Canada continued its record run of M&A activity in 2021. Throughout the year, we saw a significant amount of M&A activity in the Canadian technology sector. To increase value and expand capabilities, organizations in all industries are investing in and acquiring technology companies rapidly. Technology companies can offer significant upside because of their ability to scale operations rapidly while using lower levels of capital investment. Yet, companies that utilize technology present unique risks. Buyers, including private equity funds and strategic acquirers, must understand these risks and engage advisors experienced in technology M&A to help structure the transaction to mitigate risk and maximize value. These risks increase where the target company uses cutting-edge technology, such as artificial intelligence, or whose products are utilized in highly regulated industries, such as providers of FinTech, RegTech, biomedical solutions, digital health devices, or autonomous vehicles.
This article will identify five key technology-specific issues to consider when acquiring a technology company and provide strategies to mitigate these risks. As with all acquisitions, buyers must review all aspects of the business’s operations, including employment, tax, commercial agreements, and any specific issues triggered by the acquisition (e.g. regulatory review of the transaction).
1. Does the Target Company Have Adequate Rights to Its IP?
For technology companies, clear ownership of, or adequate rights to utilize, all relevant intellectual property (IP) is paramount. IP is the cornerstone of most technology businesses. If a company does not have a clear title to its IP, it risks third-party infringement claims that can be detrimental to the business’s survival.
Buyers should first identify what IP is critical to the target company’s operations and then ensure that the target either exclusively owns or has the rights to the IP utilized in its operations or incorporated in its products and services. This includes ensuring that any third parties (e.g. employees, contractors, service providers, research institutions) involved in developing the target company’s IP have adequately assigned all rights to the target company. Buyers should review all applicable databases of appropriate administrative bodies (e.g. the Canadian Intellectual Property Office) to ensure that the target company owns any applicable registered IP and that no third-party interests are registered against the IP. Additionally, buyers should identify and form a strategy for any IP infringement claims against the target company. If the target company does not own the underlying IP, buyers should understand how the target company is permitted to utilize the IP. This will include understanding the scope of any licenses for any material IP of the target company.
For target companies that employ either employees or independent contractors to develop their technology, it is crucial to confirm that the target company has sought waivers of moral rights from these third parties. Moral rights grant the author of an original work covered under copyright laws certain rights to that work, without any need for registration. In Canada, moral rights cannot be assigned or licensed but must be waived.
Utilization of open-source software by the target company also offers its risks. This can include creating obligations on the company utilizing the open-source software to make available, at no charge, the source code of any program or software that incorporates the open-source software. Due to the significant risk involved, buyers should consider engaging a third-party provider to conduct an audit of the target company’s source code. This will help the buyer understand if there are any open-source issues or issues relating to the potential infringement of third-party IP.
2. Data Rights and Use of Personal Information
For technology companies, data is often a key driver of value. As such, buyers should work to understand how the target company utilizes data and its data practices, focusing on any contractual obligations relating to the collection, use, and transfer of data. Such review should include examining the target company’s policies surrounding personal information, verifying compliance with applicable laws (including data protection laws), and obtaining consent to transfer data where necessary. The review should cover all applicable privacy policies and internal data use policies and the target company’s privacy practices. Reviewing whether the target company has all the necessary consents to use the data will also mitigate this risk.
Suppose the target company’s data practices involve the processing of personal information. In that case, buyers should understand what legislation applies and whether the target has implemented processes and procedures that comply with all applicable data protection laws, privacy laws, and third-party agreements.
If the proposed transaction results in a transfer of ownership of the data, buyers should ensure that the target company has the necessary rights and consents to transfer the data. Without this consent, the target company could be in breach of its obligations.
As issues relating to inappropriate data use may be expensive, if not impossible, to remedy, buyers must have a clear understanding of the target company’s data practices. It must also confirm that the target complies with all regulatory obligations and third-party agreements concerning data use. If the target company is non-compliant, then this issue may be difficult or impossible to remedy without seeking the consent of all applicable third parties.
3. Ownership and Voting Structure Information
In the launch and growth stages of a company, numerous types of investors may acquire equity in the company. But maintaining accurate corporate records may not be a priority for early-stage companies, which can complicate things in the acquisition process. Buyers must have a clear understanding of who the target company’s shareholders are and any rights these holders have that could impact the acquisition. This may include voting or dissolution rights associated with any particular share class or investor.
It is common for high-growth companies to use options or warrants to incentivize internal (e.g. employees, board members, and contractors) and external stakeholders (e.g. lenders, strategic partners, and key customers) to support its growth. Therefore, the buyer must also review the terms and vesting schedules of any options, warrants, or convertible securities (to the extent that any have been issued) issued by the target company, as these may impact the level of control and ownership long-term.
It is also critical that the buyer ensure that the appropriate shareholders approve of the transaction or are required to sell their shares (pursuant to the articles or shareholder’s agreement). For a share sale, buyers must understand who each shareholder is and ensure that it is purchasing all of the target company’s shares. A review of the chain of title of shares is essential to help ensure that buyers are purchasing all of the target company’s shares. Buyers must also ensure that each shareholder has the right to transfer its shares to buyers. A review of the target company’s minute books and any relevant agreements, such as shareholder agreements, will be critical to ensure a full understanding of the company’s ownership and voting structure information.
Data security is critical to protecting a business’s assets and operations. A data breach can be highly damaging to a company’s value. Unauthorized access to confidential business information or sensitive customer information can cause both financial and reputational harm, negatively impacting a company’s image and revenues. Cybersecurity due diligence (“cyber diligence”) is one way to help lower the risk of future data breaches, regulatory fines, and privacy breach proceedings.
Buyers should engage in cyber diligence to review a target company’s cybersecurity practices, identify vulnerabilities that could be exploited, and address cybersecurity risks before they turn into issues. Furthermore, cyber diligence should contemplate the sensitivity or value of the stored data and monitor any gaps in data security. The more sensitive or valuable the data is, the more secure the data must be. Cybersecurity experts may need to be engaged to assess the level of security and any vulnerabilities in the system. Buyers should also consider reviewing the target company’s cyber response plan to ensure that it has adequately contemplated cyber risk and has a robust plan to manage, mitigate or remedy any cyber threat.
5. Regulatory Risk and Life Cycle Issues
In the early stages of software development, it is not uncommon for technology companies to focus on product development that meets certain functional specifications. In doing so, these organizations may develop a functionally sound solution that does not contemplate the regulatory requirements imposed on the company or its customers. This issue can arise when a solution that was originally designed for one industry or jurisdiction is then made available to customers in another industry/jurisdiction whose regulatory obligations differ. In addition, regulations are constantly evolving, thus products and services must continually be updated to reflect these changes.
Buyers should ensure that the target company’s technology complies with both its and its customer’s respective legal obligations and should also contemplate anticipated changes in laws to best ensure that the technology will not be made obsolete by these changes.
If the target company’s solutions do not meet all applicable regulatory requirements, it could face significant liability from its customers, third parties, and governmental agencies.
Apart from regulatory requirements, the fast-evolving nature of disruptive technology means that the life cycle of the target company’s technology should be taken into account. In addition to legal and financial due diligence, the cyber diligence process should also consider the scalability, functionalities, and development potential of the technology being acquired.
6. Addressing the Risk
If issues are identified, buyers should consider if and how these risks can be addressed. Depending on the issue identified, the target may be able to address the concerns pre-closing. Buyers should also consider whether targeted representations and warranties addressing identified technology matters should be included in the purchase agreement.
If the issue cannot be addressed pre-closing, such as concerns relating to the use of open-source software in the target company’s products or services, buyers may wish to negotiate a reduction in the purchase price to reflect the risk assumed and the cost to remedy such risk post-closing. In addition, buyers may wish to consider a specific indemnity to address the risk for known issues and consider a holdback of a portion of the purchase price that buyers can set off against any losses due to the identified issues. The parties may also look to restructure the transaction to mitigate the risk.
Specific issues, such as material infringement of third-party IP or non-compliance with privacy laws, may not be able to be addressed pre-closing. Thus, buyers should consider the potential reputational risk of closing the transaction.
The points discussed in this article are by no means an exhaustive list of all issues relating to technology M&A but do illustrate some of the unique challenges that often arise in this space. The issues identified should be evaluated during the diligence stages of a transaction. Depending on the findings, issues may be able to be addressed in the purchase agreement. This will assist in protecting buyers and also in establishing a meaningful valuation for the target company as the parties can address the risk through a reduction in the purchase price. Both buyers and sellers should engage counsel who understands the underlying technology and has experience in technology transactions to protect their interests.
The authors would like to acknowledge the contributions of Jane Huang, Articling Student, in the writing of this piece.