In brief

As we head into 2023, all eyes are on salary and pay range requirements in US job postings — where these laws apply, what they require, and when they come into effect.

In this latest video, our Labor & Employment lawyers explain what employers need to know about US laws requiring salary and pay range disclosures in job postings including important differences from location to location, questions and concerns, and practical takeaways. 

While the trend has continued, the landscape has drastically changed since we shared our May 2022 video, The Proliferation of Pay Transparency Laws. Consider this your update!

Speakers: Susan Eandi, Krissy Katzenstein and Dionna Shear.

Key Resources 

We regularly assist with large-scale pay equity audits to help companies look under the hood and assess whether there are any unexplained or unjustified pay gaps. For more information on how we can help, please contact your Baker McKenzie lawyer.

Catch up on our additional pay transparency publications:

Subscribe to The Employer Report blog where Baker McKenzie lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers. Past videos are linked in the blog sidebar for easy access to topics including the proliferation of pay transparency laws, whistleblower developments for multinational employers, trends in labor unions and workforce, and much more.

The post United States: Employers – All eyes on salary and pay range disclosure in US job postings (Video Chat) appeared first on Global Compliance News.


Tax Notes and Developments December 2022

In brief

On 30 November 2022, Treasury and the IRS published Notice 2022-61 (“Notice”), which provides much-awaited guidance on the application of “prevailing wage” and “apprenticeship” requirements relevant to determining the amount of several renewable energy and other clean technology tax credits that were enacted, extended or modified by the Inflation Reduction Act (“IRA”). The guidance provided by the Notice is fairly scant and leaves a number of issues unaddressed. It seems that the issuance of the Notice was rushed in order to start the 60-day period after which taxpayers will need to satisfy the “prevailing wage” and “apprenticeship” requirements, to the extent applicable, to claim the maximum tax benefit for projects (i.e., projects the construction of which begins on or after 29 January 2023).

For the full client alert, please view here.

The post United States: IRS releases guidance on ‘prevailing wage’ and ‘apprenticeship’ requirements appeared first on Global Compliance News.


Upcoming Webinar | 2023 January 12, Thursday, 1:30 – 2:30 PM CST

Between maintaining business continuity and keeping your workforce safe, we know there’s been little time to track the rapidly changing employment, compensation and mobility law landscape — in Illinois, across the US, and globally.

This webinar, co-hosted by the Association of Corporate Counsel – Chicago Chapter, is designed to ensure that Midwest in-house counsel are up to speed on the top developments of 2022 and are prepared for what’s on the horizon in 2023.

Join us for a content-rich 90-minute presentation with practical takeaways, covering the latest developments in employment, compensation and mobility, including:

  • Protecting your trade secrets in the US and globally
  • Trends in salary disclosure laws in the US and abroad
  • The NLRB: Where things stand and what to expect in 2023
  • Employment litigation trends for the year ahead
  • Significant new developments affecting equity awards in 2023
  • Equity compensation trends and best practices for public and private companies
  • Post-COVID updates from an immigration and mobility perspective, from international travel to I-9 completion




ACC Chicago is an Approved Illinois MCLE Provider. This program is approved for 1.5 General IL MCLE Credit Hours. Participants seeking MCLE credit must provide their IL ARDC number during registration and attend via the online platform versus by phone dial-in. Details for video and audio participation to be provided upon registration.

Thursday, January 12

1:00 – 2:30 pm CT

Please direct program inquiries to Anna Belova

Attendance is complimentary but limited to ACC members, in-house counsel non-ACC members, and guests of the sponsor.

By registering, you agree that your name and email address will be provided for one-time use to Baker McKenzie (Sponsor) for virtual meeting management.

The post Looking Ahead: Key Themes and Recommendations for US and Global Employers in 2023 appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled G7 Sets Price Cap for Russian Oil at USD 60 Per Barrel on 9 December 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post Global: G7 sets price cap for Russian oil at USD 60 per barrel appeared first on Global Compliance News.


In brief

The strengthening of partnerships between the United States and African countries is evident in recently announced initiatives that focus on sustainability and community empowerment and that provide reciprocal benefits for the citizens of both regions. Such initiatives include, for example, increased US support for climate, clean energy and infrastructure development projects in Africa, and programs that boost reciprocal trade and investment between the two regions.


  1. In more depth
  2. Climate finance
  3. PowerAfrica
  4. Infrastructure finance
  5. Trade and investment

In more depth

The United States and countries in Africa are building strong partnerships that boost sustainability, empower local communities with a focus on opportunities for women and youth, and provide benefits for both African and US citizens. Recently, the US has made numerous announcements regarding cementing its strong ties with Africa via, for example, increased climate financing, infrastructure development support, and reciprocal trade and investment initiatives.

In August 2022, a fact sheet issued by the White House noted that Sub-Saharan Africa (SSA) played “a critical role in advancing global priorities to the benefit of Africans and Americans. It has one of the world’s fastest growing populations, largest free trade areas, most diverse ecosystems, and one of the largest regional voting groups in the United Nations. It is impossible to meet today’s defining challenges without African contributions and leadership.” 

The White House further noted that its Africa strategy articulated the new US vision for a 21st century US-African Partnership and the “tremendous, positive opportunities that exist to advance shared interests alongside our African partners.”

Climate finance

Developing countries are among the most vulnerable in the world to the effects of climate change, especially with regard to adapting to weather extremes and finding solutions that address food insecurity and energy and water scarcity. The availability of climate financing to assist developing countries with the transition to a low-carbon, climate-resilient future was one of the key topics under discussion at this year’s United Nations Climate Change Conference (COP 27) in Egypt.

US President Joe Biden said in a speech at COP 27 that the US Emergency Plan for Adaptation and Resilience Fund (PREPARE) had already deployed USD 2 billion in financing to help developing countries prepare for climate change. He announced a USD 150 million down payment to support PREPARE’s adaptation efforts in Africa, including for the Accelerating Adaptation in Africa project that was launched by the US and Egypt earlier in 2022. Other US climate initiatives in Africa include expanding access to early warning systems, building capacity for African decision makers to accelerate climate adaptation, supporting locally led adaptation efforts, expanding access to risk-based insurance for the most vulnerable, mobilizing private sector support, and supporting climate smart food systems, as well as the initiative – Advancing Climate Security Through Sahel-Climate Advocacy and Peacebuilding with Pastoralists.


Power Africa

Power Africa, a US government-led program that focuses on addressing Africa’s access to electrical power, has provided significant support to African countries since its launch in 2013. A US Agency for International Development (USAID) report shows that, since then, Power Africa has helped bring more than 5,500 megawatts (MW) of cleaner and more reliable power generation and first-time electricity to 127.7 million people across sub-Saharan Africa. The program is a partnership between the US government and the governments of Ethiopia, Ghana, Kenya, Liberia, Nigeria, Tanzania, and the private sector. The African Development Bank (AfDB) has partnered with USAID to shape the Power Africa initiative and, according to the AfDB, Power Africa interventions have included investment loans, reforms, advisory services and guarantees, with a commitment of at least USD 3 billion in the six priority countries.

Infrastructure finance

In June 2022, it was announced at the G7 Summit that a USD 600 billion lending initiative, the Partnership for Global Infrastructure and Investment (PGII) would be launched to fund infrastructure projects in the developing world, with a particular focus on Africa. The G7 countries – Canada, France, Germany, Italy, Japan, the UK, and the US – explained that the PGII would help address the infrastructure gap in developing countries, with a core focus on sustainability.

The US announced at the same time that it would mobilize USD 200 billion for developing countries over the next five years as part of the PGII. This funding will be in the form of grants, financing and private sector investments. One of the priority pillars of this funding will be “tackling the climate crisis and bolstering global energy security through investments in climate resilient infrastructure, transformational energy technologies and developing clean energy supply chains across the full integrated lifecycle.” Some deals have already been announced, including a USD 2 billion solar energy project in Angola and the building of multiple hospitals in Côte d’Ivoire.   

Trade and investment

In July 2021, the Biden Administration announced that it would renew the US Prosper Africa initiative, started in 2019, with a focus on increasing reciprocal trade and investment between the US and African countries. At the time, the US said that the initiative would focus on improving trade and investment in sectors such as infrastructure, energy and climate solutions, healthcare and technology. Seventeen US government agencies working as part of this initiative were given a mandate to, among other things, empower African businesses, offer deal support and connect investors from the US with those in Africa.

Also noted at the renewed Prosper Africa launch was the intention to focus on projects that supported women, and small and medium enterprises in Africa. Under the Biden Administration, US engagement with African countries has focused on strengthening these trade and investment relationships in a strategic, cooperative and reciprocal way, under the vision of shared prosperity between Africa and the US. 


The US has also expressed its support for the African Continental Free Trade Area (AfCFTA), the Africa-wide free trade zone, stating that it wants to see the growth of Africa’s economic power in the world. All future trade agreements signed between the US and African countries will have to align with AfCFTA’s trade stipulations and, considering the Biden Administration’s environmental stance, new agreements will likely also include climate change provisions and tariffs on high-carbon imports. The Administration is also focusing on trade agreements that don’t disadvantage US businesses and consumers.

For example, the US-Kenya Strategic Trade and Investment Partnership (STIP) was signed in July 2022. The agreement outlined the enhanced engagement and high standard of commitment between the two countries, and focused on increased investment and sustainable and inclusive growth that will be of benefit to both countries’ citizens and businesses. The agreement also included the intention to support regional economic integration in East Africa.

Further reciprocal bilateral and regional trade agreements between the US and African countries are expected to be signed in the near future. Such agreements are expected to eventually replace the non-reciprocal African Growth and Opportunity Act (AGOA), which allows duty- and quota-free exports from eligible African countries into the US, and which is due to expire in 2025.


US investment in Africa has grown in recent years. According to Refinitiv data, Prosper Africa’s focus on improving investment between the two regions appears to be working. The value of M&A transactions in SSA, where the acquirers, or acquirer’s ultimate parent, were based in the US, was USD 3.6 billion in the 2022 year-to-date, with 94 deals announced so far in 2022. The only time in the last few years that the deal value has been higher was in pre-pandemic 2017, when 58 deals were announced, valued at USD 4.9 billion. In 2021, the value of deals from US acquirers into Africa was slightly lower than in 2022 so far, at USD 3.3 billion, but the volume was higher, with 97 deals announced. In 2020, both the volume and value of deals were lower, with US-based acquirers announcing USD 1.5 billion in deals in SSA, spread over 42 deals. This was much lower than in 2019, when USD 2.9 billion in US-originated M&A deals were announced in SSA, spread over 38 deals. The volume of deals was higher in 2018 than in 2019, but the value was lower – 55 deals valued at USD 2.4 billion were announced that year. With both the volume and value of US M&A deals in Africa once again climbing, an increasing number of US investors are clearly looking to launch and grow African operations.

The US focus on increased engagement and continued trade and investment in Africa is good news for the continent. Africa needs strong partnerships to address its development challenges and reach its full potential, and it has a solid ally in the US. The numerous US-Africa initiatives and partnerships that have launched as part of the US’s renewed, sustainable and reciprocal approach to Africa, are leading to a plethora of opportunities for both regions.

The post United States and Africa: Building strong partnerships appeared first on Global Compliance News.


In brief

On 6 December 2022, the US Department of Justice (“DOJ”) announced the unsealing of an 11-count indictment filed in the US District Court for the Southern District of Texas charging twelve individuals from Texas and Mexico in a violent conspiracy to monopolize the transmigrante industry in Texas.

The charges against the individuals resulted from an investigation by the Federal Bureau of Investigation (“FBI”) and Homeland Security Investigations (“HSI”), the principal investigative arm of the US Department of Homeland Security. The DOJ Antitrust Division is partnering with the DOJ Criminal Division’s Organized Crime and Gang Section (“OCGS”) and the US Attorney’s Office for the Southern District of Texas (“USAO-SDTX”) in prosecuting the case.


  1. Key Takeaways
  2. Background
  3. Indictment
  4. Agency Collaboration
  5. Recommended Actions

Key Takeaways

  • DOJ has signaled that it intends to revitalize monopolization enforcement and has recently started bringing criminal monopolization charges for the first time in decades.
  • The partnership among the investigating and prosecuting agencies in this case illustrates a broader commitment across federal agencies to work together to investigate and prosecute antitrust violations.

Companies should consider reviewing their antitrust risk and implementing appropriate safeguards, including annual assessments of any such risk.


Background

On 9 July 2021, President Joe Biden issued an Executive Order (“EO”) announcing his administration’s commitment to increasing vigorous antitrust enforcement. The EO recognizes that a “whole-of-government” approach is necessary to address monopolization and other anticompetitive practices. In response, many federal agencies have strengthened their partnerships to carry out the EO’s initiatives.


Indictment

The indictment alleges that eight individuals conspired to monopolize the transmigrante services market in violation of Section 2 of the Sherman Act. Transmigrantes are individuals who transport goods, often used vehicles, from the United States through Mexico for resale in Central America. Transmigrante forwarding agencies are businesses that provide services to transmigrante clients, such as assistance in completing customs paperwork and paying fees as required by the Mexican government.

According to the indictment, from about 2013 to November 2022, the defendants knowingly entered into and engaged in a combination and conspiracy to monopolize, and specifically intended to monopolize, the market for transmigrante agency services in Texas. The defendants’ transmigrante forwarding agencies operated as a single entity referred to as the “empresa” to acquire, maintain, and exercise monopoly power. The defendants carried out the charged conspiracy to monopolize through various anticompetitive acts, including restraints that are per se unlawful under the Sherman Act, as well as threats and acts of violence aimed at deterring market participants from undermining the conspiracy.

The indictment also alleges that the defendants conspired to fix prices and allocate the transmigrante services market in violation of Section 1 of the Sherman Act. According to the indictment, the defendants entered into price-fixing agreements and collected and divided revenues among the conspirators through an arrangement referred to as the “Pool.” When transmigrante industry participants refused to charge the fixed prices, pay into the Pool, or pay an extortion fee referred to as a “piso,” the charged individuals used threats, intimidation, and violence against the industry participants, their families, and their business associates.

The indictment also alleges that six individuals conspired to interfere with commerce by extortion and charges three of these individuals with one count of interference with commerce by extortion. The indictment also charges six individuals with money laundering related to the underlying scheme.

Agency Collaboration

The partnership among the Antitrust Division, OCGS, USAO-SDTX, HSI, and FBI in this prosecution is part of a broader effort across federal agencies to collaborate and strengthen their partnerships to maximize antitrust enforcement. Illustrating the EO’s whole-of-government approach to competition policy, the partnership in this prosecution demonstrates the agencies’ commitment to work together to investigate and prosecute antitrust violations. Indeed, after the announcement of the unsealing of the indictment, agency leaders commented on the importance of their partnership in investigating and prosecuting the alleged conspiracy. “Together with our partners, we are committed to dismantling violent enterprises that victimize individuals simply trying to earn an honest living,” said Assistant Attorney General Kenneth A. Polite, Jr. of the DOJ’s Criminal Division. “Working with our partners across the government, we will continue to investigate and prosecute violent criminals who prey on our communities,” said U.S. Attorney Jennifer Lowery of USAO-SDTX. “HSI and its law enforcement partners are committed to dismantling organized crime by eliminating their corrupt influence in our communities and protecting our nation’s borders,” said Acting Special Agent in Charge Craig Larrabee of HSI San Antonio. “Today’s actions are the result of the FBI’s continued collaborative efforts with our law enforcement partners in this important investigation,” said Special Agent in Charge Oliver E. Rich Jr. of the FBI San Antonio Division.

Recommended Actions

The charges against the individuals illustrate that the DOJ is continuing to pursue vigorous antitrust enforcement, including criminal monopolization enforcement, and is partnering with other agencies to achieve its enforcement goals. Companies should expect greater collaboration between agencies and scrutiny of anticompetitive conduct, even where the antitrust laws might not have been consistently considered by law enforcement previously. For this reason, companies should consider taking steps to mitigate antitrust liability. In particular:

  • Companies should ensure that their antitrust compliance programs include training on appropriate contacts with competitors.
  • Companies should develop controls around communications with competitors.
  • Companies should analyze the markets in which they operate to assess the level of antitrust risk associated with certain business decisions.

Companies that have not conducted an annual antitrust risk assessment and compliance review should consider doing so as soon as possible.

The post United States: 12 Individuals Indicted with Criminal Monopolization Charges appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Issues Russian Crude Oil-related Determination, Guidance on Implementation of the Price Cap Policy for Russian Crude Oil, and Russia-related General Licenses on 2 December 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC issues Russian crude oil-related determination appeared first on Global Compliance News.


On November 26, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued General License 41 (“GL 41”), authorizing Chevron Corporation (“Chevron”) to resume limited oil extraction operations in Venezuela, together with accompanying FAQs. According to the accompanying press release, OFAC issued GL 41 after the Unitary Platform and President Maduro’s regime announced the resumption of negotiations; a humanitarian agreement focused on education, health, food security, flood response, and electricity programs that will benefit the Venezuelan people; and agreement on the continuation of talks focused on the 2024 elections. OFAC also issued an updated General License 8K (“GL 8K”) extending certain limited wind-down activities with Petróleos de Venezuela, S.A. (“PdVSA”) until May 25, 2023.

New GL 41 and Related FAQs

GL 41 authorizes transactions ordinarily incident and necessary to certain activities related to the operation and management by Chevron Corporation or its subsidiaries of its joint ventures in Venezuela (“Chevron JVs”) involving PdVSA or any entity in which PdVSA owns, directly or indirectly, a 50% or greater interest. Such activities include, among others:

  1. Production and lifting of petroleum or petroleum products produced by Chevron JVs and related maintenance, repair, or servicing of the Chevron JVs;
  2. Sales, exports from, or imports into the United States of petroleum or petroleum products produced by the Chevron JVs provided such products are first sold to Chevron;
  3. Ensuring the health or safety of personnel or the integrity of operations or assets of the Chevron JVs in Venezuela; and
  4. Purchases and imports into Venezuela of goods or inputs related to the above activities, including diluents, condensates, petroleum, or natural gas products provided such goods or services are not of Iranian origin.

While GL 41 signals an opening for other companies to resume oil extraction activities in Venezuela, it is important to note Venezuela-related sanctions and restrictions imposed by the United States remain in place and GL 41 does not authorize:

  • Payments of taxes or royalties to the Government of Venezuela.
  • Payment of any dividends, including a dividend in kind, to PdVSA, or any entity in which PdVSA owns, directly or indirectly, a 50% or greater interest.
  • The sale of petroleum or petroleum products produced by or through the Chevron JVs for the exportation to any jurisdiction other than the United States.
  • Any transaction involving an entity located in Venezuela that is owned or controlled by an entity located in the Russian Federation.
  • Any expansion of the Chevron JVs into new fields in Venezuela beyond what was in place on January 28, 2019.
  • Any transactions involving any person blocked pursuant to the Venezuela Sanctions Regulations other than the blocked persons authorized under GL 41 or other OFAC authorizations.

Concurrent with the issuance of Venezuela GL 41, OFAC also issued public guidance indicating that US persons, including financial institutions, are authorized to provide goods and services for certain activities as specified in GL 41 and that non-US persons generally do not risk US sanctions exposure for facilitating transactions that are authorized by GL 41.

GL 41 will automatically renew on the first day of each month and is valid for a period of six months from November 26, 2023 or the date of any subsequent renewal, whichever is later.

Updated GL 8K

In addition to issuing GL 41, OFAC also issued GL 8K which extends the validity period of the authorization for certain transactions and activities otherwise prohibited by Executive Order (“EO”) 13850 (as amended by EO 13857) or EO 13884 that are ordinarily incident and necessary to the limited maintenance of essential operations, contracts, or other agreements that are (i) for the safety or the preservation of assets in Venezuela, (ii) involve PdVSA or its 50%-or-more owned subsidiaries, and (iii) were in effect prior to July 26, 2019 for the following entities and their subsidiaries: Halliburton; Schlumberger Limited; Baker Hughes; and Weatherford International (“Covered Entities”). GL 8K also extends the validity period of the authorization to wind-down PdVSA-related activities involving Covered Entities, effectively providing US companies an additional six months to exit the market. In light of Venezuela GL 41, OFAC also removed Chevron from the list of Covered Entities. Beyond the extension of the validity period and removal of Chevron, no additional changes were made to the license.

The post United States: OFAC issues Venezuela General License authorizing Chevron to resume limited extraction operations appeared first on Global Compliance News.


The White House has set a deadline for agencies to track most of their IT systems through the Continuous Diagnostics and Mitigation program, as new guidance continues a shift toward using automation to track cyber metrics across government.

The Office of Management and Budget released the fiscal 2023 Federal Information Security Modernization Act (FISMA) guidance on Dec. 2. The memo comes as Congress is still considering the first big update to FISMA in nearly a decade.

The latest guidance, picking up on a theme from last year’s FISMA memo, continues to shift agencies away from manual reporting.

The memo directs agencies to report at least 80% of their government-owned IT systems through the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) program by the end of fiscal 2023.

The FISMA memo follows on an October binding operational directive from CISA that directs agencies to routinely scan their networks for both assets and vulnerabilities, with an emphasis on using CDM.

The CDM program provides agencies with tools for monitoring their IT assets, users and activities, including automated capabilities for identifying systems. The program also provides agencies with a dashboard for tracking IT data, while also feeding it into a “Federal Dashboard” that gives CISA and OMB visibility across agency networks.

“Even where full automation is not yet achievable, this memorandum requires CISA to provide performance and incident data to OMB in an automated manner and machine-readable format,” the FISMA memo states. “Collecting and reviewing data consumes time that could be spent on security outcomes. OMB intends for agencies to collect only data that provides critical insight into their security stance.”

The memo also directs agencies to “provide data on assets in an automated manner to the maximum extent feasible.”

Meanwhile, CISA and a newly formed “FISMA Metrics Subcommittee,” situated under the federal chief information security council, will work with OMB to “identify future metrics on automation” for next year and beyond, the memo continues.

“Fully automated identification of certain assets through CDM may not be feasible,” the memo states, adding that those systems can still be reported through the Department of Homeland Security’s CyberScope website.

Agencies should also be on the lookout for a list of software categories that meet the definition of “critical software.” CISA will provide that list to agencies by Jan. 15, according to OMB’s memo. “CISA will include examples of software products in each category so that FISMA reporting on this metric remains consistent,” it adds.

Zero trust implementation

OMB also highlights how it will align FISMA metrics with zero trust architecture to help measure agency progress toward the goals outlined in the federal zero trust strategy.

“The Federal Government no longer considers any Federal system or network to be ‘trusted’ unless that confidence is justified by clear data; this means internal traffic and data must be considered at risk,” the memo states. “Historically, FISMA metrics have not focused enough on defense measures beyond the perimeter. Because modern cyber threat campaigns have continued to find success in breaching perimeters, it is essential to evaluate cybersecurity measures throughout the entire ecosystem.”

CISA is also updating the CDM program to align with zero trust principles.

Ross Nodurft, the former chief of OMB’s cyber team and current executive director at the Alliance for Digital Innovation, applauded OMB’s focus on zero trust and increased automation through the CDM program.

“Specifically, ADI supports OMB’s efforts to drive zero trust implementation and IT modernization across agencies through its metrics,” Nodurft told Federal News Network. “Additionally, ADI appreciates the FISMA metrics’ emphasis on outcome-focused data as well as its alignment with other programs including CISA’s CDM program. As OMB continues to push for modern, secure architectures and environments at agencies, ADI urges the administration to ask Congress for the necessary resources to meet the numerous policy requirements that will be measured by the FY-23 FISMA metrics.”


In brief

Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues.


  1. Whose risk is it?
  2. Upgrade your diligence
  3. Conclusion

Trillions of dollars are spent on M&A each year, yet reports suggest that less than 10% of deals integrate cybersecurity into the due diligence process.1

Despite the FBI and private watchdog groups raising multiple warning flags about ransomware groups hitting more and more companies in the middle of significant transactions like M&A, and despite increased focus from the FTC and the SEC on data security failures as legitimate reasons for shareholder and government enforcement actions, companies continue to struggle with how to capture and mitigate cyber risk in an M&A transaction. Even with increased top-down pressure from Boards of Directors and the potential for breach of fiduciary duties related to lax data security measures, companies are fumbling the ball on what questions to ask and how to measure the security risk in a target.

Whose risk is it?

Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues. Unresolved risk can also push investors to question the impact of future attacks. And for good reason: An increasing number of deals have stalled or not gone through at all since the widely publicized 2017 Yahoo disclosure of a data breach, which led to a decrease in the deal price for Yahoo in its acquisition by Verizon Wireless Inc. Initially, Yahoo did not disclose any significant cyber events but later disclosed an earlier data breach affecting more than 500 million users. The following day, Yahoo’s stock dropped 3%, and it lost USD 1.3 billion in market capitalization.

Verizon determined that the incident was a material adverse event under the stock purchase agreement and the parties agreed to reduce the purchase price by USD 350 million, or 7.25%. In response to this and similar incidents, and as cyber events increase in scope and complexity, investors are requiring more detailed quantification of cyber risk exposure, including risks of financial loss and reputational harm.

Upgrade your diligence

Preemptive and proactive cyber integrity risk assessment must be incorporated into the M&A process. This means that dedicated cyber and security experts must be involved at an early enough stage of the transaction to gauge a company’s cybersecurity and resiliency. Risk reports should both inform initial deal-making and stay relevant through the lifecycle of the deal.

There is no simple playbook for an acquiring company to address cyber risk, but the diligence process is key to getting it right.

As part of efforts to uncover cybersecurity risks or incidents at a target, some key areas for an acquiring company to direct its focus include:

  • IT and data assets: What IT assets, systems, software, platforms, websites and applications exist and are critical to the target? How is company data stored, and is it encrypted?
  • Governance practices: Who has responsibility for privacy compliance and data security within the company and for overseeing security preparedness? Is there a specifically appointed data protection officer?
  • Security risk management: What is the target’s data security infrastructure? When and how has it been upgraded? What third parties are involved in maintaining it?
  • Has the target experienced any interruptions, outages or suspensions of system operations? Does the target have a comprehensive written security management program and show proof of vulnerability testing? Consider hiring an outside firm to do penetration tests or security audits.
  • Insurance: Does the target have data security insurance coverage? Does the target require vendors to maintain such coverage?
  • Historic incident or loss experience: Has the target received complaints from customers, employees, contractors or other third parties regarding data privacy and security practices? Have any such complaints resulted in litigation or other proceedings?
  • Sharing information with third parties: How does the target vet third party security infrastructure, policies and records? Does the target ensure audit rights in contracts with third parties? Has the company assessed its obligations to notify customers and regulators in case of a breach?

Ultimately, while these examples provide a starting point for appropriate cybersecurity diligence, it is critical that the acquiring company tailor its diligence on data privacy and security matters to the target company by also understanding its data collection and use practices. Foremost, the forthrightness of the target in these matters is of increasing importance. A blank stare or a vague response to any of the data security questions is itself an answer and should be given attention.


Conclusion

Cybersecurity and resilience have become increasingly important for successful business practices. Executive teams are judged on lax security measures and appropriate breach response. Ransomware is increasing at an alarming rate. Ignorance or the inability to obtain a straight answer from a seller company no longer appeases shareholders and regulators when significant fines and enforcement actions could be at stake. Cyber integrity and proper data security due diligence are no longer a “nice to have”; they are a necessary and critical part of M&A.

Jake Rubenstein contributed to this article.

1. Aon Cyber Solutions, 2020 Cyber Security Risk Report

The post United States: Buyer Beware Cyber Diligence in M&A appeared first on Global Compliance News.