Threat actors have found a promising opportunity to get targets to pay – mergers and acquisitions. During a business deal, merger or acquisition, hackers leverage non-public information that could damage a company’s reputation or expose the company to liability and even criminal consequences. A company going through a merger or an acquisition is a ripe target for malicious actors.
The FBI recently issued a private industry notification (PIN) warning that ransomware gangs were targeting companies involved in “time-sensitive financial events” that included mergers and acquisitions. A congressional investigation is currently looking into the trend of ransomware attacks on U.S. companies in 2021, including the attacks on Colonial Pipeline Co. and CNA Financial Corporation, which paid a $40 million bitcoin ransom to cybercriminals. The FBI encourages companies not to pay the ransoms, but it issued a caveat that companies will need to take whatever steps are necessary depending on the severity of the leak and the data involved.
Prevention is ideally better than cure. Experienced M&A lawyers and business litigation attorneys can provide external counsel throughout the M&A talks and beyond. This can only be effective, however, if outside counsel, the company’s legal team, and the security team have coordinated their strategy and are reviewing all relevant documents and issues that could be touched by cyber-security threats during an M&A. Entering into the M&A process must be recognized as a particularly vulnerable time in the life cycle of the organizations involved, and cyber-security strategy should be primed for these events.
Cyber attacks during the M&A process can have legal, financial and reputational consequences. The legal consequences of ransomware attacks are manifold, ranging from falling foul of state or international data privacy laws to due diligence requirements during the M&A, reporting requirements and more. The decision about whether to pay the ransom could expose the company to additional consequences. Paying the ransom could violate federal laws against doing business with threat actors in countries on the sanctions list of the Department of the Treasury's Office of Foreign Assets Control (OFAC). On the other hand, companies may find themselves liable for failing to protect sensitive data.
Reputational damage can be swift and severe, such as in the case of the recent SolarWinds attack. A cyber-attack on a company like SolarWinds that provides software to businesses could represent a judgement on its entire business model, with catastrophic business consequences.
During the M&A process, mergers and acquisitions attorneys, data privacy and cyber-security attorneys must conduct an extensive review of both parties' vulnerabilities and the potential legal, financial and reputational consequences.