3. Ownership and Voting Structure Information
In the launch and growth stages of a company, numerous types of investors may acquire equity in the company. But maintaining accurate corporate records may not be a priority for early-stage companies, which can complicate things in the acquisition process. Buyers must have a clear understanding of who the target company’s shareholders are and any rights these holders have that could impact the acquisition. This may include voting or dissolution rights associated with any particular share class or investor.
It is common for high-growth companies to use options or warrants to incentivize internal (e.g. employees, board members, and contractors) and external stakeholders (e.g. lenders, strategic partners, and key customers) to support its growth. Therefore, the buyer must also review the terms and vesting schedules of any options, warrants, or convertible securities (to the extent that any have been issued) issued by the target company, as these may impact the level of control and ownership long-term.
It is also critical that the buyer ensure that the appropriate shareholders approve of the transaction or are required to sell their shares (pursuant to the articles or shareholder’s agreement). For a share sale, buyers must understand who each shareholder is and ensure that it is purchasing all of the target company’s shares. A review of the chain of title of shares is essential to help ensure that buyers are purchasing all of the target company’s shares. Buyers must also ensure that each shareholder has the right to transfer its shares to buyers. A review of the target company’s minute books and any relevant agreements, such as shareholder agreements, will be critical to ensure a full understanding of the company’s ownership and voting structure information.
4. Cybersecurity
Data security is critical to protecting a business’s assets and operations. A data breach can be highly damaging to a company’s value. Unauthorized access to confidential business information or sensitive customer information can cause both financial and reputational harm, negatively impacting a company’s image and revenues. Cybersecurity due diligence (“cyber diligence”) is one way to help lower the risk of future data breaches, regulatory fines, and privacy breach proceedings.
Buyers should engage in cyber diligence to review a target company’s cybersecurity practices, identify vulnerabilities that could be exploited, and address cybersecurity risks before they turn into issues. Furthermore, cyber diligence should contemplate the sensitivity or value of the stored data and monitor any gaps in data security. The more sensitive or valuable the data is, the more secure the data must be. Cybersecurity experts may need to be engaged to assess the level of security and any vulnerabilities in the system. Buyers should also consider reviewing the target company’s cyber response plan to ensure that it has adequately contemplated cyber risk and has a robust plan to manage, mitigate or remedy any cyber threat.
5. Regulatory Risk and Life Cycle Issues
In the early stages of software development, it is not uncommon for technology companies to focus on product development that meets certain functional specifications. In doing so, these organizations may develop a functionally sound solution that does not contemplate the regulatory requirements imposed on the company or its customers. This issue can arise when a solution that was originally designed for one industry or jurisdiction is then made available to customers in another industry/jurisdiction whose regulatory obligations differ. In addition, regulations are constantly evolving, thus products and services must continually be updated to reflect these changes.
Buyers should ensure that the target company’s technology complies with both its and its customer’s respective legal obligations and should also contemplate anticipated changes in laws to best ensure that the technology will not be made obsolete by these changes.
If the target company’s solutions do not meet all applicable regulatory requirements, it could face significant liability from its customers, third parties, and governmental agencies.
Apart from regulatory requirements, the fast-evolving nature of disruptive technology means that the life cycle of the target company’s technology should be taken into account. In addition to legal and financial due diligence, the cyber diligence process should also consider the scalability, functionalities, and development potential of the technology being acquired.
6. Addressing the Risk
If issues are identified, buyers should consider if and how these risks can be addressed. Depending on the issue identified, the target may be able to address the concerns pre-closing. Buyers should also consider whether targeted representations and warranties addressing identified technology matters should be included in the purchase agreement.
If the issue cannot be addressed pre-closing, such as concerns relating to the use of open-source software in the target company’s products or services, buyers may wish to negotiate a reduction in the purchase price to reflect the risk assumed and the cost to remedy such risk post-closing. In addition, buyers may wish to consider a specific indemnity to address the risk for known issues and consider a holdback of a portion of the purchase price that buyers can set off against any losses due to the identified issues. The parties may also look to restructure the transaction to mitigate the risk.
Specific issues, such as material infringement of third-party IP or non-compliance with privacy laws, may not be able to be addressed pre-closing. Thus, buyers should consider the potential reputational risk of closing the transaction.
Conclusion
The points discussed in this article are by no means an exhaustive list of all issues relating to technology M&A but do illustrate some of the unique challenges that often arise in this space. The issues identified should be evaluated during the diligence stages of a transaction. Depending on the findings, issues may be able to be addressed in the purchase agreement. This will assist in protecting buyers and also in establishing a meaningful valuation for the target company as the parties can address the risk through a reduction in the purchase price. Both buyers and sellers should engage counsel who understands the underlying technology and has experience in technology transactions to protect their interests.