Cybersecurity Due Diligence in Mergers and Acquisitions:
            Essential Focus Areas


            By  Tom  Cockriel,  co-leader  of  Trenam  Law’s  Business  Transactions  practice  group,
            Trenam Law


            Introduction

            Many companies view mergers and acquisitions (M&A) as opportunities for growth, market expansion,
            talent  acquisition  and  enhanced  operational  efficiencies.  However,  they  also  include  potential
            cybersecurity  risks  that,  if  not  properly  assessed  and  addressed,  could  result  in  financial  losses,
            reputational damage and legal liabilities for the acquirer.

            Cybersecurity due diligence should be a core part of any M&A strategy so that acquirers are fully aware
            of potential risks before finalizing the acquisition. Diligence should include members of the acquirer along
            with third-party advisers such as technical IT and cybersecurity advisers and legal counsel. This article
            explores essential areas, largely from a legal perspective, that acquirers must examine when conducting
            cybersecurity due diligence during M&A transactions. It should be noted that data protection and privacy
            regimes and industry practices are fast-evolving, and cybersecurity diligence does and will continue to
            evolve as well. Acquirers should work with knowledgeable internal and third-party advisers and take into
            account any industry-specific and geographic-specific concerns related to the target company.








                                                                                                            149