Cybersecurity & Data Privacy Due Diligence in M&A Deals


Focused on Cybersecurity and Data Privacy as Its Own Risk Factor

Due diligence during the early stage of a merger or acquisition either advances the transaction or causes it to terminate. Well-executed due diligence is one of the key factors that lead to a successful closing and contributes to the overall positive impact of the transaction. Carving out a detailed cybersecurity and data privacy phase that is separate from a traditional information technology review is a critical component of thorough due diligence. A deep dive into a target company’s cybersecurity and data privacy history, policies and practices allows potential threats and liabilities to be uncovered and analyzed before the transaction continues.

Saul Ewing’s cybersecurity and mergers and acquisitions attorneys work closely with acquirer and target companies entering into M&A transactions to perform comprehensive cybersecurity and data privacy due diligence and to respond appropriately to cybersecurity and data privacy due diligence requests. With cybersecurity and data privacy identified as its own risk factor, our team helps companies update their due diligence procedures to include:

  • Disclosure of the target’s cybersecurity policies and procedures, risk assessments and network security assessments, both internal and by external consultants or agents
  • Identification of any prior breaches of the target’s systems and descriptions of incident responses, including the incident response reports
  • Disclosure of the target’s policies and procedures relating to data privacy compliance, which include the organizational mechanisms for compliance with any national or international regulatory frameworks, including cross-sector regulations such as the European Union’s General Data Protection Regulation (GDPR) and sector-specific requirements for data privacy and compliance (such as in the health care and financial services industries), as well as the existence of best practices, such as data inventory and data governance programs and board-level oversight of cybersecurity and data privacy programs
  • Access to the target’s personnel responsible for ensuring cybersecurity and breach responses to address internal and external threats and the level of cybersecurity risks created by the company’s business model
  • Analysis of the need to hire forensic experts to assess network security and/or compare network files with backup files

In addition, after due diligence is conducted with a focus on cybersecurity and data privacy risks, our attorneys advise acquirers on requesting and negotiating the inclusion of certain representations and warranties in the operative deal documents, which may include:

  • Representations about known incidents (and the target’s responses)
  • Representations that the target is compliant with applicable privacy and data security laws and regulations (which may or may not be focused on the target’s particular industry)
  • Representations about the absence of consumer complaints, litigation or investigations regarding privacy and data security


Key Contacts
Michael A. Gold