McGuire Woods (McGuire Woods Firm Profile), writing this week, says that cyber risk due diligence is an important part of the merger and acquisition process. In fact, they say that failure to address these issues during due diligence could expose both buyers and sellers to a litany of adverse consequences (Cyber due diligence important during M&A process).
Potential consequences include lawsuits, fines, audits, suspensions, breaches of contract, reputational damage and even lawsuits against directors and officers.
The article suggests that data privacy and security concerns need to be addressed during the due diligence period, where you need to discover the facts; during the negotiation period, where you will try to obtain the broadest reps and warrants and the seller will try to give the narrowest reps and warrants; and even post-closing, where you get to deal with whatever is left.
They close the article with this ominous warning (that I completely agree with):
Buyers and sellers that ignore this area do so at their peril, as security and privacy vulnerabilities have the potential to significantly and adversely affect the value and continued attractiveness of a particular transaction.
While the seller may eventually be sued, the buyer gets to deal with the situation directly and live with it, often for years. As a result, the buyer, in my opinion, is the one that needs to demand that cyber due diligence is part of the transaction.