The rapidly expanding crypto world has started to see an uptick in investments and M&A deals (and lofty valuations). Galaxy Digital acquired BitGo. Coinbase bought Routefire. Recently founded NYDIG is moving into mining through M&A. By some estimates, crypto M&A is a billion-dollar-plus business.
Understanding the assets and revenue streams of target businesses is critical to capturing and realizing value in any equity investment or M&A deal – especially in crypto. Given the complexity and nuances of crypto businesses, this understanding requires a deep dive into a few key areas: cybersecurity, data privacy and regulations.
Joe Castelluccio is a partner at Mayer Brown LLP and counsels clients on M&A, equity financings and other corporate and business matters.
While these issues are not unique to businesses in the crypto space, effective analysis and due diligence in this space is particularly complex and challenging.
While every company in the world should be concerned about cyberattacks (for several reasons), businesses in the crypto space should be particularly focused on it. There are a host of negative effects that this kind of attack or breach can have. To name just a few:
- Theft of data, trade secrets and/or other IP can result in a business’s “special sauce” being lost to competitors or bad actors
- Loss of trust can destroy future revenues and cause reputational damage that is difficult (or impossible) to repair
- Attackers that are able to access bank account or crypto wallet information can reroute payments or currency, often to off-shore or untraceable accounts.
To guard against this, an acquirer must have a thorough understanding of the data, software and hardware that will move onto its network prior to joining together its and the target’s IT infrastructures. If the target’s systems are vulnerable, those vulnerabilities may transfer to the acquirer’s systems when they are integrated. If the acquirer cannot get a sufficient level of comfort regarding the target’s systems, other steps may be necessary (even if those steps result in delayed operational efficiency and synergies).
Even if an investor is only taking a minority equity stake in a target, there is potential for the target’s cyber risk to spread to its new owners – especially if there are business or commercial arrangements that accompany the investment. And, of course, the physical and digital security of the digital assets themselves is critical to mitigating the risk of loss and theft.
Data collection and privacy
Another key part of due diligence in any investment or acquisition is determining what privacy policies – and restrictions – apply to a company’s data. These restrictions may thwart an efficient integration (in an acquisition) or monetization of data (in any deal), and limit the ways in which data may be used in future business plans.
A company’s right to use the data it collects is governed by the company’s privacy policies in effect at the time the data was collected and the applicable laws. This may include the laws of countries outside of a company’s home base.
An investor or acquirer cannot assume a target business’s data can be monetized without a thorough review of the policies under which the data was collected and stored. In addition, an investor or acquirer must also review the target’s compliance with its policies – in other words, how it functions day to day, not merely how it looks on paper.
The regulations that apply to cryptocurrency are numerous, overlapping, evolving and, in some cases, contradictory. In the U.S. alone, different states have taken vastly different approaches to regulating crypto.
Colorado and Wyoming have encouraged crypto investment in their states and passed pro-crypto regulations, while New York has pursued cases and fines against crypto businesses for running afoul of its existing financial services regulations.
While the U.S. federal government has been slow to adopt a broad regulatory position (other than selected enforcement actions, such as Ripple), the new chair of the U.S. Securities and Exchange Commission (SEC), Gary Gensler, said recently that a federal regulatory framework is needed for cryptocurrency exchanges in the U.S.
All of this means the crypto regulatory environment will be a key concern for operators in this sector and those that look to buy into it. This will require both an understanding of the current, complicated landscape and a watchful eye on regulatory changes as they develop.
If a crystal ball is not available, an experienced and thoughtful team of advisers is the next best thing.
With the massive amount of attention being given to crypto by global companies, financial institutions and central banks, it’s no surprise that investment cash is flooding this space. For those investments to pay off – and prevent damaging ripple effects for investors and acquirers – it will be important to closely examine these key areas of the target business.