April 11, 2018

M&A and Cyber Diligence: New York’s DFS Issues a Reminder

+ Follow Contact

Send

Embed

Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR).

But financial services and insurance companies with New York ties that are considering M&A activity must now look beyond their own data security practices. In recently issued guidance, the New York State Department of Financial Services (DFS) announced the “need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.” DFS further explained that it expects covered entities to “do a factual analysis of how the regulatory requirements apply” to a “particular acquisition.” At a minimum, DFS says that acquiring companies must consider “the target company’s risk for cybersecurity,” “its availability of PII [personally identifiable information],” its “safety and soundness,” and “the integration of data systems.”

And the acquiring company’s obligations will not end at the pre-acquisition due diligence stage. For instance, the DFS regulation requires that a company update its required data security risk assessment “as reasonably [as] necessary to address changes to” a company’s “business operations.” Likewise, the regulation requires that any change to a company’s risk assessment will require updates to its cybersecurity program, policies, and guidelines. For smaller entities, a merger might also push the surviving company over the revenue and employee thresholds to fit within the regulation’s “limited exemption.” In which case, the company “shall have 180 days” from the “most recent fiscal year end” to comply “with all applicable requirements.”

These potential regulatory pitfalls to a merger are not limited to the DFS regulation. For instance, companies considering cross-border mergers and acquisitions will need to determine whether the target company is in compliance with GDPR. Likewise, New York is not alone in regulating data security, and companies acquiring out-of-state entities will need to consider the dramatically varying cybersecurity laws.

Nor are cybersecurity issues purely a question of regulatory compliance. A recent survey found that nearly a third of companies that conducted pre-merger-cyber diligence found the target vulnerable to inside attacks.

We will continue to monitor developments in this area.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Patterson Belknap Webb & Tyler LLP

Contact + Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Banking Sector

+ Follow

Chief Information Security Officer (CISO)

+ Follow

Cybersecurity

+ Follow

Cybersecurity Framework

+ Follow

Data Protection

+ Follow

Financial Institutions

+ Follow

Financial Services Industry

+ Follow

Information Technology

+ Follow

Insurance Industry

+ Follow

NYDFS

+ Follow

Risk Management

+ Follow

Mergers & Acquisitions

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Patterson Belknap Webb & Tyler LLP on:

M&A and Cyber Diligence: New York’s DFS Issues a Reminder

Latest Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

Patterson Belknap Webb & Tyler LLP on:

"My best business intelligence, in one easy email…"