Karen Painter Randall and Joshua Previl published an article in the April issue of New Jersey Lawyer titled “Mitigating Cybersecurity Risks in Mergers and Acquisitions.”
In the piece, Karen and Joshua address how government regulators’ recently adopted cybersecurity disclosure rules impact M&A in today’s data privacy landscape, where “it is crucial for investors to conduct a cybersecurity risk assessment to gain as much information about a target’s security infrastructure as reasonably possible before deciding to consummate an acquisition.”
Investors request varying levels of detail about their targets’ cybersecurity protocols, the pair writes. The SEC’s new disclosure rules provide acquirers with information “they may not have otherwise received or requested during the due diligence process.”
Karen and Joshua go on to explain how the new rules impact M&A targets by reinforcing the importance of testing and updating cyber policies and procedures.
The article further addresses how cybersecurity attackers can take advantage of the new regulations by—among other things—launching a ransomware attack and then notifying the SEC that the victim company has violated the new rules by not disclosing the attack.
“The threat of a cyberattack may be increased during M&A transactions, especially as it pertains to publicly-traded companies,” write Karen and Joshua. “Due to the visibility associated with such a transaction, it is a prime opportunity for cybercriminals to launch ransomware attacks, phishing scams, and other data breaches.”