By Doug DePeppe, J.D., LLM; cybersecurity attorney
The general economic environment undoubtedly affects the merger and acquisition (M&A) marketplace, just like the economy affects everything else. This article will show how cybersecurity – specifically Cyber Due Diligence (Cyber DD) – has become a facet of the ordinary buyer/seller assessment of M&A market conditions in the United States.
General M&A Market Conditions.
Both buyers and sellers, when considering the M&A marketplace, look at factors such as economic growth and access to capital, interest rates, inflation, credit markets, consumer spending, geopolitical dynamics and geography, energy constraints or advances, and other market conditions. With the rise in cyberattacks and ransomware schemes, the increasing depth and breadth of cybersecurity regulation, and growing litigation risk, cyber conditions have become an essential consideration alongside those market conditions.
The last several years have demonstrated the massive disruption that a cyberattack can cause to the supply chain. The SolarWinds fiasco foretold the risk of cascading impacts when a central technology provider gets compromised. But in 2024 a bigger illustration of supply chain risk emerged. Cybersecurity provider CrowdStrike, in concert with Microsoft’s Windows platform, caused a broad information systems collapse, reportedly from faulty software updates. While Delta Airlines and its flight cancellations may have been the public face of the outage (Delta is now in litigation with CrowdStrike), the impact was felt across healthcare, financial services, and other industries. Meanwhile, in the summer of 2024, auto dealerships across the US were shut down for weeks when their software platform, CDK Global, experienced a hack. With over 15,000 dealerships across North America impacted, the assessed direct financial loss has been estimated to exceed $1 billion. “Cyber resiliency” has become the cyber industry jargon for business continuity assurance in this era of interdependencies across IT systems.
Yet M&A considerations about cyber resiliency extend beyond the cyberattack risk itself: government regulators have also been prompted into action by the supply chain risk that a lack of cyber resiliency poses to the economy. For public companies, including their supply chain vendors, the big regulatory news came in December 2023 with the Securities and Exchange Commission (SEC) cybersecurity rule concerning risk disclosures and reporting. This rule now requires 10-K disclosures of systemic risk related to cyber resiliency. The broader repercussions for the M&A market, extending down market to privately held companies, will come through vendor cybersecurity (i.e., the pipeline of vendors that service publicly traded companies). For the M&A market, cyber resiliency has become a consideration for buyers and sellers in deals involving companies with a nexus to those 10-K cyber resiliency requirements.
The regulatory oversight item having the greatest impact on M&A Cyber DD will come in 2025 from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Not widely reported yet, because the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) is still in the rulemaking stage, CIRCIA will impact a wide set of mid-market companies. The law’s clear approach to addressing the repercussions seen from SolarWinds, CrowdStrike, and CDK Global is shown in its definition of a “covered entity”. That definition determines when a company falls within the mandatory incident reporting scope of the law. It includes all critical infrastructure sectors, but, equally important, it covers a broad swath of IT service providers (e.g., an incident like CrowdStrike’s, even at a much smaller vendor that deploys a small piece of code, would fall within the scope of the law). The thrust of the law is mandatory reporting of any significant cyber incident to CISA. It is a common view among cyber pundits that disclosure and reporting obligations serve as an incentive to improve cyber resiliency. Put simply, companies would prefer not to reveal embarrassing incidents and therefore increase their cybersecurity budgets to protect their brand. Accordingly, CIRCIA’s broad reporting trigger is expected to drive improvements in cybersecurity all across and down the market!
How then will CIRCIA spur increased Cyber DD in the M&A market? A buyer will have an interest in knowing the risk that its acquisition target could become a mandatory cyber incident reporter to CISA. In other words, the buyer will want assurances about the cyber resiliency and hygiene level of the targeted acquisition. Similarly, sellers will want to gussy up their cybersecurity posture prior to entering the M&A market. Moreover, the deficiency of M&A representations and warranties, sometimes used as a method for minimizing certain risks, is that sellers cannot make such legal commitments without a sufficient factual basis. In short, only after an adequate Cyber DD has been performed can a trusted M&A transaction be executed.
In sum, many M&A market insiders have commonly used this phrase about the looming adoption of Cyber DD: “It’s coming.” Skipping Cyber DD was even more routine for down-market M&A deals. Now, with the extensive impact of CIRCIA, set to roll out by fall of 2025, that phrase about Cyber DD is likely to change to: “It’s here!”
This article is brought to you by IR Global and its Trusted Partner, OnCall Cyber™. With its product, OnCall Recon™, they offer a two-week Cyber DD checkup that filters all inbound and outbound network traffic, including detection of common attack protocols used by hackers.