September 13, 2023

Podcast - The Impact of Cybersecurity Compliance on Corporate Transactions

Regulatory Phishing Podcast Series

In this episode of "Regulatory Phishing," government contracts and cybersecurity attorney Eric Crusius is joined by David Cole, a partner in Holland & Knight's corporate and securities practice groups. Mr. Crusius and Mr. Cole discuss the role of cybersecurity compliance in corporate transactions, how lack of compliance can impact the ability of a transaction to close and what parties look at during the due diligence process. The pair also reminisce about Mr. Cole's time lugging dozens of boxes through an airport in Costa Rica.

Eric Crusius: Welcome back to the next episode of Regulatory Phishing. I have the pleasure of being here with my partner and friend, David Cole. One of the great things about our firm, and I'm going to do a little firm ad here briefly, is the terrific M&A practice we have here in Tysons that is married to our government contracts practice. And a key player in that practice is David. So David, thanks for coming.

David Cole: Thank you, Eric. As always, it's a pleasure.

Eric Crusius: Now, I know you didn't just start at Holland & Knight and be uber-successful here right out of law school. So I wonder if you minded telling us kind of your background, and then we can get into the substance of today, which is how these cybersecurity requirements are impacting things on the corporate side.

David Cole: Sure. Happy to. Thank you, Eric. So I started out a good 28, 29 years ago up in New York working for a corporate M&A law firm. And found my way back to Washington, D.C., about three years later. And I've been working on corporate M&A transactions for the entirety of my career. I spent about 13 years doing cross-border M&A transactions at Baker McKenzie before I joined Holland & Knight. I've been working on all kinds of M&A transactions for the government contracts community for the duration of my career.

Eric Crusius: Not exactly related to government contracts, but I remember a story you told me. I was talking about how we had gone to vacation in Costa Rica and how there's two main international airports there and they're both very nice. And you were talking about how you did some funding or something for the main airport there in San Jose. I was talking about how nice the airport is. It's easy to navigate. And one thing I didn't appreciate when I was there with my luggage with wheels was the time that you went there with boxes of documents back when boxes of documents was a thing, and how you're lugging them up and down stairs.

David Cole: Imagine the mid-level associate who is so excited that the firm has shown confidence in this young man, that they're going to send him on his first international business trip. So he decides he's going to wear a suit on the airplane to fly all the way down to Costa Rica with boxes and boxes of documents that are necessary for this transaction. That'll tell you how long ago this took place.

Yes, I show up at the airport in San Jose, Costa Rica, and I've cleared customs with all my boxes, but there's a very long staircase. I'll exaggerate and say it's as long as the escalator at DuPont Circle, but it's in that neighborhood, OK. And this poor kid who's just been traveling all of his way to San Jose has to go downstairs, pick up a box, lug it upstairs, go back down, get another one, lug it back up. And I'll tell you, all of the drivers that were lined up at the curb got their entertainment for the evening watching this poor schmuck go all the way down and up and all the way down and up with these boxes. And of course, he was sweating through his suit at the time. And it was my first experience doing cross-border transactions. Thank you, Eric, for reminding me of that.

Eric Crusius: The one benefit of that is that it would be difficult to breach a computer system with documents.

David Cole: That is true.

Eric Crusius: There wasn't a cybersecurity concern?

David Cole: No. I would've had to leave box 27 of 28 behind us to have that kind of a breach.

Eric Crusius: So this podcast is focused on the intersection of government contracts and cybersecurity, and one really important aspect of that is, how these businesses run. Eventually, a lot of the founders of small, medium-sized businesses sell. Sometimes they decide to grow and get funding from third-party sources, and all those kind of different iterations involve some kind of due diligence.

So, the first question I'd be interested in you answering is, what are the different kinds of transactions we see out there and what kind of diligence? And then we'll connect it to cybersecurity.

David Cole: Sure. So you're absolutely right, Eric. It is a very common life cycle for government contractors in our community to reach a point where they consider whether they need to invest further in the business to grow the business or perhaps sell it so that they can apply that business to another platform that might be, perhaps, better suited to help grow that business. And sellers will engage in a variety of different M&A transactions in order to accomplish the sale of their business and gain the liquidity that they deserve having built this business over many years.

One such transaction is a stock purchase agreement, another is a merger agreement, and then finally we can also accomplish the same thing through an asset purchase agreement as well. They're all very similar. But they all have very key, important differences as well. And they are used in different situations depending upon the factual situation at the time.

A merger is typically used when you've got two companies of fairly equal financial performance. And what we're trying to do is add one and one and create three from the merger. In contrast, your target is going to be smaller than the acquirer. The acquirer will typically look to simply buy the equity of that company through a stock purchase or some other equity purchase, or perhaps look at simply buying the assets of the business. And in either of those two cases, a purchase agreement would be put in place. One would be buying the equity, and the other would be buying the assets. But in both cases, whether it's an asset purchase or a stock purchase, and including whether it's a merger, the selling company and the selling owner is going to have to provide what we call representations and warranties about the business. These are affirmative statements, made by the company and by the seller, to the buyer in order to induce the buyer to buy the company. And those statements inevitably will concern, among many other things, whether that company and that target has been compliant with all kinds of things, whether legal requirements, statutory requirements, regulatory requirements and contractual requirements as well. And so the buyer is going to engage in due diligence in order to confirm those reps and warranties.

Eric Crusius: So I know there are distinctions and differences with the types of due diligence that occur in these different kinds of transactions, but from a general sense, what are you looking at as far as compliance with federal contracting requirements? Let's put cybersecurity specifically to the side. But from a general sense, as a transactional lawyer, what do you like to see, and what do you need to see?

David Cole: If we're on the selling side we want to see a clean record for all purposes regulatory, whether it's the federal government contracting regulations, thus far. We want to see a very clean record. We want to see a clean record with state laws and state regulatory requirements, making sure that you've got all the necessary authorizations and consents and permits that you need to operate your business at a state level, because to the extent that you have any deficiencies in these areas, the buyer simply is going to point to these things, and even if they really don't affect value, they're going to try to argue that these things do affect value. So the cleaner your regulatory compliance is heading into the transaction, frankly, the better the purchase price is going to be for the seller.

Eric Crusius: So if they successfully point out, "Hey, you're not compliant with this clause," or "You don't have this compliance regime in place that should be there," that could impact the sale price and cost the owner money.

David Cole: It could. And the buyer's going to try to poke holes in the valuation in any way possible. And one of the ways they try to poke a hole in valuation is through some sort of a breach of legal compliance.

Eric Crusius: So the last few episodes of the podcast we've touched on what those compliance obligations are. If you're sitting in the shoes of a buyer and you see that a seller, for instance, doesn't have the cybersecurity controls in place that they're required to under a contract — and that could be similar for outside of cybersecurity too, whatever controls they're required to have — from a general sense, what do you advise a client to do in that situation if you're a buyer?

David Cole: So, if I'm a buyer and I see that we have a CMMC potential violation, the first thing that we want to do is assess how material that violation is. Not every violation is the same. And, frankly, in any M&A transaction, I don't think I've ever closed a deal where we didn't have, during the course of the deal, some fulcrum point in the deal where something has happened and we learn something.

Eric Crusius: Right.

David Cole: But just because we learn that something has happened, that in and of itself shouldn't crater a deal. What we need to do is get creative and think about the problem, assess whether it's material or not, and even if it is material, then we find a way to remedy the problem. And we can do so in many, many different ways.

Eric Crusius: OK. So it's not necessarily fatal to the deal, but it could impact value, and it could impact the approach and if the seller may be required to have some kind of carveout where payment is held back or something like that. What kind of creative ways do you typically see?

David Cole: Sure. So, one of the nice things that has developed over the last 15 years or so in the M&A industry is the use of representations and warranties insurance. We call it RWI. And RWI is a wonderful tool. It basically helps the parties to the transaction to shift liability for breaches of reps and warranties to a third-party insurer. Of course, you pay a fee or a premium for that, but it is a way of shifting risk.

Now, the one key here is that a rep and warranty insurance policy, unfortunately, in this fact pattern, is not going to work. It's not going to work because rep and warranty insurance policy only covers the unknown, and what's happened here is during the course of due diligence we've learned of the CMMC potential violation. So we're going to have to get creative here and we're going have to find some other solution besides just pawning it off onto some unknowing, unsuspecting insurance company. There are lots of things that we can do, right? This all comes down to an allocation of risk between the buyer and the seller and what their appetites are for these different types of risk. So the buyer might say, all right, look, we will continue to proceed and buy the company knowing that there is this problem, but what we're first going to do is we're going to go try to find someone like Eric Crusius to help us patch this problem and make sure that on a go forward basis we don't have a recurring problem. That's probably the most important thing. Figure out what's wrong, fix it and do so in a way that's going to work going forward.

Now you return back to the deal, though. And so there has to be some allocation of the risk between the parties. How do we do that? One of the things that we do is we create escrows. We create purchase price holdbacks. We create special indemnities. And all of these things are ways for buyers to have some level of confidence that they won't overpay for the company. In other words, they will get some sort of a purchase price reduction based on the harm that they are assuming by buying the company. It may take some time, Eric, to find out exactly how deep this problem runs and what its financial consequences will be to the business as a going concern in the long run. We still have to get the deal done. So how are we going to project what that harm is? We're going to do a few things. We're just going to project what that is and maybe create an escrow so that if, indeed, we have to pay money to remedy the CMMC problem in the future, that money will come back to the buyer when the escrow is released.

Another way of doing that, rather than paying for it in the future, the seller could pay for it up front. How do they do that? A purchase price holdback. So we all agree that the value of the company is $50 million, OK? But at closing, instead of paying the full $50 million, we'll hold back $500K, $600K, whatever it is that we project is going to be needed in order to remedy that situation in the future. That's a holdback.

Finally, an indemnity is a little different than both the escrow and the holdback. What the indemnity says is, all right, look, we'll pay you the full value that we agreed upon before we discovered this CMMC problem. So you'll get your full $50 million saved, to the extent that we're out of pocket in the future to remedy this problem. Then you are going to reimburse us through the indemnification mechanism in the future for what we're out of pocket. And that's called a special indemnity.

So you can either set aside an escrow and put the money aside with a third party, typically a bank, you can have an immediate holdback of cash in order to remedy that problem or you could have the indemnity. The concern with the holdback though, while it's great to get the money in your pocket and not pay as much up front, the seller is going to insist that's it. So that if you underestimate the extent of the harm, it's not as if you're going to, in all likelihood, get more money back from the seller. The seller's going to say, all right, you took your $500K, your $600K, and that's it. In contrast, the indemnity, it delays when you get paid, but it in all likelihood would probably cover more of the harm.

Eric Crusius: It's more open-ended.

David Cole: It is.

Eric Crusius: OK. It's almost like liquidated damages versus actual damages in a litigation sense. But this is all really interesting. Certainly, the evolving world of cybersecurity requirements and the diligence that follows transactions is going to really tax, I think, the lawyers and experts in this area as they navigate through it and try to figure out is the deal salvageable. What kind of creative ideas, like you mentioned, you can to kind of let the deal go through, but maybe it costs the owner something in the short or long term. So, this fast-changing area is certainly having an impact all across the board, including in this corporate area. Thanks for being here and offering your insight. I really appreciate your time, David.

David Cole: Thank you for having us.

Related Insights