May 2021 saw one of the most high-profile cyberattacks in US history, as ransomware infected the technology systems supporting the southeastern Colonial Pipeline, which primarily carries gasoline and jet fuel. The pipeline was shut down, disrupting supplies, as the attackers demanded US$4 million in ransom. Among the many organizations that have fallen prey to cyberattacks is the Washington, DC Metropolitan Police Department. Cyberattacks like these are increasing in frequency as companies and governments further digitalize their operations.

The prevalence of cyberattacks clearly has a knock-on effect for dealmakers. Regulators are increasingly requiring companies to disclose cybersecurity risks. The SEC has released guidance that identifies processes companies should have in place and disclosures they should make regarding data, cybersecurity and security breaches. US lawmakers are taking steps to vest consumers with rights relating to their personal data, similar to those provided by Europe’s GDPR, by passing new data privacy laws.

Regulatory and compliance risks associated with cybersecurity and data has clearly increased. In response, insurers are paying more attention to this area in deals, both from a regulatory and an operational perspective. In some instances, insurers have denied representations and warranties coverage in situations where they believe that a company’s systems and procedures are not robust enough or where they perceive insufficient due diligence on a company’s data and cybersecurity risks.

Assessing resilience and compliance

All these factors mean that, for every target, dealmakers are increasingly having to conduct in-depth analyses of resilience and readiness for a cyberattack, including across the supply chain. This requires reviewing the target’s privacy and cybersecurity processes to understand where its data lies, and how such data is accessed, used and shared—as well as examining the company’s networks to identify potential vulnerabilities or even whether an attacker is already there.

Dealmakers must also conduct analysis to ensure targets are in compliance with regulatory requirements on data privacy. This is becoming increasingly complex. US data privacy regulation remains highly fragmented, with separate laws encompassing a number of verticals at the federal level, such as on healthcare, financial services and consumer protection—plus laws coming into force in 2023 in a number of states, including in California, Virginia and Colorado.

Many other states have new laws pending. Those conducting M&A transactions or entering the capital markets will therefore need to start conducting compliance reviews on a state-by-state basis where applicable.

To help mitigate some of these risks, buyers are increasingly seeking representations from sellers that they have implemented adequate data privacy and cybersecurity processes and assessed technology networks, or building into the documentation a full review and implementation post-deal within a specified time. Buyers should also start to consider the risks posed by data privacy considerations and cyberattacks as material because breaches can occur at any time. We are even seeing cyberattacks happen during live deals, the effect of which can significantly delay or even completely derail transactions.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2022 White & Case LLP}