As printed in US Cyber Security Magazine, Summer 2014 Issue, Page 20.

It’s the sales season in the cybersecurity industry. Why? Just take a look at the headlines. Edward Snowden leaked classified national security documents last year, prompting global interest in privacy matters. Retail chain Target suffered a devastating customer data breach months later. Then emerged the Heartbleed bug, which cyber-criminals exploited to obtain user passwords kept by many of tech’s leading companies—including consumer-facing giants such as Google, Netflix, Facebook, and Yahoo. These news-making events, coupled with high-profile deals such as FireEye’s acquisitions of Mandiant in January (for $1 billion) and nPulse Technologies in May ($70 million), have led to a perfect storm of opportunity for cybersecurity firms and startups looking to sell.

With every gold rush, however, comes danger. Buyers and sellers alike should be aware of the risks—many of which are unique to the industry—associated with cyber M&A transactions.

As readers can no doubt attest, sensitive information should not be taken lightly. The same is true for mergers and acquisitions, with one exception: the more information shared, the better. As I often tell clients, disclosure is your friend during a transaction. Disclosure forms the basis of the deal: the price of the sale, the structure of the purchase agreement, the scope of due diligence investigations, as well as the relationship between buyer and seller. The buyer will almost always dig up the target’s major liabilities over the course of the transaction, so for the sake of moving the deal forward and preempting disputes, it is in the seller’s best interest to reveal any “skeletons in the closet” first.
The Good: Plenty on Offer
Not all confidential information is negative, and certain trade secrets can in fact improve a company’s value proposition. Many of cybersecurity’s key players are large international firms with dozens of subsidiaries and divisions, each catering to a specialized customer base. Valuation depends on need: Some buyers desire government contracts, while others light up at the mention of in-progress consumer products. Buyers look for assets that will fill a market niche, yield a competitive advantage, or diversify their business portfolios. Established relationships with customers and vendors, along with proprietary technology and other intellectual property, are premiums. Shrewd sellers understand how their companies fit into the puzzle, and pursue inside sales openings within their buyer’s framework.

After the buyer outlines their initial terms and expectations in a letter of intent (LOI)—also known as a term sheet—the seller has a chance to show the aces up their sleeves: patents, unique market opportunities, business plans, R&D, and so on. Parties will typically agree to protect all this information under confidentiality and non-disclosure clauses in the LOI, and to negotiate in good faith—that is, honestly and fairly. LOIs are typically non-binding, except in unusual circumstances, but parties can maintain equal leverage by ensuring non-disclosure is bilateral. When both parties have sensitive information about one another, neither will want to spill it.
The Bad: Liabilities, Known and Otherwise
As is the case for sellers in general M&A transactions, a cybersecurity company’s liabilities—those aforementioned skeletons—are by and large mundane. Operational inefficiencies, gaps in management, and disorganized or missing records can drive down a sales price. The good news is that eliminating these common issues is a relatively straightforward process.

The not-so-good news? Cybersecurity is still a new industry, prone to threats and teeming with legal uncertainties. It is impossible to know where the next digital attack—or lawsuit—will come from, and when. Acquirers are assuming liability for these issues, which may arise years after the deal is closed, whether they realize it or not. Caveat emptor: let the buyer beware.

For now, proactive firms can find limited protection in the form of preemptive planning, insurance, and contractual risk-shifting. When a buyer conducts a rigorous investigation on the seller through due diligence, they will want to know who assumes the brunt of a security breach, along with what procedures are in place for dealing with incidents both outside and from within the target company. Companies can take out first-party policies that cover events such as loss of digital assets or cyber terrorism, as well as third-party plans that concern network security and employee privacy liability. Sellers should seek legal counsel to pick these programs, draft protective covenants, and remain compliant with corporate governance and national security policies.
The Ugly: Shared Risk, Shared Trust
No matter how well both parties prepare for the transaction, an M&A deal—like cybersecurity itself—is never a sure thing. One party may violate the confidentiality or retention agreement, spilling the deal or shopping around behind the other’s back. Without buy-in, stakeholders may veto (in actuality or with intent) the purchase far along into the process, a dispute may arise over purchase price or indemnification, or one or both parties may simply walk away from the deal.

At its core, an M&A deal, like any transaction, is centered on agreements made by humans. In this respect, the real strength of the transaction rests on the intelligence, integrity and practices of the parties involved. Thus, while the legal considerations are very important, one rule of thumb is to never let the legal hurdles outweigh the practical implications.

Keep in mind that a seller is most vulnerable to risk during a sale, as the owner most likely will be required to also join the purchase agreement to claim personal responsibility for the business he/she is selling. The acquiring party faces significant risk as well, once the deal is finalized, with what could amount to an expensive experiment on its hands. Even if every corner of the business has been exposed, it still may fail to deliver a worthwhile ROI in a constantly changing marketplace.

In the end, it comes down to trust. Parties can make the transaction a win-win circumstance by disclosing every piece of information possible, keeping communication open with stakeholders and employees, and moving the transaction along as quickly as possible. That is, unless a better deal comes along.

About Michael Mercurio
Mr. Mercurio is a Principal and Chair of the Firm’s Business Law and Transactions Practice Group. He serves as outside general counsel to clients on matters related to corporate and business law, commercial transactions, government contracting, technology issues and real estate. As a strategic partner to firm clients, Mr.
Mercurio regularly counsels entrepreneurial individuals and assorted entities on all aspects of business and commerce including formation and structure; ownership, management and control; financing and capital; expansion and acquisition; sale and transfer; and contraction and dissolution. He is well versed in the various issues and challenges companies of all sizes and industries face in the business life cycle including start-up, maturation and end stage considerations. A core specialty practice for Mr. Mercurio is mergers and acquisitions, both from the sell side perspective and buy side perspective.

About Offit Kurman
Offit Kurman is one of the fastest growing, full-service law firms in the mid-Atlantic region. With offices serving Washington, D.C., Baltimore, Philadelphia, Northern Virginia, Frederick, MD and Wilmington, DE, Offit Kurman is well-positioned to meet the legal needs of dynamic businesses and the people who own and operate them. At Offit Kurman, we are our clients’ most trusted legal advisors, the professionals who help them to maximize and protect their business value and individual wealth. In every interaction, we consistently maintain our clients’ trust and confidence by remaining focused on their objectives to help them achieve their goals.