The upshot, for busy people:
- Realizing value and managing risk in investments and acquisitions of digital assets businesses means understanding several key areas of the target’s business—among them, cybersecurity, data privacy and regulatory positions.
- This is particularly challenging in light of the pace of innovation in these technologies and the intersecting, evolving regulations that apply to digital assets.
- As valuations increase and investment capital flows into the digital assets sector, the negative impacts of missteps in these areas—especially risks of cybercrime and regulatory penalties and sanctions—have also expanded significantly.
As applications and use cases for digital assets and their blockchain infrastructure grow and become more sophisticated, investments and valuations for businesses in these areas have similarly grown and attracted a diverse group of stakeholders. Acquisitions and equity financings in digital assets businesses are being pursued by global financial institutions and some of the world’s largest institutional investors, among many others.
No matter who the buyer is—and no matter the size of the investment—understanding the assets and revenue streams of a target digital assets business is critical to capturing and realizing value in any equity investment or M&A deal. Given the complexity and nuances of digital assets businesses, this understanding requires a deep dive into several key subject areas—among them, cybersecurity, data privacy, and federal and state regulations.
These issues are not unique to businesses in the digital assets world—among others, financial services and healthcare businesses are also well acquainted with these issues. However, effective analysis and due diligence in this space is particularly complex and challenging in light of the pace of innovation in the technological foundations of these businesses and the rapid evolution of the products and services that are developed on them.
In order to validate an investment thesis, confirm valuation and manage risk, an early step in any proposed acquisition or investment in a digital assets business should be a careful analysis of the target’s cybersecurity, data privacy, and federal and state regulatory position.
While every company in the world should be concerned about cyberattacks (for several reasons1), digital assets businesses should be particularly focused on it. Digital native businesses exist exclusively in cyberspace, which means that a serious cyber threat is also an existential one. And while the use of distributed ledger technology—the backbone of digital assets—has certain inherent security benefits (as compared to centralized networks), there are still security vulnerabilities that arise through the security (or lack thereof) of individual participants and end-users, among others.
When these threats materialize as an attack or breach, there are a host of negative effects that can result. To name just a few:
- Attackers that are able to access bank account or crypto wallet information can reroute payments or currency (fiat or digital), often to opaque jurisdictions or untraceable accounts.
- Theft of data, trade secrets and/or other IP can result in a business’s “special sauce” being lost to competitors or bad actors.
- Loss of trust can destroy future revenues and cause reputational damage that is difficult (or impossible) to repair.
To guard against this, an investor or acquirer must have a thorough understanding of the data and software that are material to the target business and the ways they have been structured and protected against cyberattacks. This is especially true for any data and software that will be integrated with or otherwise linked to an acquirer’s IT infrastructure. A target company’s vulnerabilities will become the acquirer’s vulnerabilities.
Even if an investor is only taking a minority equity stake in a target, there is potential for the target’s cyber risk to spread to its new owners—especially if there are business or commercial arrangements that accompany the investment. The security, trustworthiness and ultimately the market position of a target digital assets business will be key drivers of the utility and value of a commercial arrangement with its acquirer or investor. In addition, the potential negative impact of reputational damage from a cyberattack on a digital assets business—and its owners, investors and vendors—really cannot be overstated. In highly competitive markets, reputational damage can sometimes be impossible to overcome.
As a result, the physical and digital security of the target and its digital assets themselves are critical to realizing deal value and mitigating the risk of damages, loss and theft. A few examples of areas of specific focus for digital assets businesses include:
- Whether there have been cyber breaches—keeping in mind that these can be unreported, or even undetected, for long periods of time;
- Scope of the target business’s internal testing of its cybersecurity program—including penetration testing and vulnerability assessments; and
- Method(s)/location(s) for storage and custody of digital assets, including the individuals that have access to multisignature wallets and cold storage devices.
Data Collection, Usage and Privacy
Another key part of due diligence in any investment or acquisition is determining what data policies—and restrictions—apply to a company’s data. These restrictions may thwart an efficient integration (in an acquisition) or monetization of data (in any business) and limit the ways in which data may be used in future business plans.
A company’s right to use the data it collects is governed by the company’s privacy policies in effect at the time the data was collected and the applicable laws. This may include the laws of countries outside of a company’s home base.
An investor or acquirer cannot assume a target business’s data can be monetized without a thorough review of the policies under which the data was collected and stored. In addition, an investor or acquirer must also review the target’s compliance with its policies—in other words, how it functions day to day, not merely how it looks on paper.
The regulations that apply to cryptocurrency are numerous, overlapping, evolving and, in some cases, contradictory. In the United States alone, different federal and state legal and regulatory regimes are relevant to digital assets businesses, and the positions of various regulators and legislators are continuously evolving. Because of this, many market participants have been hoping for clarity regarding which US federal agency or agencies have jurisdiction over digital assets.
For example, US federal regulators—including the Federal Reserve,2 Securities and Exchange Commission (SEC),3 Commodity Future Trading Commission (CFTC), Federal Trade Commission (FTC) and Department of Justice,4 among others—have all positioned themselves for a role in the future of regulation and enforcement relating to digital assets. The Biden administration has also weighed in recently with an executive order that sets in motion a process to produce regulatory proposals (and, perhaps, a consensus on) how Congress and financial regulators should modernize US regulation to incorporate digital assets.5
For example, under the federal securities laws, a cryptocurrency token can simultaneously be subject to the jurisdiction of the SEC (as a “security”), the CFTC (as a “commodity”) and the FTC (as a consumer-facing product). In addition, different types of transactions involving the hypothetical token may be governed by different regulators—the CFTC would have exclusive jurisdiction over token swaps, but the CFTC would share enforcement authority with the SEC for the token if it were both a commodity and a security.
Alongside the US federal regulatory landscape are different approaches to governing law and regulation at the state level. For example, states such as Wyoming and Colorado have encouraged digital assets investment in their states and passed regulations tailored to assist digital assets businesses. Most notably, Wyoming has passed laws that give decentralized autonomous organizations (DAOs) organized in the state the same legal status as limited liability companies. In addition, Colorado has announced that it plans to accept Bitcoin for payment of state taxes later this year. Other states, such as Arizona and California, have introduced legislation or proposals that would make Bitcoin legal tender in those states.
In contrast, New York requires a specific “BitLicense” for companies that want to conduct virtual currency activities in the state. The BitLicense is issued by the New York State Department of Financial Services and applies to a broad range of digital assets activities. New York’s attorney general has brought actions against digital assets businesses that operate in New York without the requisite licenses.
While these are some US-focused examples, debates about digital assets regulations and the policies that underlie them are similarly in motion around the world. The approaches and dispositions of different countries vary widely, from broad acceptance of virtual currencies as legal tender to outright bans on digital assets.
In light of these factors, the regulatory environment—and lack of regulatory clarity in key jurisdictions such as the United States —will continue to be a key concern for operators in this sector and those that look to buy into it. This will require both an understanding of the current, complicated landscape and a watchful eye on regulatory changes as they develop. If a crystal ball is not available, an experienced and thoughtful team of advisers is the next best thing.
With the massive amount of attention being given to digital assets by global companies, financial institutions, central banks and investors, it’s no surprise that deal activity and valuations have significantly accelerated. For investors and acquirers to realize the strategic and economic value of their investments in digital assets—and to prevent damaging ripple effects from missteps in diligence and deal execution—it will be important to closely examine these (and other) key subject areas of any target digital assets business.
1 Missiles, Malware and Merger Management: Why Cybersecurity and Data Privacy Matter to M&A Practitioners – Part 1: https://www.mayerbrown.com/-/media/files/news/2018/10/insight-missiles-malware-and-merger-management-why/files/pt1_spmissles-pt-1-oct-3-2018/fileattachment/pt1_spmissles-pt-1-oct-3-2018.pdf
2 US Banking Regulators Release Roadmap for Crypto-Related Activities by Banks: https://www.mayerbrown.com/en/perspectives-events/publications/2021/11/us-banking-regulators-release-roadmap-for-cryptorelated-activities-by-banks
3 SEC Examinations Division Issues Risk Alert Regarding Digital Assets: https://www.mayerbrown.com/en/perspectives-events/publications/2021/03/sec-examinations-division-issues-risk-alert-regarding-digital-assets
4 US DOJ Continues to Position Itself as Preeminent Global Enforcement Agency for Virtual Currency and Digital Assets: https://www.mayerbrown.com/en/perspectives-events/publications/2022/02/us-doj-continues-to-position-itself-as-preeminent-global-enforcement-agency-for-virtual-currency-and-digital-assets
5 Biden Executive Order Calls for Regulatory Proposals on Digital Assets and Central Bank Digital Currency: https://www.mayerbrown.com/en/perspectives-events/publications/2022/03/biden-executive-order-calls-for-regulatory-proposals-on-digital-assets-and-central-bank-digital-currency