Tricks Of The Trade

In September last year, Colorado Timberline, an American printing company that worked in the promotions industry, posted a message on its website to say that it had ceased operations following a ransomware attack.

The abrupt closure was not just bad news for the dozens of people who worked there – it was also a disappointing outcome for two private equity firms that, in 2017, had bought Colorado Timberline. A promising investment had quickly turned sour.

There have been numerous high-profile examples of cyber breaches that came to light only after an acquisition. Among them is the leak involving 1.4 million users revealed after TripAdvisor had spent $200 million buying Viator in 2014. TripAdvisor’s share price suffered as a result.

Such unfortunate cases illustrate the cyber risks associated with mergers and acquisitions, and bring to the fore the importance of cybersecurity due diligence, which involves carrying out a comprehensive audit of the cybersecurity status of a target company.

“It’s only been within the last three to five years that cybersecurity has become a fundamental part of the diligence process,” says Steven Chabinsky, a Washington, DC-based partner with the law firm White and Case.

“The rationale is a growing understanding of the impact of cybersecurity for the protection of financial business interests, combined with a growing reliance on technology by companies as part of their value.”

There are multiple reasons why cybersecurity due diligence could be considered. A key factor is the protection of the potential acquisition’s intellectual property rights (IPR).