Looking To Invest In Or Acquire A Digital Assets Business? Watch Where You Step—Realizing Value And Managing Risk – Technology | #cybersecurity | #cyberattack


The upshot, for busy people:

  • Realizing value and managing risk in investments and
    acquisitions of digital assets businesses means understanding
    several key areas of the target’s business-among them,
    cybersecurity, data privacy and regulatory positions.

  • This is particularly challenging in light of the pace of
    innovation in these technologies and the intersecting, evolving
    regulations that apply to digital assets.

  • As valuations increase and investment capital flows into the
    digital assets sector, the negative impacts of missteps in these
    areas-especially risks of cybercrime and regulatory penalties and
    sanctions-have also expanded significantly.

As applications and use cases for digital assets and their
blockchain infrastructure grow and become more sophisticated,
investments and valuations for businesses in these areas have
similarly grown and attracted a diverse group of stakeholders.
Acquisitions and equity financings in digital assets businesses are
being pursued by global financial institutions and some of the
world’s largest institutional investors, among many others.

No matter who the buyer is-and no matter the size of the
investment-understanding the assets and revenue streams of a target
digital assets business is critical to capturing and realizing
value in any equity investment or M&A deal. Given the
complexity and nuances of digital assets businesses, this
understanding requires a deep dive into several key subject
areas-among them, cybersecurity, data privacy, and federal and
state regulations.

These issues are not unique to businesses in the digital assets
world-among others, financial services and healthcare businesses
are also well acquainted with these issues. However, effective
analysis and due diligence in this space is particularly complex
and challenging in light of the pace of innovation in the
technological foundations of these businesses and the rapid
evolution of the products and services that are developed on
them.

In order to validate an investment thesis, confirm valuation and
manage risk, an early step in any proposed acquisition or
investment in a digital assets business should be a careful
analysis of the target’s cybersecurity, data privacy, and
federal and state regulatory position.

Cybersecurity

While every company in the world should be concerned about
cyberattacks (for several reasons1),
digital assets businesses should be particularly focused on it.
Digital native businesses exist exclusively in cyberspace, which
means that a serious cyber threat is also an existential one. And
while the use of distributed ledger technology-the backbone of
digital assets-has certain inherent security benefits (as compared
to centralized networks), there are still security vulnerabilities
that arise through the security (or lack thereof) of individual
participants and end-users, among others.

When these threats materialize as an attack or breach, there are
a host of negative effects that can result. To name just a few:

  • Attackers that are able to access bank account or crypto wallet
    information can reroute payments or currency (fiat or digital),
    often to opaque jurisdictions or untraceable accounts.

  • Theft of data, trade secrets and/or other IP can result in a
    business’s “special sauce” being lost to competitors
    or bad actors.

  • Loss of trust can destroy future revenues and cause
    reputational damage that is difficult (or impossible) to
    repair.

To guard against this, an investor or acquirer must have a
thorough understanding of the data and software that are material
to the target business and the ways they have been structured and
protected against cyberattacks. This is especially true for any
data and software that will be integrated with or otherwise linked
to an acquirer’s IT infrastructure. A target company’s
vulnerabilities will become the acquirer’s vulnerabilities.

Even if an investor is only taking a minority equity stake in a
target, there is potential for the target’s cyber risk to
spread to its new owners-especially if there are business or
commercial arrangements that accompany the investment. The
security, trustworthiness and ultimately the market position of a
target digital assets business will be key drivers of the utility
and value of a commercial arrangement with its acquirer or
investor. In addition, the potential negative impact of
reputational damage from a cyberattack on a digital assets
business-and its owners, investors and vendors-really cannot be
overstated. In highly competitive markets, reputational damage can
sometimes be impossible to overcome.

As a result, the physical and digital security of the target and
its digital assets themselves are critical to realizing deal value
and mitigating the risk of damages, loss and theft. A few examples
of areas of specific focus for digital assets businesses
include:

  • Whether there have been cyber breaches-keeping in mind that
    these can be unreported, or even undetected, for long periods of
    time;

  • Scope of the target business’s internal testing of its
    cybersecurity program-including penetration testing and
    vulnerability assessments; and

  • Method(s)/location(s) for storage and custody of digital
    assets, including the individuals that have access to
    multisignature wallets and cold storage devices.

Data Collection, Usage and Privacy

Another key part of due diligence in any investment or
acquisition is determining what data policies-and
restrictions-apply to a company’s data. These restrictions may
thwart an efficient integration (in an acquisition) or monetization
of data (in any business) and limit the ways in which data may be
used in future business plans.

A company’s right to use the data it collects is governed by
the company’s privacy policies in effect at the time the data
was collected and the applicable laws. This may include the laws of
countries outside of a company’s home base.

An investor or acquirer cannot assume a target business’s
data can be monetized without a thorough review of the policies
under which the data was collected and stored. In addition, an
investor or acquirer must also review the target’s compliance
with its policies-in other words, how it functions day to day, not
merely how it looks on paper.

Regulations

The regulations that apply to cryptocurrency are numerous,
overlapping, evolving and, in some cases, contradictory. In the
United States alone, different federal and state legal and
regulatory regimes are relevant to digital assets businesses, and
the positions of various regulators and legislators are
continuously evolving. Because of this, many market participants
have been hoping for clarity regarding which US federal agency or
agencies have jurisdiction over digital assets.

For example, US federal regulators-including the Federal
Reserve,2 Securities and Exchange
Commission (SEC),3 Commodity Future
Trading Commission (CFTC), Federal Trade Commission (FTC) and
Department of Justice,4 among
others-have all positioned themselves for a role in the future of
regulation and enforcement relating to digital assets. The Biden
administration has also weighed in recently with an executive order
that sets in motion a process to produce regulatory proposals (and,
perhaps, a consensus on) how Congress and financial regulators
should modernize US regulation to incorporate digital assets.5

For example, under the federal securities laws, a cryptocurrency
token can simultaneously be subject to the jurisdiction of the SEC
(as a “security”), the CFTC (as a “commodity”)
and the FTC (as a consumer-facing product). In addition, different
types of transactions involving the hypothetical token may be
governed by different regulators-the CFTC would have exclusive
jurisdiction over token swaps, but the CFTC would share enforcement
authority with the SEC for the token if it were both a commodity
and a security.

Alongside the US federal regulatory landscape are different
approaches to governing law and regulation at the state level. For
example, states such as Wyoming and Colorado have encouraged
digital assets investment in their states and passed regulations
tailored to assist digital assets businesses. Most notably, Wyoming
has passed laws that give decentralized autonomous organizations
(DAOs) organized in the state the same legal status as limited
liability companies. In addition, Colorado has announced that it
plans to accept Bitcoin for payment of state taxes later this year.
Other states, such as Arizona and California, have introduced
legislation or proposals that would make Bitcoin legal tender in
those states.

In contrast, New York requires a specific “BitLicense”
for companies that want to conduct virtual currency activities in
the state. The BitLicense is issued by the New York State
Department of Financial Services and applies to a broad range of
digital assets activities. New York’s attorney general has
brought actions against digital assets businesses that operate in
New York without the requisite licenses.

While these are some US-focused examples, debates about digital
assets regulations and the policies that underlie them are
similarly in motion around the world. The approaches and
dispositions of different countries vary widely, from broad
acceptance of virtual currencies as legal tender to outright bans
on digital assets.

In light of these factors, the regulatory environment-and lack
of regulatory clarity in key jurisdictions such as the United
States -will continue to be a key concern for operators in this
sector and those that look to buy into it. This will require both
an understanding of the current, complicated landscape and a
watchful eye on regulatory changes as they develop. If a crystal
ball is not available, an experienced and thoughtful team of
advisers is the next best thing.

Wrapping Up

With the massive amount of attention being given to digital
assets by global companies, financial institutions, central banks
and investors, it’s no surprise that deal activity and
valuations have significantly accelerated. For investors and
acquirers to realize the strategic and economic value of their
investments in digital assets-and to prevent damaging ripple
effects from missteps in diligence and deal execution-it will be
important to closely examine these (and other) key subject areas of
any target digital assets business.

Footnotes

1 Missiles, Malware and Merger Management: Why
Cybersecurity and Data Privacy Matter to M&A Practitioners -
Part 1: https://www.mayerbrown.com/-/media/files/news/2018/10/insight-missiles-malware-and-merger-management-why/files/pt1_spmissles-pt-1-oct-3-2018/fileattachment/pt1_spmissles-pt-1-oct-3-2018.pdf

2 US Banking Regulators Release Roadmap for
Crypto-Related Activities by Banks: https://www.mayerbrown.com/en/perspectives-events/publications/2021/11/us-banking-regulators-release-roadmap-for-cryptorelated-activities-by-banks

3 SEC Examinations Division Issues Risk Alert Regarding
Digital Assets: https://www.mayerbrown.com/en/perspectives-events/publications/2021/03/sec-examinations-division-issues-risk-alert-regarding-digital-assets

4 US DOJ Continues to Position Itself as Preeminent
Global Enforcement Agency for Virtual Currency and Digital Assets:
https://www.mayerbrown.com/en/perspectives-events/publications/2022/02/us-doj-continues-to-position-itself-as-preeminent-global-enforcement-agency-for-virtual-currency-and-digital-assets

5 Biden Executive Order Calls for Regulatory Proposals on
Digital Assets and Central Bank Digital Currency: https://www.mayerbrown.com/en/perspectives-events/publications/2022/03/biden-executive-order-calls-for-regulatory-proposals-on-digital-assets-and-central-bank-digital-currency

Visit us at
mayerbrown.com

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited
liability partnerships established in Illinois USA; Mayer Brown
International LLP, a limited liability partnership incorporated in
England and Wales (authorized and regulated by the Solicitors
Regulation Authority and registered in England and Wales number OC
303359); Mayer Brown, a SELAS established in France; Mayer Brown
JSM, a Hong Kong partnership and its associated entities in Asia;
and Tauil & Chequer Advogados, a Brazilian law partnership with
which Mayer Brown is associated. “Mayer Brown” and the
Mayer Brown logo are the trademarks of the Mayer Brown Practices in
their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This
Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.



Original Source link

Leave a Reply

Your email address will not be published.

+ twenty nine = thirty one