Legal issues relating to M&A in the information security industry

In the past, users paid insufficient attention to information security, leading to the slow development of the industry. In recent years, on the one hand, policy support for the information security industry by the Ministry of Industry and Information Technology and the National Development and Reform Commission has been increasing. On the other hand, the development of the information application field has been broadening and deepening, thereby increasing the demand for information security.

The Snowden incident this year has given an increased push to the development of the information security industry. For those information security enterprises that wish to expand, or wish to improve their product lines, acquisitions or restructurings may be their best options.

In 2012, this firm assisted Venustech in completing its acquisition of LeadSec. The authors would like to share with readers the legal issues in M&A in the information security industry that are worth attention, based on our experience in that project.

For M&A and restructurings in the information security industry, in addition to general legal compliance issues, there are also some special points that are intimately connected with factors such as limitations on access by foreign investors, product and business qualifications, research and development (R&D) and business teams, intellectual property, etc.

Access for foreign investors

The extent of the openness of China’s information security industry to foreign investors differs, depending on the clients toward whom the information security information products and services are targeted. Downstream demand for information security products and services in China is mainly concentrated in a few large sectors such as government, the military, telecoms, finance and the internet at the moment. Policy barriers are relatively high in government and the military, whereas there is a greater degree of openness in finance, telecoms and the internet.

If a company mainly targets its information security products and services at the government or the military, pursuant to article 6 of the Administrative Measures for the Qualifications for the Integration of Computer Information Systems that Involve State Secrets, entities that integrate systems that involve secrets are required to be enterprises or institutions in the PRC with independent legal personality; wholly foreign-owned enterprises, Sino-foreign equity joint ventures and Sino-foreign co-operative joint ventures may not engage in the integration of systems involving secrets. In other words, only wholly Chinese-owned enterprises are allowed in this area. Under such conditions, acquisitions usually take the form of control by agreement, so as to satisfy the restrictive provisions of China on foreign investors investing in information security business involving state secrets.

Product and business qualifications

The scope of business of information security enterprises is mainly divided into two categories, information security products and information security services. The product and service qualifications of a target company represent its overall strengths, and are key points to which an investor should pay attention when contemplating M&A. The major legal issues that need to be verified include: whether the target company has secured all of the product qualification certificates and business qualification certificates required for its operations; whether its product qualification certificates and business qualification certificates are valid; for its expired product qualification certificates and business qualification certificates, whether it has carried out or is carrying out the procedures for their renewal; and whether the product qualification certificates and business qualification certificates for which the target enterprise has yet to carry out or complete the renewal procedures will have an adverse impact on its business operations.

R&D and business teams

The features of the information security industry determine that technical personnel are its most valuable asset. Accordingly, the quality of the R&D and business teams, and whether they are stable, are important factors that an investor needs to consider when contemplating M&A. The major legal issues that need to be verified include: whether the target company has executed lawful, valid and long-term employment contracts or co-operation agreements with the major members of its R&D team; whether such agreements can legally ensure the target company’s human resource strengths in terms of its R&D team; whether the target company has established an incentive mechanism for its R&D team, and whether such incentive mechanism is lawful and valid; and whether there exists any pending or potential disputes or controversies between the target company and its R&D team.

Intellectual property

The core assets of an operating entity in the information security industry manifest themselves in the form of various core technologies such as patents, trademarks, software copyrights, domain names, etc. Accordingly, in the course of carrying out M&A or restructuring, it is necessary to pay particular attention to the target company’s intellectual property (IP) issues. The most common legal issues include: whether the IP rights in the main assets – e.g. patents, trademarks, software copyrights, domain names – owned by the target company have been lawfully secured; whether the above-mentioned lawfully secured IP is co-owned, jointly used, developed in co-operation with another party, used under licence, etc., and whether the rights are restricted as the result of a pledge, placement under seal, etc.; whether the target company is involved in an IP dispute or controversy with a third party; and whether the target company has established a sound IP management system.

Paying attention to IP issues not only makes it possible to discover and guard against the potential legal risks that the target company faces, but is also intimately connected to the valuation of the target company when contemplating M&A. The quantity of IP rights owned by the target company and the degree of legal risk associated with such IP affect to a great extent its valuation.

This column cannot cover all the common issues involved in M&A in the information security industry, and different sub-industries all have specific regulations that require the attention of the investor and his or her lawyers, when formulating and carrying out the M&A/restructuring plan. Additionally, they further require the lawyers to do a comprehensive and careful investigation and study, and provide a risk warning in the course of their due diligence.

Yuan Dongmei is a partner and Lucia Young is a paralegal at Concord & Partners