Jump to:
- Assess and protect value
- Invest in risk mitigation
- Be aware of carve-out vulnerabilities
- Pay attention to contractual protections
- Stay on top of technology and regulation shifts
Dealmaking with India remains a strategic priority for global businesses seeking entry into Asia’s fastest-growing economy. Similarly, Indian companies are pursuing opportunities to expand their international presence. With these growth prospects, it is essential to safeguard value, mitigate risks, and minimize regulatory exposure. This article outlines five key ways in which implementing cybersecurity and data privacy best practices can support and protect your M&A activities involving India.
Assess and protect value
Due diligence matters. For companies in tech, healthcare, and consumer goods, value centricity is dependent on proprietary data, data models and algorithms. This raises the stakes for regulatory scrutiny and cyber threats. Early and thorough assessment of vulnerabilities in potential assets can help with more accurate valuation.
Companies should invest in the right expertise and defense tools, and as part of due diligence, determine if a target’s data or credentials have been compromised and available on the dark web.
— Vinod Bange, Partner, London
Investors should conduct thorough penetration testing and scans of the dark web to identify vulnerabilities in target companies. Starting checks early can help investors identify if a target's data or credentials are compromised, which is critical in the Indian market where data breaches can have significant impact.
Invest in risk mitigation
High potential for data breaches and consequent regulatory fines are making third-party tools like cyber insurance increasingly attractive to companies looking to conduct M&A with India. Such tools can be used to bridge risk allocation should negotiations stall, protecting the deal. For inbound investors, considerations around India’s specific cybersecurity and data privacy laws are crucial.
| Information Technology Act, 2000 |
Section 43A: Mandates compensation for failure to protect data Section 66E: Penalizes the violation of privacy through the publication of private images without consent |
| Digital Personal Data Protection Act (DPDPA), 2023 |
Consent: Organizations must obtain explicit consent from individuals before collecting or processing their personal data Data Principal Rights: Individuals have rights such as access, correction, and deletion of their data Data Protection Authority (DPA): Oversees compliance and handles grievances |
| National Cyber Security Policy, 2013 |
Outlines the government's approach to securing cyberspace It aims to protect the nation's information infrastructure, promote a secure and resilient cyber ecosystem, and enhance the capabilities of law enforcement agencies. |
Be aware of carve-out vulnerabilities
Carve-out transactions can be especially vulnerable — particularly, inbound investments involving carve-outs are at risk. Investors should be fully equipped to manage and de-escalate cyber risks that are related to detangling existing infrastructure and assets which could create security breaches and/or cause sensitive data leaks.
Additionally, compressed timelines for carve-outs may also lead to oversight in lapses in risk assessments or data testing. Cross-border transactions also require an additional layer of complexity in navigating shifting and nuanced regulation across buy and sell side jurisdictions.
Technical, procedural, and legal considerations across different units can increase overall vulnerability.
Threat actors are deliberate with the timing of their attacks, aiming to strike with ransomware in order to cause the most interruption and harm.
— Vinod Bange, Partner, London
Pay attention to contractual protections
Protecting your deal means being strategic with contracts. Have specific wording around risk transference when it comes to cybersecurity and data privacy matters, as well as for specific risks in the acquirer or target jurisdictions across India, UK, US, Europe and more. They clarify obligations, assign risks fairly, and protect both parties from major financial or reputational harm, ensuring transaction stability.
It is critical to clearly define which party is accountable for cybersecurity risks and data protection vulnerabilities. Companies should ensure they have carefully drafted representations and warranties in the transaction agreement. These contractual clauses require the seller to affirm that appropriate data security measures have been maintained and that there are no undisclosed breaches or weaknesses.
In addition, warranties and indemnities can be used to allocate risk. Should a data breach or previously unknown cyber vulnerability surfaces after the deal closes, such provisions can determine whether the seller must compensate the buyer for any resulting losses. To further manage risk, both buyers and sellers may consider acquiring cyber insurance, which provides financial protection in the event of incidents such as data breaches, ransomware attacks, or regulatory penalties.
Stay on top of technology and regulations shifts
The adoption of Privacy-Enhancing Technologies (PETs) into existing platforms can help to keep data secure for processing and storage during strategic transactions. However, companies should seek legal advice on the proper compliance with specific data protection and cross-border data transfer laws.
Under the DPDPA for example, companies have to get explicit content from individuals in India prior to the collection and processing of data, regardless of where the business is located. There are also terms and conditions surrounding data localization and the transferring of personal data beyond Indian borders. Scrutiny around large swathes of data collection and movement may also occur in the interest of antitrust regulation.
Conclusion
Data privacy and cybersecurity are crucial for mergers, as they protect against cyber-attacks, ensure compliance with regulations, and safeguard sensitive information.
Bange notes, “Being cyber ready should not be a solo quest for any company. Importantly, working with cyber agencies and law enforcement specialists through the ‘public/private partnership’ so information can be shared on threats, defense techniques and emerging best practice will be critical to being best prepared for when the cyber threat materializes."
Ultimately, effective strategies, contractual protections, and vigilance in managing vulnerabilities can prevent significant disruptions and secure the success of the transaction. This article was written to complement "4 Key Strategies for Deal Making in the Digital Age," which highlights the important of data protection in strategic M&A.
This article is being provided as general information and does not constitute legal advice. Baker & McKenzie does not practice Indian law and where Indian law advice is needed, we work closely with top India-qualified lawyers. We’d be happy to discuss your needs in India. For more information, please contact Mini Menon vandePol.