Cybersecurity in M&A: Why worry about it?

Fernando Stacchini, Renata Ciampi, Paola Lorenzetti *

Digital Data Age

Danish antiquarian and archeologist Christian Jürgensen Thomsen developed and perfected the so-called three-age model to divide prehistoric time in specific periods (Stone Age, Bronze Age and Iron Age) and to classify archeological findings according to the materials used by humans to craft their tools and weapons. This method was also used to develop the concept that the human behavior and social relationships could also be shaped according to the characteristics of the prevailing material and of the abilities required to use and craft it.

It is highly unlikely that Thomsen could have imagined that one day it would be possible to classify a historical period based on an immaterial element. But if we assume that data is currently the most important material that humans use to manufacture everything, that the ability to process data is now essential for the manufacture and commercialization of goods and services, and that it is the basis for human communication, education and social networking, we could very well name our time the Digital Data Age. And it is no surprise to find that in this Digital Data Age, data and the ever faster ability to process it are also the basis for the development of weapons and criminal activities.

Cybercrime is reaching a level of sophistication, continuous innovation and efficiency that allows one to compare it to a growing (although illicit) business industry. Besides, the fact that business and the economy are increasingly based on information technology systems, the growing connectivity between the physical and the digital worlds, and the development of new technologies based on IoT (Internet of Things) and AI (Artificial Intelligence) will certainly multiply the opportunities for cybercrime.

In this context, fearing the impacts of cyberattacks, national legislators are enacting laws and regulations to strengthen privacy rights, aiming to limit and control the collection and use of personal data and to make companies responsible for disclosing cyber breaches and implementing cyber breach contingency plans. The European Union's General Data Protection Regulation (GDPR) and Network Information Security Regulation (NIS), several other national laws inspired by the GDPR, and a number of United States federal, state and local regulations focus on data protection and cyber security measures that will strongly impact the way companies collect, use and manage personal data. Without intending to present a detailed summary of those regulations, we may certainly say that most of them:

  • Strengthen individuals' rights over their personal data (affirmative consent and the right to be forgotten);

  • Impose limits and controls on companies' data processing (specific purpose and time limit);

  • Oblige companies to adopt data security procedures;

  • Establish sanctions for failure to comply with data protection regulations.

The main purpose of all those regulations is to promote cyber security. In a simple (and probably imperfect) attempt at defining cyber security, it may be considered the process or processes designed to protect systems, networks and data from attacks intended to gain unauthorized access to, expose, destroy or steal assets and data.

All those laws and regulations, however, will not be sufficient to impose a new level of cyber security if governments, regulatory authorities, enforcement agencies, companies, and legal, audit and IT professionals fail to understand the need for a change of mentality with regard to data security and protection. Although many governments and companies make great efforts to enforce and comply with the new regulations, the change of mentality in relation to cyber security and data protection requires constant attention and improvement in transparency about the use of data, faster incident response, and strict security procedures and policies.

Impacts on M&A transactions

With the enactment of cyber security and data protection regulations that enhance individuals' rights over their personal data and impose stricter procedures for the access to and management of databases and systems, law firms are facing new challenges in assuring cyber security and data protection in M&A transactions.

During the entire course of an M&A procedure, companies need a clear view of their personal data processing practices and of the risks involved in the operation, in order to understand the measures that will have to be adopted to conclude the transaction.

Preclosing concerns: due diligence

a) How to access personal data in compliance with the new regulations? The buyer must be sure that its access to the information provided by the target company complies with the target's legal and contractual obligations regarding the processing of personal data. It is not possible to provide and/or access all information without a legal basis;

b) How to assure a sufficient level of security for the law firm's systems? Law firms will need to assure the security of their systems to prevent any leak of data or even a cyberattack, using tools to mitigate risks, involving the IT team, and relying on insurance to compensate for any security breach.

Contractual and Insurance concerns: asset valuation and insurance

a) How to adequately value the personal data assets of the target company? Confirming the buyer's rightful access to the personal data it will hold is an important precaution, and a careful pre-analysis of the seller's internal policies and related responsibilities should be well defined in the preliminary M&A documents. It is necessary to set out liability for contingencies arising from the undue use of personal data. A deep analysis of the data processing practices of the target company thus becomes an essential part of any M&A operation. It should: map all the personal data collected, stored and used by the target company, the purposes for which they were collected and the legal basis for their processing; adequately assess the cyber security risks of the target company; and examine and test the contingency plan measures that would need to be taken in case of a data breach.

b) How to contract insurance for data breaches in view of the new risks involved and the lack of sufficient risk statistics? Companies and law firms will need to negotiate appropriate new insurance policies to reflect the ever-increasing risks of cyberattacks.

Despite the progress around the world in implementing security measures to assure cyber security and data protection, companies have a long way to go to change the mentality of their business models to face the constant threat of cybercrime. Not only the companies directly involved in M&A transactions, but mainly the law firms, will need to invest in cyber security focused on the protection of personal data. It is strictly necessary that all companies invest in improving information security management, risk and compliance, and adopt best practices in cyber security in order to ensure fraud prevention and the integrity of data.

* Fernando Stacchini, Renata Ciampi, Paola Lorenzetti are members of the Technology, Cyber Security and Digital Law practice of Motta Fernandes Advogados
