|Footnotes for this article are available at the end of this page.
Over the past decade, M&A activity has been steadily trending upward, paused only momentarily in 2020 by global pandemic concerns. Although activity is heavy across many sectors, there is particular interest and investment in medical technology (“medtech”). Despite the pandemic, in 2020, over 100 medical tech M&A deals were closed worldwide.
Although the FDA’s regulatory reach extends only to medical devices, in recent public comments, FDA officials have signaled an interest in increasing their enforcement abilities to include software that does not meet the definition of a device, but which supports or is relied on by devices, such as third-party software necessary to achieve the intended use of devices, hospital network software, programs, applications, mobile devices, cloud services, and certain Electronic Health Records (“EHRs”)/Electronic Medical Records (“EMRs”) where medical devices pull/push data directly as part of their intended use. These overtures, paired with increased national attention on cybersecurity and resiliency, give rise to unique and constantly evolving legal concerns. In this article, we discuss the current approaches taken by M&A deal teams and propose suggestions to ensure that an acquiring company is not inadvertently purchasing unknown liability or compliance risk.
In many of these transactions, the target company has products in development and the stream of commerce. Acquirers of these target companies face unique challenges when it comes to potential cybersecurity liability post-closing in part because security vulnerabilities are often latent and may not manifest until well after a transaction has been completed. Although most agreements include representations and warranties that cover data privacy and security, the extent and specificity of these representations and warranties vary significantly, with even the most robust being deficient in some regards, relying on ambiguous standards such as “industry norms” and only covering past events. These deficiencies mean that the representations and warranties could be of limited use in the event the target company’s products fall victim to a cyber attack.
Additionally, indemnification provisions allocating liability in the event of a post-closing security breach are markedly absent in many deals, although in some cases, buyers receive limited protection from either: (1) a seller commitment to cooperate if the buyer chooses to pursue a claim under a representation and warranties insurance policy or (2) a broader indemnification covering a breach of representations and warranties.
As in any sector, medtech M&A activity inherently carries risk, and the parties negotiate to allocate risk based, in part, on leverage. The absence of specificity and indemnification may be a testament to the leverage that sellers have in the current market. However, for buyers of medtech companies, especially medical device companies, given the shifting landscape and increased scrutiny, we recommend they seek the following in transaction documents.
- Draft representations and warranties with specificity.
- For example, instead of asking a seller to represent that cybersecurity policies and procedures are in place for third-party vendors, require the seller to represent that those policies, at minimum, require the third- party vendor to be liable for security breaches.
- In addition to the standard representation a seller makes that there are no prior security breaches, request sellers represent, to their knowledge, that the products do not contain security vulnerabilities that could be used to compromise the product.
- Seek assurances that all products, including those that are premarket, are being designed with security in mind. For example, if possible, require a representation that products comply with the standards set forth in Part 4-5 (“Medical electrical equipment – Guidance and interpretation – Safety-related technical security specifications”) of IEC TR 60601-4-5:202.1.1
- Broaden the scope of indemnifications.
- Include indemnification for breaches of all representations and warranties, but specifically, representations and warranties relating to cybersecurity matters.
- Consider requesting indemnification for all security breaches resulting from vulnerabilities present in the products at the time of acquisition, whether in the stream of commerce or inventory.
- Include provisions making the buyer whole in the event the buyer has to make payments under customer contracts for security breaches.
 International Electrotechnical Commission, Technical Report: Medical Electrical Equipment (2021), https://webstore.iec.ch/publication/64703.