DealLawyers.com Blog

November 14, 2018

Cybersecurity: Mitigating Risks to Your Deal

This PwC memo addresses a number of topics surrounding M&A cybersecurity due diligence. One segment discusses some specific mechanisms that may be employed to reduce the buyer’s risk in this area. This excerpt addresses the use of a transition services agreement for cyber-risk mitigation:

“Further protection for acquirers can come through transition services agreements (TSAs). TSAs are common in deals, but they only recently have started covering cybersecurity issues. Through a TSA, an acquirer and target can negotiate how the target will manage cybersecurity during the transition and the conditions under which the responsibility will shift to the acquirer. The latter can be crucial if due diligence has revealed any significant cyber issues that could decrease deal value.”

The memo also highlights the importance of mining other intelligence beyond that available through a due diligence request in order to assess cyber-risk. In particular, it suggests reaching out to information sharing organizations:

“Broader intelligence on cyber issues is available through information sharing and analysis centers and organizations (ISACs and ISAOs). These groups allow companies to share with each other information on digital threats and ways to combat them. ISACs originally were created in a few industries, most notably financial services and aerospace and defense. ISAOs build on the concept by spanning sectors to share expertise and experiences among broader communities of interest.”

If you’re interested in identifying an ISAC for your industry sector, check out the National Council of ISACs website.

John Jenkins