Importance of Data Confidentiality in Mergers and Acquisitions

By Robert Harrington posted 18 days ago


The mergers and acquisitions process happens when two companies combine. In a merger, both companies are renamed under one new corporate name. In an acquisition, one business buys another outright, and the acquired business ceases to exist under its original name.

The weeks, months, and even years of mergers and acquisitions negotiations are fraught with complex checks and balances to ensure that the final deal suits both parties. Data confidentiality is a critical due diligence matter in mergers and acquisitions. Here are some of the reasons why:

Increased cybersecurity threats

During negotiations, attorneys for the companies involved will want to examine existing cybersecurity measures and how data is protected and kept confidential. These attorneys are bound by their oath of office not to share any information they glean; their role is merely to assess data confidentiality and security.

However, many lawyers have a standard list of questions that form part of a checklist they need to complete. They might not necessarily understand the nature of a company’s data landscape and the potential threats facing it.

While most attorneys and negotiators focus on privacy, they do not devote enough attention to data security. For example, they might not pay much attention to whether a company has secure file transfer software.

GoAnywhere’s managed file transfer (MFT) solutions ensure that data loss cannot occur when data is accessed from its central server and during transit between users. Additionally, while there is raised awareness about breaches, other data-compromising threats, such as phishing and ransomware, are not given enough consideration.

Cybersecurity breaches during the mergers and acquisitions process

During the negotiations, there is increased access to a company’s confidential data, including customers’ private information, patents, and other intellectual property. A leak at this time could have a disastrous impact on an organization, devaluing it because of the reputational and financial implications.

This is a sensitive time in any organization’s existence, and enhanced data security protocols might be put in place to avoid a breach or leak. Both parties’ best interests are served by doing so.

Due diligence during the mergers and acquisitions process includes identifying unique cybersecurity risks in the company, understanding current systems and how they operate, and establishing any prior data security incidents.

Another critical component is grasping the extent to which a company gathers confidential personal information and what commitments and representations it makes to users and customers regarding privacy.

Legal requirements

Companies are obliged to report data breaches and incidents that have adversely affected their cybersecurity. Delays in discovering and reporting such occurrences lead to a loss of public confidence in the company and its brand. The brand’s reputation could take years to rehabilitate. Nevertheless, that will be the least of an organization’s woes when the legal implications of such events become apparent.

A failure to provide sufficient cybersecurity that results in a breach or loss could open the way for punitive fines against a public company. The Securities and Exchange Commission (SEC) is tightening up its measures in this relatively uncharted territory. Additionally, class-action civil lawsuits by affected parties could bankrupt the organization.

SEC requirements

During the mergers and acquisitions process, there is intense scrutiny of the organizations’ compliance history. There are dozens of compliance areas that companies must remain abreast of, including data security and confidentiality. 

The SEC insists that businesses have robust internal controls and processes to ensure appropriate risk management levels and interventions. This is vital for management oversight of a cybersecurity incident. 

Additionally, the SEC has disclosure obligations that require companies to report an incident upon discovering it, and to retract and amend public statements about data breaches that are proven untrue after the fact.