Cybersecurity and the M&A Market: The Time Has Come For Cyber DD
Volume 12, Issue 1, January 14, 2025
By: Doug DePeppe
As a cybersecurity law attorney with experience handling data breach investigations, and their related ramifications and privacy compliance dimensions, I was pleased when Vertess approached me about publishing a blog article concerning cyber due diligence (Cyber DD). Engaging in due diligence of risk as part of mergers and acquisitions (M&A) is a standard practice. So, sharing knowledge around Cyber DD was a sensible suggestion and I readily agreed.

In addition to breach coaching, my experience includes partnering with technology to create legal-tech solutions that help protect assets and businesses. For example, OnCall Recon is a law-led solution that uses patented netflow technology in a two-week audit to verify the effectiveness of security controls. My discussion of OnCall Recon for a Cyber DD use case was the other prompt for this article. The growing risks of cyberattack affect all sectors, so it is timely to inform the M&A community about the expanding risks.
A preliminary question is whether representations and warranties (Reps & Warranties) are a satisfactory way of avoiding the additional expense of commissioning a Cyber DD service. The risk of a Reps & Warranties approach is whether the parties have any factual basis for making an appropriate representation about security, or for assigning responsibility for the risk of a data breach. Threat actors are skilled in establishing a persistent presence, which entails circumventing detection. Moreover, in the cat-and-mouse game of cybersecurity, the defenders are always playing catch-up with the latest attack technique. Cybercrime will be a $10 trillion black market industry in 2025. The attacks will keep coming.
Yet, in the cybersecurity market, it has usually been compliance mandates rather than cyber risk that have triggered spending increases to improve cyber hygiene. A pending compliance requirement, the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA), may impact the M&A market. In October 2025, a Notice of Proposed Rulemaking will go into effect, having broad implications for cyberattack reporting.

CIRCIA will require reporting to the DHS Cybersecurity and Infrastructure Security Agency (CISA) of any “substantial” cyber incident or ransomware payment by a “covered entity”. The proposed rule has a multi-part definition of a substantial incident, including:
- Unauthorized access to a covered entity’s business system:
  - Caused by automated download of a tampered software update; or
  - Using compromised credentials from a managed service provider.
- Intentional exfiltration of sensitive data in an unauthorized manner for an unauthorized purpose.
Notably, these criteria would trigger CISA reporting for attacks that would not meet the data breach standard under state law. These expansive triggering criteria suggest that third-party or supply chain attacks that compromise an M&A party’s network would trigger reporting to CISA. However, a further step in the analysis is whether the attacked party is a “covered entity”. Except for small businesses, the criteria would also implicate a broad swath of companies in mandatory incident reporting. If the attacked company meets the broad sector definitions of DHS, such as operating its business in the financial services, health care, or information technology sector, it would likely be a covered entity.
An additional wrinkle about CIRCIA’s application to M&A activities is the use of a Data Room. The owner or custodian of the Data Room could have a duty to report to CISA if a substantial incident affected it (e.g., a supply chain attack, as noted above), especially because of all the sensitive information contained in a Data Room. Moreover, considering how threat actors seek to migrate and move laterally, the Data Room could be compromised through an upload of data from an M&A party or any of its advisors or partners. Hence, transaction brokers, financial service providers, M&A parties, Data Room custodians, and any party associated with the M&A activity could suffer a substantial incident giving rise to CISA reporting.

CIRCIA’s final rule may change before it is promulgated in October of 2025. However, the underlying federal law was enacted in 2022 and reflects Congress’ intent to improve cybersecurity for critical infrastructure. The scope of what is considered critical infrastructure is extremely broad, and CIRCIA will therefore create an incentive for many companies to improve cybersecurity so that the risk of having to report to CISA is minimized.
For the M&A market, the same incentive applies. Hence, both Data Room cybersecurity and Cyber DD to increase assurance of a clean asset will likely receive higher priority in M&A activities in 2025.