DealLawyers.com Blog

May 18, 2017

Due Diligence: Key M&A Cybersecurity Issues

Cybersecurity is becoming an increasingly important part of M&A due diligence, & this Skadden memo provides guidance about key cyber-related issues to consider as part of the due diligence process.  This excerpt discusses evaluating a target company’s network security:

If the target has never engaged a third-party forensic firm to conduct vulnerability assessments and penetration testing — a scenario that is becoming less common in many industries — the acquirer may want to retain a firm to undertake its own testing on the target company’s network and perhaps even conduct searches on the dark web (the part of the internet that may only be reached with anonymization tools and where many hackers sell their spoils) to see whether the target’s customer data or intellectual property is already compromised and available for sale. The acquirer should be aware, however, that the target will likely opt to conduct its own testing and provide a report rather than allow the acquirer to do so.

In an extreme scenario, the diligence investigation may uncover hackers lurking in the target company’s network, but more likely the result will be a risk calculation based on the target company’s governance and the administrative, technical and physical information security controls it uses to protect digital assets.

Other areas addressed in the memo include the target’s compliance with industry standards for cybersecurity, the use of deal terms to both verify the target’s statements about its cybersecurity and to allocate liability risks, and the role of due diligence in obtaining cyber-risk insurance on favorable terms.

John Jenkins