Cybersecurity in M&A Transactions: What the United States and South Korea Jurisprudence Can Learn From Each Other

Digest Notes

View PDF


Data is one of the most valuable assets in today’s business world. Many companies are collecting an increasing amount of data related to customers, competitors or suppliers to improve their own performance; at the same time, these companies risk cybersecurity breaches by third parties who also hope to monetize this valuable data. Victims often have no recourse because it is almost impossible to identify the breaching party, regardless of the legality of their actions.

In response, cybersecurity has gained increased importance to businesses. This applies to company operations generally, but much attention has been devoted to cybersecurity concerns specifically in M&A transactions as well. This paper aims to identify how various influences have shaped the way cybersecurity considerations in M\&A transactions developed, with a comparative focus on the United States and South Korea. Within the M&A context, this paper will place emphasis on the role of cybersecurity in due diligence, which refers to an acquirer’s investigation of a target company to identify risks and make an informed decision.

Part I of this paper studies legal obligations related to cybersecurity that exist in the United States and South Korea, and how such obligations may have affected cybersecurity considerations in M&A transactions. Cybersecurity laws and regulations in the United States tend to be industry-specific, while the South Korean counterparts focus on the type of data. However, both countries currently lack laws and regulations that specifically address cybersecurity in the M&A transactions context.

Part II analyzes how cybersecurity has developed as a standalone consideration in M\&A due diligence, in the absence of substantial legal obligations. This part provides an overview of what cybersecurity due diligence looks like as well as the substantive grounds commonly covered by acquirers and advising law firms. Most of the literature so far addressing cybersecurity concerns in M&A transactions have been generated in the United States. This may be due to the greater abundance of attractive cybersecurity targets in the United States, the internalization of cybersecurity functions by South Korean companies, or both.

Part III closely examines Verizon’s acquisition of Yahoo in 2017, which was discounted from $4.83 billion to $4.48 billion due to two cybersecurity incidents that occurred in 2014. This part explores which substantive cybersecurity due diligence areas discussed in Part II are applicable to the Verizon-Yahoo deal as well as how a thorough diligence process may have helped Verizon carry out the deal in a smoother manner.

Part IV discusses the takeaways of this paper. Without substantial legal obligations, understanding of what is appropriate cybersecurity due diligence in M&A transactions will rely primarily on trial and error. In this context, United States companies can learn from the internalized cybersecurity functions of South Korean companies, and South Korean law firms can learn from the M&A-related cybersecurity expertise of United States law firms. Parties to M&A transactions should remember that cybersecurity due diligence is necessarily individualized and contextual...continue

Recommended Citation

Yong Bum Lee, Cybersecurity in M&A Transactions: What the United States and South Korea Jurisprudence Can Learn From Each Other, Harv. J.L. & Tech. Dig. (May 23, 2018),