Foresite has been brought in after acquisitions where, despite attempts at verifying the cybersecurity and compliance of the target business, the acquirer ends up with liability. In one case, an online retailer that had self-attested for years as PCI compliant was not even close to compliant, and the former owner ended up giving back most of his profits in legal fees and settlement costs.
Here are key points you need to know if you are involved in M&A, including #MSPs and consultants who may be asked to assist in verifying cybersecurity or compliance.
- Safe Harbor for Self-Disclosures: The DOJ offers a "Safe Harbor" to acquirers who voluntarily self-disclose misconduct within the acquired entity. If certain conditions are met, these acquirers will receive a "presumption of a declination," meaning they won't be prosecuted for the disclosed misconduct.
- Prominence of Compliance in M&A: The DOJ emphasizes the importance of compliance-related due diligence and integration in the M&A process. They encourage acquiring companies to give compliance a prominent role during deal-making.
- Successor Liability: If a company does not perform adequate due diligence or self-disclose misconduct at the acquired entity, it may be subject to full successor liability for that misconduct under the law.
- Disclosure and Remediation Timelines: Companies seeking the Safe Harbor must disclose discovered misconduct within six months from closing, whether the misconduct was found before or after the acquisition. They will then have one year from closing to remediate the misconduct fully.
- Flexibility in Deadlines: The specified timelines are subject to a reasonableness analysis and may be extended based on the specific circumstances of the transaction. Companies detecting misconduct related to national security or imminent harm are encouraged not to wait for deadlines to self-disclose.
- Cooperation and Remediation: Acquiring companies must cooperate with the DOJ's investigation and engage in timely and appropriate remediation, restitution, and disgorgement.
- Applicability: The Safe Harbor policy applies to criminal conduct discovered in bona fide, arm's-length M&A transactions. It does not apply to misconduct that was already required to be disclosed, was already public, or was already known to the DOJ.
Safe Harbor is intended to incentivize proactive self-disclosure and emphasize compliance's importance in M&A transactions. It provides a potential avenue for companies to mitigate legal risks and possible penalties if they discover misconduct within acquired entities. Companies engaging in M&A activities should include a third-party validation of the target company's alignment to a recognized cyber framework and any sector-specific compliance requirements as part of due diligence.