A version of this piece can be read on Law360.
Recently, the FBI released a notification warning[1] that ransomware groups may focus on mergers and acquisitions and other significant transactions and financial events to target victims.
Because M&A transaction parties are highly incentivized to consummate their deal without the delay, public embarrassment and potential damages that may come from a ransomware attack, M&A activity is a ripe target for threat actors.
In the early days of a deal, the environment is somewhat chaotic: new teams are just beginning to work together, there are a large number of new vendors, and in many cases the target company does not have a mature control environment or sophisticated internet technology infrastructure. All of these factors can exponentially increase the risk of a cyberattack.
Additionally, the traditional uptick in M&A activity at the end of the year coincides with increased ransomware activity normally seen around the holiday.
Ransomware is not a new cybersecurity risk, but during 2021 it has repeatedly made headlines and received attention at the highest levels of government. A recent Nasdaq article called ransomware the "greatest business threat in 2022"[2] and a recent advisory from the U.S. Department of the Treasury called cyberattacks and ransomware the most significant threat to U.S. financial institutions.[3]
Despite the unprecedented attention and activity to counter these attacks, experts predict there will continue to be significant attacks in 2022 as threat actors continue to exploit security weaknesses to hold data hostage and demand ransom.
According to a Sophos Ltd. 2021 report on the state of ransomware, the average third-quarter 2021 ransomware payment was approximately $140,000. However, the costs associated with remediation and business interruption were significantly higher; the average cost of a ransomware attack in 2021 has been $1.85 million.
In recent attacks, threat actors are targeting specific victims, spending time researching publicly available information about the target prior to the attack.
Companies that publicly announce M&A transactions are expected to be high on the list of potential targets for threat actors because of the perceived increased vulnerability to coercion and external pressure during the pendency of the transaction.
There is an added concern with the recent trend of double extortion. In the past, threat actors simply encrypted data and demanded a ransom payment in exchange for a decryption key. With double extortion, threat actors also exfiltrate data from the system and threaten to leak the data if they are not paid.
These threat actors infiltrate the company's network or systems, often going undetected and appearing dormant, to gather nonpublic information from the affected system. At an opportune moment when the target may be most vulnerable, such as upon an M&A transaction announcement, the threat actor initiates the ransomware attack by encrypting data. The threat actor demands a ransom payment to decrypt the data and can also leverage any exfiltrated data by threatening to disclose the sensitive information if they are not paid.
This is especially problematic in M&A, as this release of data can jeopardize the deal or result in a competitive impact. Additionally, even companies with good backups can be offline for a significant period during ransomware events, which can cause deal delays.
This increased ransomware activity targeting M&A also comes at a time when privacy and security audits and diligence are becoming more important in deals, and there have been multiple instances where a cyber event affected the deal price. One example is the 2017 acquisition of Yahoo Inc. by Verizon Wireless Inc.
Initially, Yahoo did not disclose any significant cyber events, but later disclosed an earlier data breach affecting more than 500 million users. The following day, Yahoo's stock dropped 3%, and it lost $1.3 billion in market capitalization.
Verizon determined that the incident was a material adverse event under the stock purchase agreement and the parties agreed to reduce the purchase price by $350 million, or 7.25%. In response to this and similar incidents, and as cyber events increase in scope and complexity, investors are requiring more detailed quantification of cyber risk exposure, including risks of financial loss and reputational harm.
The FBI advisory provided examples of recent cyber incidents affecting M&A, including:
- In April, the DarkSide group, which was responsible for many of the recent ransomware attacks, posted a message on its blog to show its interest in affecting victims' share prices. DarkSide also discussed the leverage presented in ransomware negotiations when it threatened to release sensitive information that could affect the share price.
- Three U.S. public companies were victims of ransomware during M&A negotiations in 2020; two of those negotiations were private. The advisory did not name the companies.
- An investigation of a 2020 ransomware event revealed that the threat actor used search terms indicating interest in the victim's current and near future stock price and U.S. Securities and Exchange Commission filings. The FBI advisory did not name the victim.
Companies should consider how potential ransomware attacks and their disclosure are treated under the M&A transaction agreements, including:
- How interim operating covenants between signing and closing the transaction might affect the company's ability to respond to an attack — such as incurring debt to pay a ransom;
- Closing conditions that may permit one party to refuse to close the transaction — such as a bringdown of representations and a lack of a material adverse effect;
- Indemnification rights; and
- Disclosure restrictions.
For transactions that include representations and warranties insurance, consider whether the attack and its effects would be excluded from coverage either expressly or as a known condition. Additionally, companies should take these six steps to protect against attacks and decrease the impact:
- Encrypt and segregate sensitive and nonpublic data within the company's systems, and provide access only to those who need it.
- Maintain offline backups of critical data and segregate the backups from the network. It is common for threat actors to search for and encrypt backups when they are not kept offline and separate from where the original data is housed. Organizations should regularly test backups. Most organizations that pay ransom do not have current backups of the affected data.
- Adopt strong security practices, including taking steps to secure domain controllers and using multifactor authentication. Keep all antivirus and anti-malware software patched and updated.
- Conduct regular scanning to identify and address vulnerabilities.
- Provide training to employees that includes guidance on how to identify and report suspicious activity. Require strong passwords and instruct employees to use only secure networks. Conduct organization-wide phishing tests. In most cases, threat actors initially access systems through weakly configured remote access portals and through email phishing.
- Finally, maintain a strong incident response plan and an associated communications plan, and test the plan regularly with key stakeholders through tabletop exercises. This preparation may be a helpful fact when evaluating whether a planned response to a threat complies with the interim operating covenant to operate in the ordinary course often found in M&A transaction agreements.
Cynthia J. Cole is a partner, deputy department chair of the corporate department in Palo Alto & San Francisco. Travis Wofford is a partner, chair of the corporate department in Houston and vice chair of the global M&A practice at Baker Botts LLP.
Rachel Ehlers is special counsel at the firm.
Brooke Chatterton is an associate at the firm.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] FBI Private Industry Notification, "Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims," Nov. 1, 2021.