred personal data, even in the context of a merger or stock purchase, may be scrutinized by regulatory bodies to ensure it aligns with the promises made by the target company when the data was originally collected. If the buyer plans to change how personal data will be used after the acquisition, it must provide existing consumers with notice of these changes and offer them a choice to consent. Additionally, the buyer must consider any contractual obligations the target company has made, such as commitments to delete customer data upon their request or termination of services.
Conducting cybersecurity due diligence during M&A is crucial for identifying and addressing any vulnerabilities in the target company’s IT systems. This process helps mitigate risks early by ensuring the company has strong measures to protect its intellectual property and sensitive data, safeguarding these valuable assets from potential theft or loss. It also ensures that the target company is compliant with cybersecurity and data protection laws, helping to avoid legal issues after the acquisition.
Additionally, thorough cybersecurity due diligence makes the post-acquisition integration of IT systems and security protocols more efficient, reducing disruptions and ensuring that operations continue seamlessly. By uncovering cybersecurity risks, buyers can better assess the true value of the target company, which can lead to more favorable negotiation terms. Moreover, addressing any past cybersecurity issues protects the acquiring company’s reputation, preventing potential damage from being associated with unresolved security problems.
In Nigeria, cybersecurity is regulated through a series of laws and frameworks designed to protect digital infrastructure, data, and privacy. The Cybercrimes Act of 2015 serves as the primary legislation, addressing various cyber offenses and requiring service providers to assist in investigations while enforcing data protection and security measures. The National Cybersecurity Policy and Strategy (NCPS) of 2021 outlines a framework for managing cybersecurity risks, emphasizing public-private collaboration and the protection of critical infrastructure. The Nigerian Data Protection Regulation (NDPR) of 2019 governs the processing and protection of personal data, requiring organizations to implement security measures and report breaches. The National Information Technology Development Agency (NITDA) Act, 2007 establishes NITDA as the regulatory body for IT standards and cybersecurity, promoting awareness and capacity building. The Nigerian Communications Act of 2003 regulates the communications industry, mandating that service providers secure their networks and protect consumer data. Together, these regulations ensure a comprehensive approach to cybersecurity in Nigeria.
In the financial sector, the Central Bank of Nigeria (CBN) regulates cybersecurity through several key guidelines. These guidelines ensure that financial institutions in Nigeria implement strong cybersecurity measures to protect against cyber threats. They include, CBN Risk-Based Cybersecurity Framework and Guidelines (2018) which requires banks and payment service providers to adopt a risk-based cybersecurity approach, establish governance structures, report incidents, and conduct regular audits.
Additional regulations to note include the CBN Guidelines on Information Technology Standards (2013) which sets minimum IT security standards, including data protection, access controls, and disaster recovery planning; the CBN Guidelines for Electronic Payments and Card Issuance (2020) which regulates card security, fraud prevention, and transaction monitoring for electronic payments; and the CBN Regulatory Framework for USSD Services (2018) which mandates security standards, multi-factor authentication, and incident reporting for USSD-based financial services.
For M&A transactions in the technology industry, buyers need to be vigilant about compliance with various data protection and cybersecurity regulations, especially when dealing with cross-border deals. Key regulations in cross-border transactions include the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in California, China’s Cybersecurity Law, Personal Data Protection Act (PDPA) in Singapore, and Japan’s Act on the Protection of Personal Information (APPI). Compliance with these laws is crucial to avoid legal penalties and ensure smooth post-acquisition integration. Buyers should also assess the target company’s intellectual property rights and cross-border data transfer practices to mitigate risks. Engaging legal experts familiar with these regulations is essential for successful transactions.
Daphne Onoja is based in Lagos and advises technology startups on regulatory and commercial issues.
