
Cybersecurity and the M&A Market: The Time Has Come For Cyber DD

Published January 14th 2025

Volume 12, Issue 1, January 14, 2025

By: Doug DePeppe


As a cybersecurity law attorney with experience handling data breach investigations, and the related ramifications and privacy compliance dimensions, I was pleased when Vertess approached me about publishing a blog article concerning cyber due diligence (Cyber DD). Engaging in due diligence of risk as part of mergers and acquisitions (M&A) is a standard practice. So, sharing knowledge around Cyber DD was a sensible suggestion and I readily agreed.

In addition to breach coaching, my experience includes partnering with technology to create legal-tech solutions that help protect assets and businesses. For example, OnCall Recon is a law-led solution that uses patented netflow technology in a two-week audit to verify the effectiveness of security controls. My discussion of OnCall Recon for a Cyber DD use case was the other prompt for this article. The growing risks of cyberattack affect all sectors, so it is timely to inform the M&A community about the expanding risks.

A preliminary question is whether representations and warranties (Reps & Warranties) are a satisfactory way of avoiding the additional expense of commissioning a Cyber DD service. The risk of a Reps & Warranties approach is whether the parties have any basis for making an appropriate representation about security or for assigning responsibility for the risk of a data breach. Threat actors are skilled in establishing a persistent presence, which entails circumventing detection. Moreover, in the cat-and-mouse game of cybersecurity, defenders are always playing catch-up with the latest attack technique. Cybercrime will be a $10 trillion black market industry in 2025. The attacks will keep coming.

Yet, in the cybersecurity market, it has usually been compliance mandates rather than cyber risk that has triggered spending increases to improve cyber hygiene. A pending compliance requirement may impact the M&A market – the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA). In October 2025, a Notice of Proposed Rulemaking will go into effect, having broad implications for cyberattack reporting.

CIRCIA will require reporting to the DHS Cybersecurity and Infrastructure Security Agency (CISA) of any “substantial” cyber incident or ransomware payment by a “covered entity”. The proposed rule has a multi-part definition of a substantial incident, including:

  1. Unauthorized access to a covered entity’s business system:
    • Caused by automated download of a tampered software update; or
    • Using compromised credentials from a managed service provider.
  2. Intentional exfiltration of sensitive data in an unauthorized manner for an unauthorized purpose.

Notably, these criteria would trigger CISA reporting for attacks that would not meet the data breach standard under state law. These expansive triggering criteria suggest that third-party or supply chain attacks that compromise an M&A party’s network would trigger reporting to CISA. However, a further step in the analysis is whether the attacked party is a “covered entity”. Except for small businesses, the criteria would also implicate a broad swath of companies in mandatory incident reporting. If the attacked company meets the broad sector definitions of DHS, such as operating its business in the financial services, health care, or information technology sector, it would likely be a covered entity.

An additional wrinkle about CIRCIA’s application to M&A activities is the practice and utilization of a Data Room. The owner or custodian of the Data Room could have a duty to report to CISA if a substantial incident affected it (e.g., a supply chain attack, as noted above), especially because of all the sensitive information contained in a Data Room. Moreover, considering how threat actors seek to migrate and move laterally, the Data Room could be attacked by an upload of data from an M&A party or any of its advisors or partners. Hence, transaction brokers, financial service providers, M&A parties, Data Room Custodians, and any party associated with the M&A activity could suffer a substantial incident giving rise to CISA reporting.

CIRCIA’s final rule may change before it is promulgated in October of 2025. However, the underlying federal law was enacted in 2022 and supports Congress’ intent to improve cybersecurity for critical infrastructure. What is considered critical infrastructure is extremely broad; and therefore, CIRCIA will create an incentive for many companies to improve cybersecurity so that the risk of reporting to CISA is minimized.

For the M&A market, the same incentive applies. Hence, both Data Room cybersecurity and Cyber DD to increase assurance of a clean asset will likely receive higher priority in M&A activities in 2025.


Doug DePeppe

Doug DePeppe is a Special Counsel in the Firm’s Denver office with a national practice in data rights, data protection, sports data and licensing, and cybersecurity law. He is a member of the Firm’s Privacy & Data Security, Sports Industry, and Artificial Intelligence Practice Groups.

A retired Army Judge Advocate and national security attorney, Mr. DePeppe’s military cyberlaw career began with his Army-funded Master of Laws (LLM) degree from The George Washington University Law School with a cyberlaw focus, followed by his leading the Army JAG Corps’ development of a cybersecurity law practice. He next helped develop cybersecurity law capabilities in the cybersecurity divisions at Homeland Security, including serving as the legal advisor to US-CERT.

In his cybersecurity law practice, Mr. DePeppe assists clients in data breach investigations, orchestrating the incident response and crisis management as a Breach Coach. Mr. DePeppe has assisted clients with cyberattack response services for twenty years. He is well known and respected in the field, has presented at major conferences on nearly every continent across the globe, and has published in Forbes, trade journals, and other online magazines.

Mr. DePeppe also assists clients with data privacy prevention and compliance. Leveraging his interdisciplinary knowledge and cybersecurity resource network, he helps clients with risk assessments, leadership and boardroom training and mentoring, third-party contract and supply-chain risk review, cyber due diligence for mergers and acquisitions, and other cyber risk advisory and services.

With his background in data rights, Mr. DePeppe also advises clients concerning name-image-likeness (NIL) protection and licensing. Universities, collectives, athletes, sports entities and associations, and sports agents have growing needs to protect NIL monetization efforts from infringing misappropriations.

While a Judge Advocate, Mr. DePeppe was a trial attorney in courts-martial for five years and became a certified capital case defense counsel. This criminal law experience aids his client advice concerning cybercrime. Additionally, Mr. DePeppe has used his litigation experience in the representation of sport sector mediations and arbitrations. In particular, he has successfully represented several soccer clubs and athletes in administrative disputes arising from the Ted Stevens Amateur Sports Act and SafeSport.
