M&A Insights

Cyber Risk Warranties in Share Purchase Agreements

Simone Nogara

August 2025 · 8 min read

Most share purchase agreements still treat cybersecurity as an afterthought — a sub-clause within general IT warranties that provides neither adequate protection for the buyer nor reasonable certainty for the seller. Cyber-specific warranties, indemnities, and related mechanisms demand dedicated treatment in modern M&A transactions.

Sophisticated buyers — particularly Private Equity firms with experience of cyber incidents in portfolio companies — now insist on dedicated cyber warranty packages. Yet drafting remains inconsistent, and both buy-side and sell-side practitioners frequently lack the technical understanding to negotiate provisions that are commercially reasonable and practically enforceable.

Standard Cyber Representations and Warranties

A comprehensive cyber warranty package should address five core areas: the target's current security posture, its compliance position, its incident history, the integrity of its data assets, and its third-party risk profile.

Security Posture Representations

The seller should warrant that the target maintains information security measures consistent with industry standards applicable to its sector and commensurate with the sensitivity of its data. This warranty should reference specific standards — such as ISO 27001, NIST CSF, or sector-specific frameworks — against which the target's controls can be objectively assessed. It should also cover specific technical domains: current and supported software versions, access controls following least-privilege principles, monitoring and detection capabilities, and tested backup and disaster recovery.

Sellers typically resist highly prescriptive technical warranties. The practical compromise: tie the warranty to the buyer's cyber due diligence findings. The seller warrants that information provided during diligence was complete and accurate, and that no material deterioration has occurred between the diligence date and closing.

Compliance Representations

The seller should warrant compliance with all applicable data protection and cybersecurity laws, including GDPR[1], national data protection legislation, and sector-specific regulations such as NIS2[2], DORA[3], or PCI DSS. Qualify for materiality — absolute compliance with every provision is unreasonable — but not so broadly as to render the warranty meaningless. Specific areas to cover: current DPIAs where required, an adequately resourced DPO, appropriate technical and organisational measures per GDPR Article 32, and valid legal mechanisms for international data transfers.

Incident History Representations

The buyer should insist on a warranty that no security incident within a defined lookback period (typically three to five years) has resulted in, or could reasonably result in, material loss, regulatory action, or notification obligations. This warranty should be supported by a disclosure schedule itemising all known incidents, regardless of whether they were considered material at the time.

The definition of “security incident” requires precision. It should encompass: unauthorised access to personal data or confidential information; ransomware or malware infections affecting production systems; social engineering resulting in financial loss or data disclosure; and regulatory investigations relating to information security or data protection.

Data Integrity Representations

The seller should warrant data asset integrity, particularly where those assets are material to business value. This includes representations that customer databases are accurate and complete, that data was collected in accordance with applicable privacy notices and consent requirements, that no data has been lost or improperly disclosed, and that valid legal bases exist for all material processing activities.

Third-Party Risk Representations

Given the prevalence of supply chain attacks, the warranty package should include representations that the target has assessed cybersecurity risk from material third-party providers, that appropriate contractual provisions are in place, and that no material third-party security incident has affected or could reasonably affect the target.

Material Breach Definitions

Standard materiality thresholds tied to fixed monetary amounts are often inadequate for cyber risk, where consequences range from trivial to existential. A more effective approach combines quantitative and qualitative criteria.

Quantitatively, a breach should be deemed material if remediation costs, regulatory penalties, and directly attributable business losses exceed a defined threshold. Qualitatively, materiality should attach if the issue creates risk of regulatory enforcement, requires notification to data subjects, results in loss of a material customer relationship, or triggers obligations under the target's cyber insurance. The qualitative criteria matter because many cyber liabilities are difficult to quantify at discovery — materiality should not depend on whether consequences have yet crystallised.

Disclosure Schedules for Cybersecurity

The disclosure schedule creates an objective record of what the buyer knew about the target's cybersecurity posture at transaction time. Buyers should request disclosures covering: all security incidents during the lookback period (including those assessed as immaterial); known unresolved vulnerabilities; pending or threatened regulatory investigations; known non-compliance instances; and third-party provider incidents affecting the target.

The completeness of the disclosure schedule should itself be warranted. If subsequent discovery reveals undisclosed incidents or vulnerabilities, this provides a clear basis for a warranty claim — incentivising thorough disclosure from the seller.

Escrow Mechanisms for Remediation Costs

Where cyber due diligence identifies specific post-closing remediation requirements, escrow mechanisms ensure funds are available and costs are properly allocated. The escrow amount should include contingency of twenty to forty percent above initial estimates — cybersecurity remediation costs routinely exceed projections due to discovered additional issues and the complexity of implementing changes in production environments.

The escrow agreement should specify release conditions, remediation timelines, and dispute resolution mechanisms. An independent cybersecurity advisor should provide periodic verification of progress. In transactions where due diligence was limited (e.g. competitive auctions with restricted access), a general-purpose cyber escrow covering issues discovered post-closing provides the buyer with protection analogous to a specific indemnity, with the certainty of available funds.

Warranty and Indemnity Insurance: Cyber Exclusions

Most W&I policies contain significant cyber risk exclusions: complete exclusion of losses from cyber incidents; exclusion of losses from data protection non-compliance; exclusion of consequential losses from cyber events; and sub-limits materially lower than the overall policy limit.

Buyers relying on W&I insurance may find themselves without meaningful recourse for the risk category most likely to generate a claim. The response is twofold. First, engage W&I insurers early and provide a comprehensive cyber due diligence report — this enables specific risk underwriting rather than blanket exclusions. Second, consider a standalone cyber insurance policy placed at closing to fill W&I gaps, covering incidents including those arising from pre-existing conditions discovered post-closing.

Practical Drafting Guidance

Be specific but not prescriptive. Address identified risk areas with specificity — incident history, compliance status, data integrity, third-party risk — without codifying specific technical requirements that may be inappropriate or become outdated. Reference recognised standards for objective benchmarks.

Align warranties with due diligence findings. Where diligence identified specific risks, address them specifically. Where diligence was limited, draft broader warranties to account for information asymmetry.

Define key terms with technical precision. “Security incident,” “personal data,” “data breach,” and “information systems” should reference applicable legal and technical standards. Ambiguity in these definitions is the primary source of warranty disputes.

Provide for post-closing cooperation. Cyber warranty claims require technical investigation. The SPA should require both parties to cooperate, including buyer access to the seller's records and personnel, and seller cooperation in regulatory investigations arising from pre-closing issues.

Consider the warranty period carefully. Standard periods of twelve to twenty-four months may be insufficient for cyber claims, where consequences of pre-closing incidents may not surface for years. GDPR enforcement limitation periods vary by member state and can extend well beyond standard warranty periods. Align cyber warranty duration with applicable regulatory limitation periods.

References

  1. Regulation (EU) 2016/679 (General Data Protection Regulation). EUR-Lex
  2. Directive (EU) 2022/2555 (NIS2 Directive). EUR-Lex
  3. Regulation (EU) 2022/2554 (Digital Operational Resilience Act — DORA). EUR-Lex