A new WTW article provides an in-depth analysis of the cybersecurity issues that should be addressed during the due diligence process for an acquisition. Topics covered include potential liability risks, costs required to upgrade the target’s systems, the target’s cyber insurance coverages, and the differences in cyber risk profiles between strategics and private equity buyers. This excerpt suggests some best practices for addressing cybersecurity issues in an acquisition:
1. Assess past cybersecurity incidents
– Evaluate if the target company has completed necessary system updates and due diligence.
– Consider lingering third-party claims from past incidents in the risk assessment.
2. Evaluate data storage practices
– Assess if data storage systems need updates to meet current cybersecurity standards.
– Ensure third-party data stored in the target’s systems is adequately protected.
3. Review vendor agreements
– Verify that necessary safeguards are in place, including audit requirements, continuous monitoring, and incident response plans for vendors.
– Ensure privacy disclaimers are clear to third-party clients.
– Clarify data ownership and the purpose for which it is collected.
4. Update incident response plan
– Review and update the target’s incident response plan to align with the acquiring company’s standards and practices.
The article also includes a seven-point due diligence checklist for buyers to use in assessing the cyber risks associated with the target’s business. Enjoy the Labor Day weekend. Our blogs will be back on Tuesday.
In Sunstone Partners Management, LLC v. Synopsys, Inc. (Del. Ch.; 8/24), Judge Paul Wallace, sitting in the Chancery Court by designation, addressed a jilted suitor’s claims that a seller breached its obligations under a letter of intent between the parties. The plaintiff argued that statements made in an earnings call to the effect that the seller had decided to “explore strategic alternatives” for its software integrity group (SIG), a business segment of which the security testing services (STS) business that was the subject of the LOI was a part, and its subsequent retention of a financial advisor to facilitate that process breached the exclusivity provision contained in the LOI.
In his letter ruling, Judge Wallace rejected those allegations. He began his analysis by quoting from the relevant language of the LOI, which imposed the following exclusivity obligation on the seller:
[d]uring the Exclusivity Period (as defined below), Synopsys and its agents and representatives will not solicit, negotiate or accept any proposal for any merger with or acquisition of the Business, or the sale or exclusive license of all or substantially all of the Business’s assets, from any person other than Sunstone Partners and its representatives and advisors.
The plaintiffs claimed that the CEO’s statements during the earnings call about exploring strategic alternatives for the SIG segment and its subsequent retention of JP Morgan to serve as its financial advisor for that project involved “soliciting” a “proposal” the sale of the STS business.
Judge Wallace didn’t agree. The term “solicit” was undefined in the exclusivity provision, so the Judge interpreted it in accordance with its plain and ordinary meaning. Citing Webster’s Dictionary, he said that solicit means “to approach with a request or plea,” or “request or seek to obtain something.” He also observed that the object of the solicitation must be a “proposal” for the sale of the assets of the business, “not expressions of general interest or preliminary discussions.” Accordingly, he concluded that the actions pointed to by the plaintiff didn’t constitute the solicitation of a proposal for the sale of the STS business:
The statements in the Earnings Call are not a solicitation seeking a proposal for the sale of the STS assets. Stating that “we have decided to explore strategic alternatives for the Software Integrity business” is not a request for a proposal of a sale of the STS assets, even if the STS is a subdivision within the Software Integrity business. Interpreting these comments in the most plaintiff-friendly light, the Court construes them as initiating a process that may or may not result in sale proposals. That, under the narrow terms of the Exclusivity Provision, is not a solicitation. There must exist a specific request for proposals of a sale of the STS assets. Merely considering a sale is not soliciting, negotiating, or accepting a proposal.
He also concluded that the plaintiff failed to raise any facts supporting an inference that its retention of J.P. Morgan involved a solicitation. In reaching that conclusion, he observed, among other things, that it would have made little sense for the seller to solicit interest from other buyers after the earnings call, since the exclusivity period would have expired just three days later.
This case involved only a letter opinion, but you don’t see too many LOIs addressed by the Chancery Court, so this decision is one that’s worth reading.
The NFL season kicks off next week, and once again, it’s not easy being a Cleveland Browns fan. Cleveland’s QB1 hasn’t played a down in preseason, Nick Chubb is out for at least the first four games, the team’s top draft pick is suspended indefinitely, and its owners are fighting with the City of Cleveland over a new stadium deal. While fans worry about stuff like this, the nice folks who brought us the “personal seat license” have come up with yet another way to line their own pockets. Yesterday, NFL owners voted to allow private equity investments in the league’s franchises. This excerpt from an NFL.com article on the decision provides some details:
A total of 10 percent of a team can be owned by private equity funds. The NFL has already vetted the big-name private equity funds that will be allowed to do transactions with the teams. Direct investment by sovereign wealth funds and pension funds is not allowed. Such funds are allowed to be investors in the overall private equity funds, but even then, their participation would be limited to a very small percentage share of ownership.
A team can sell stakes to multiple funds for a total of 10 percent of ownership, although each stake must be for at least 3 percent. And a fund can hold stakes in more than one team at the same time — up to six teams. The league has set up parameters around information disclosure for funds that own stakes in multiple teams.
This is truly a passive investment. There is no voting power attached to the transaction. The rest of the NFL’s strict ownership rules remain in place. The controlling owner must own 30 percent of the team. A franchise can have limited partners, but no team can have more than 25 owners total, including the controlling owner, other individuals and families, and now private equity funds.
According to Axios, NFL owners can only sell a stake in their clubs to a preapproved list of PE investors, which includes Arctos Partners, Ares Management, Sixth Street and a consortium made up of Blackstone, Carlyle, CVC Capital Partners, Dynasty Equity and Ludis, a platform founded by Hall of Famer Curtis Martin. Check out this document for more details on the NFL’s private equity investment policy.
The NFL prohibits corporate ownership and also doesn’t permit players, coaches or other employees who aren’t members of the owner’s family to own equity in a club, but the NFL.com article says the league is opening up to private equity in order to address a growing bajillionaire shortage that could threaten the upward spiral of franchise prices:
To keep sale prices going up — the 2023 sale of the Washington Commanders to Josh Harris and a collection of limited partners that includes Magic Johnson broke the $6 billion mark — the NFL needs a larger pool of potential owners to get into the bidding. The pool should expand now, because institutional investment will almost certainly be able to provide a larger chunk of the sale price as a limited partner than an individual or family can, with little to no interest in having a voice in team operations.
A few months ago, I blogged about Prof. Brian Quinn’s suggestion that new Section 122(18) of the DGCL might permit a Delaware corporation to adopt a “dead hand” poison pill. These pills were invalidated by the Delaware courts in the late 1990s, in part because they were inconsistent with the board’s authority to manage the business and affairs of the corporation under Section 141(a) of the DGCL. Since Section 122(18) says that notwithstanding Section 141(a), a corporation may enter into contracts that delegate to stockholders the kind of governance rights invalidated by the Moelis decision, Prof. Quinn asked whether the Delaware General Assembly may have resurrected the dead hand pill? Now, Vice Chancellor Laster appears to be asking the same question.
Dead hand pills were invalidated by the Chancery Court in Carmody v. Toll Bros., 723 A.2d 1180 (Del. Ch. 1998), on the basis that the adoption of such a provision involved both a violation of Section 141 of the DGCL and a breach of the directors’ fiduciary duties. Subsequently, in Quickturn Design Systems v. Shapiro, 721 A.2d 1281 (Del. 1998), the Delaware Supreme Court invalidated a “no hand” provision that contained an outright prohibition on redeeming the pill. Like the Chancery Court in Toll Bros, the Supreme Court concluded that the no hand provision “impermissibly circumscribes the board’s statutory power under Section 141(a) and the directors’ ability to fulfill their concomitant fiduciary duties.”
In a recent LinkedIn post, Vice Chancellor Laster raised the question of whether Quickturn needs to be reassessed in light of Section 122(18). His post praised Stephen Bainbridge’s blog considering the potential implications of this new statutory provision on Omnicare v. NCS Healthcare (which is “a whole ‘nother bag of snakes”) and observed:
Also worth debating whether Quickturn survives. The synopsis to the Governance Agreement Amendment attempts to exclude rights plans as not being supported by consideration (tell that to the rights agent that wants to get paid for its services), but why not enter into a governance agreement with a continuing director feature?
I guess my response to this is the same as it was to Prof. Quinn’s argument. In Toll Bros, Vice Chancellor Jacobs didn’t just have problems with the dead hand pill under Section 141(a), but also held that in adopting it, the directors breached their fiduciary duties, and fiduciary duty claims are something that the advocates of the amendments say are unaffected by them. But this more recent LinkedIn post from Vice Chancellor Laster suggests that maybe I shouldn’t be so sanguine about the likelihood that the Delaware courts would toss such an arrangement on fiduciary duty grounds:
Here’s a quote to ponder from the Delaware Supreme Court in 2010:
“It is a well-settled principle that where a dispute arises from obligations that are expressly addressed by contract, that dispute will be treated as a breach of contract claim. In that specific context, any fiduciary claims arising out of the same facts that underlie the contract obligations would be foreclosed as superfluous.” Nemec v. Shrader, 991 A.2d 1120, 1129 (Del. 2010).
To be filed under “Do fiduciary duties really always trump contracts?”
We can probably add Vice Chancellor Laster’s statements about fiduciary duties not trumping contract rights in his recent Columbia Pipeline opinion into the mix here as well. I continue to think that a board’s decision to enter into a governance agreement incorporating a “dead hand” or “no hand” provision will be a tough sell under Unocal, but the language that the Vice Chancellor cites is a reminder that advocates for a different position have several arrows in their quiver.
Woodruff Sawyer recently released the 2024 edition of its “Guide to Representations & Warranties Insurance.” This edition of the guide covers a variety of topics relating to RWI, including an overview of RWI and its users, the key elements of an RWI Policy, the five main exclusions contained in the typical policy, and insights into current market conditions. Here’s an excerpt from the Guide’s discussion of claims trends:
From mid-2020 through mid-2022, we saw a large uptick in the number of policies and limits bound, and so it stands to reason that the number of R&W claims received by insurers has increased in the past year. Statistically, claims are most likely to arise within the first 12 to 18 months after a policy is bound since the first audit cycle of the target company’s finances may bring to light certain breaches—leading to the current increase in claims.
The two largest categories in which claim payouts were made continue to be breaches of (1) financial reps, and (2) customers and contracts. Those two categories account for almost two-thirds of claim payments, with compliance of laws coming in at a distant third. Most claims tend to arise within the first 12 months of the policy period, and the earliest reported claims tend to result in severe losses since these material matters are often discovered shortly after the deal has closed.
Transactions involving targets with audited financials (versus unaudited financials) often result in greater losses and a higher likelihood of claims alleging financial rep breaches. Payments for financial statements claims involving targets with audited financials averaged 41.4% of the policy limit, whereas this figure is only 22.1% for payments involving companies with unaudited financials.
The Guide says that most of the action is at the smaller end of the food chain, with deals involving less than $250 million in enterprise value resulting in 60% of claim payouts. These smaller deals have a higher incidence of breaches of compliance with laws reps and reps relating to operations, while bigger deals more typically see breaches of intellectual property and tax reps. Not surprisingly, claims for breaches of financial statements are high for deals both large and small.
We’re excited to announce the launch of “Understanding Activism with John & J.T.” – a new podcast series available to members of TheCorporateCounsel.net and DealLawyers.com. Orrick’s J.T. Ho will be John’s co-host for these podcasts. Together with their guests, they’ll focus on key issues in shareholder activism and seek out insights from both the activist and management perspectives.
Their inaugural podcast features a discussion with Kyle Pinder of Morris Nichols on recent activist challenges to advance notice bylaws and the implications of the Delaware Supreme Court’s decision in Kellner v. AIM Immunotech. Check it out & stay tuned for future podcasts in the series!
In late July, the Uniform Law Commission approved model legislation for a standardized approach to require companies to submit HSR Filings to state AGs and to permit State AGs to share filings with each other. This Freshfields blog notes that the model legislation follows the adoption of baby HSR Acts by a number of states (at least 14) and that these acts will likely “lead to increased scrutiny by State AGs who could have divergent enforcement priorities from the FTC and DOJ.” It notes these key takeaways from the model legislation:
– The model legislation requires parties to submit their HSR Filings to a State AG if (1) a filing entity is principally located in a state or (2) a filing entity’s parent has sufficient sales in a state. The creation of a new state-level filing obligation would add another compliance element to be monitored to avoid a potential liability for failure to notify.
– States may be encouraged or incentivized to pass legislation with provisions that go beyond the template language of the model, with, for example, waiting periods or filing fee requirements.
– Giving State AGs up-front access to HSR Filings opens the door to more state-level review, particularly for those transactions that have an outsized local impact and/or that may not otherwise have attracted the attention of either the FTC or DOJ.
While the model legislation is intended “to alleviate potential information asymmetries between the federal and state merger review processes,” note that “states remain free to enact their own versions of the legislation, which could lead to divergence” and undermine the intent. For example:
One point of potential deviation for some states could be the lack of a pre-closing waiting period. Many of the “baby HSR Acts” already on the books include at least a 30-day (or longer) waiting period (and at least one, as long as 180 days). States investigating complicated health care transactions, for example, may want longer lead times to ensure they have time to review thoroughly all areas of potential concern, particularly where such states may not have the same resources as the FTC or DOJ.
A second issue on which states might diverge from the model legislation could be the lack of a filing fee. States, such as California, have expressed concern that the model statute will not be “meaningful unless it is coupled with significant additional financial support for enforcement.” A recent report on state-level antitrust enforcement by the California Law Revision Commission, an independent state agency, argued that while the federal antitrust authorities receive thousands of filings per year, the cost of review is “defrayed” by filing fees. The fact that the model legislation has no filing fees creates an “unfunded burden” upon a State AG and “may in fact nullify legislative efforts to provide for filing fees” in other contexts.
In October 2022, the Treasury Dept. issued its first ever CFIUS Enforcement & Penalty Guidelines. Under the Guidelines, three types of conduct may constitute a violation, including failure to file, non-compliance with CFIUS mitigation agreements or conditions and material misstatements or omissions from filed information or false or incomplete certifications. Since the publication of those Guidelines, CFIUS has completed at least 6 enforcement actions that resulted in monetary penalties ranging from approximately $1 million to $60 million. This Ropes & Gray alert notes that this signals a significant uptick in enforcement activity since “between 1975 and 2022, CFIUS publicly reported only two penalties, both relating to failures to comply with CFIUS mitigation requirements.”
The alert notes that CFIUS also summarized conduct that has resulted in the issuance of a DONT Letter — which is issued as an alternative or as a precursor to a monetary penalty when “a CMA has ‘determined that one or more violations occurred, but [has] . . . decided not to pursue further enforcement remedies or [to] require additional information to assess if a penalty is warranted'”:
– failure to file a mandatory declaration (but, notably, only in cases where there was a first-time offense, and the lack of a filing did not lead to national security harm)
– failing to limit the receipt and distribution of specified information to a segregated network, as required under an LOA
– transferring assets to a company controlled by foreign persons, in violation of an NSA or other CFIUS mandate
– failing to prevent unauthorized access to specified intellectual property
Given these enforcement action summaries, the alert has these reminders:
– NSA Compliance is Mandatory: In connection with publication of the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen stated, “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”3 Parties to NSAs are on notice of the potential consequences of non-compliance. In addition, parties negotiating NSAs should be transparent about any practical challenges that may arise in complying with specific mitigation proposals, in an effort to arrive at a mitigation framework that is attainable.
– Anonymity is Not Guaranteed: Historically, the Committee’s emphasis on confidentiality has extended to publication of enforcement activity. The T-Mobile case marks the first time that the Committee has publicly identified a party to an enforcement action. This unprecedented step suggests the possibility that future enforcement actions will not be kept anonymous.
This Morrison Foerster insight highlights a recent enforcement action marking the second time the Biden administration has sued for HSR Act violations and the first time the DOJ and FTC have pursued a gun jumping case in 7 years. In early August, the DOJ brought an action against Legends Hospitality Parent Holdings in connection with its proposed acquisition of ASM Global for gun jumping in violation of the HSR Act by effectively assuming control of ASM and failing to operate separately prior to the expiration of the HSR waiting period.
On November 3, 2023, Legends agreed to purchase ASM for $2.325 billion and submitted an HSR filing on November 6, 2023. The DOJ issued a Second Request on January 8, 2024, to extend its review of the deal. The DOJ closed its review on May 29, 2024. While the DOJ did not challenge the transaction itself, it filed the gun jumping lawsuit months later, on August 5, 2024.
According to the DOJ, while the DOJ’s review of the deal was still pending, Legends and ASM engaged in gun jumping. Specifically, the DOJ claims that in May 2023, Legends won the right to manage a city-owned arena in California where ASM was the previous manager. The DOJ alleged that due to the pending acquisition, Legends decided to allow ASM to continue to operate the arena instead and signed an agreement to that effect on December 7, 2023. Also during the diligence process, Legends allegedly sought to discuss competitive bidding strategies with ASM. It subsequently decided not to compete for a bid opportunity against ASM and decided to change a different Legend’s bid to a joint bid with ASM.[3]
The DOJ asserted that the violation started on December 7, 2023 (when Legends signed the agreement with ASM to manage the California arena) and continued until May 29, 2024 (when the HSR waiting period was terminated), which amounts to 175 days total. Legends agreed to pay a $3.5 million civil penalty to settle the alleged violation, approximately 40% of the maximum civil penalty, among other requirements, which include submitting regular compliance reports to the DOJ, appointing an Antitrust Compliance Officer, and implementing an antitrust training and compliance program.
The alert notes that the DOJ and the FTC have considered the following types of conduct to constitute gun jumping in the past:
– Sharing competitively sensitive information, such as current and future pricing or cost information;[10]
– Prematurely transferring beneficial ownership of the target or closing the transaction before the expiration of the HSR waiting period;[11]
– Prematurely integrating or consolidating operations;[12]
– Exercising control over the other party’s assets or its routine business, management, or operations;[13] and
– Engaging in impermissible joint conduct, such as fixing prices, terms, and conditions.[14]
The alert suggests parties “confer with legal counsel prior to discussing integration, exchanging data, or discussing the transaction with customers, suppliers, or the public, and develop safeguards for integration planning tailored to the transaction at hand” and lists other best practices to avoid even the appearance of gun jumping.
The July-August Issue of the Deal Lawyers newsletter was just posted and sent to the printer. This issue includes the following articles:
– Drafting of Corporate and M&A Documents for 2024 Delaware General Corporation Law Amendments – Soft Earn-out “Promises” as Potential Fraud or Merely Puffery: Delaware Chancery Court Provides Guidance in Trifecta
– Watch Your Derivatives: The Role 13Fs Play in Detecting Shareholder Activism
– We’re Back In-Person – Register Today & Join Us in San Francisco!
The Deal Lawyers newsletter is always timely & topical – and something you can’t afford to be without to keep up with the rapid-fire developments in the world of M&A. If you don’t subscribe to Deal Lawyers, please email us at sales@ccrcorp.com or call us at 800-737-1271.