SPAC Should Not Ignore Cybersecurity Risks

The pandemic made the worldwide progress in digital transformation faster and it has become a focus. Breakthroughs in technology like Artificial intelligence, blockchain, internet of things and virtual reality, etc. are as well reshaping our future. Meanwhile, new economics and technologies bring challenges to security, privacy and ethics. The Network Security Director of KPMG said that hackers can always invade the systems and businesses have no options but to accept this reality. The key is to cut down the duration of the invasion and time needed to detect hacking activities. For SPACs and their sponsors, although their cybersecurity risks are lower, they have to actively identify, analyze and manage these risks in de-SPAC processes.

SEC’s new rules on cybersecurity disclosure

The U.S. Securities and Exchange Commission (SEC) adopted an amendment which aimed to strengthen and standardize information disclosure rules related to cybersecurity on July 26, 2023 (opens a new window). The amendment requires public companies to timely disclose information using Form 8-K, if major cybersecurity incidents happen. And they must disclose the company’s specific information related to risk management and governance for cybersecurity in their annual report on Form 10-K.

Meanwhile, issuers outside of the U.S. (“Foreign Private Issuers”) need to disclose, the same as for American local companies, information related to risk management and governance for cybersecurity in their annual report on Form 20-F. However, when they announce major cybersecurity risk incident using Form 6-K, the precondition will be whether there are same disclosure requirements in the laws of the place of incorporation or location of the applicable Foreign Private Issuers.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Charges against SolarWinds and its CISO

In December 2020, U.S. government agencies and businesses encountered the biggest cybersecurity threat in history. At the center of the issue is a security vulnerability of network monitoring software platform, SolarWinds Orion, has been exploited and hackers could passively invade targets that have been locked on. Ultimately, including the Pentagon, Department of State, Homeland Security, Department of The Treasury, Department of Commerce and many government departments confirmed they were being hacked.

On 23 October 2023, SEC charged SolarWinds and its Chief Information Security Officer (CISO) and accused SolarWinds of exaggerating its company’s cybersecurity measures, underestimating or concealing known security vulnerabilities and threats in their announcement documents from IPO in October 2018 to December 2020 which constituted the crime of fraud.

In addition, SEC accused SolarWinds’ CISO, according to internal communication documents, that he was not able to handle and solve timely the potential risks of cybersecurity including fixing vulnerabilities immediately, potential risks in remote access, unreasonable access rights on key systems and data, etc. The Commission claimed the CISO to be personally liable to cybersecurity incidents. This is also the first time SEC sued a company and its CISO for their internal control failure and inability to protect key assets due to cybersecurity flaws.

SPAC (Special Purpose Acquisition Company) sponsors, often due to their limited scale, focus commonly on business model and financial status in their assessment against a target company. They are susceptible to sideline cybersecurity or even being indifferent. Actually, cybersecurity risk has become a non-negligible part in merger and acquisition or listing processes.

In July 2016, Yahoo! reached a 4.8-billion-dollar merger agreement with a major telecommunications conglomerate – Verizon and made a public announcement. In 2017, Yahoo! disclosed twice in a row that the company had data breach of 3 billion users in total due to hacker attack in August 2013. Ultimately, Verizon renegotiated the purchase price from 4.8 to 4.48 billion dollars.

During a de-SPAC process, if the new company, after merger is completed and listed for trading, did not disclose cybersecurity flaws that they knew or should have known or even major cybersecurity incidents, the new company and/or its management and directors of the SPAC are at risk of regulatory investigations/litigations or civil litigations.

Therefore, SPAC sponsors must actively manage cybersecurity risks in a de-SPAC process which includes:

  • Covering data, cybersecurity record and management in due diligence on target company
    Against a target business with higher value of digital asset or importance of cybersecurity to its business operation, SPAC sponsors must cover data compliance and cybersecurity elements in due diligence under conventional laws, including but not limited to:
    - Evaluating the data assets the company owns and respective protective measures.
    - Understanding business data and protection tools, technology and workflow in cybersecurity.
    - Examining the practice of cybersecurity in their businesses, for example business response plans, risk assessment and penetration testing, etc.
    In addition, sponsors should also further ask the target company about susceptible or known exploits, data breaches or cybersecurity incidents.

  • Helping the target company to understand and pay attention to cybersecurity disclosure.
    When the target company changes from private to listed, they may be relatively unfamiliar with the responsibility to continuous compliance after going public. If their listed market is in the U.S., the target company must pay special attention to differences between local and foreign issuers in application of the laws including the cybersecurity disclosure rules of SEC. Moreover, when the target company holds large amounts of digital assets, it must pay special attention to the application of data and privacy protection laws in every country, for example the General Data Protection Regulation (GDPR) in the EU is also applicable to foreign businesses providing goods or services to individuals within the EU.

  • Risk transfer with insurance: D&O vs Cyber.
    Usually, SPAC would through purchasing of Directors and Officers Insurance (D&O) to cover the personal legal liability they faced when fulfilling their responsibilities as directors and officers, including insufficient due diligence against target company or misleading shareholders in their disclosure during the de-SPAC process.
    When purchasing D&O, SPAC sponsors should ensure cyber risk is not excluded and it should cover directors’ or officers’ managerial liability they faced due to cyber related information disclosure or cybersecurity incidents during investigation or litigation.
    Furthermore, the target company can purchase cyber insurance as a means of risk transfer which covers the company’s first-party financial loss for example, ransom, revenue loss, data or system restoration cost, forensic cost, etc. and the cost for target company and its related personnels in violation of data protection or regulatory investigation or litigations.

For details, please contact our Global Professional and Financial Risks team.

First published in Hong Kong Economic Journal – Finance and Investment columns on 20 May 2024

Read our latest risk control insights

Closeup front view of unrecognizable man cutting thin metal rod with electric grinder. Usual day in a workshop. Sparks flying all over.

Inside Risk: Mitigating the risk of hot works