NAVEX Global General Counsel Discusses M&A Due Diligence
"In this current environment it’s not enough to simply confirm there haven’t been any prior data breaches or cybersecurity incidents," said Shon Ramey, general counsel of NAVEX Global Inc.
August 12, 2019 at 01:58 PM
6 minute read
As compliance software company NAVEX Global Inc. expands alongside rapidly evolving data privacy and security laws, the firm has looked to its general counsel, Shon Ramey, to help ensure that the growth goes smoothly.
Ramey, a former Big Law attorney who has served as NAVEX’s top lawyer for more than six years, has helped the company navigate several mergers and acquisitions, the most recent of which occurred earlier this month.
NAVEX announced Aug. 6 that it had acquired Lockpath Inc., a software company that was founded in 2010 in Overland Park, Kansas, and specializes in integrated risk management, or IRM, software solutions.
NAVEX, which is headquartered near Portland in Lake Oswego, Oregon, pursued Lockpath after recognizing that businesses are increasingly seeking IRM solutions for a broad range of risks, according to Ramey. NAVEX did not disclose the financial terms of the deal.
In an email exchange with Corporate Counsel, Ramey discussed how he ensured there were no nasty surprises during the Lockpath acquisition. The discussion has been edited for clarity and length.
Corporate Counsel: Describe the role you played and your responsibilities in negotiating and finalizing NAVEX’s acquisition of Lockpath?
Shon Ramey: As legal counsel, I and members of my legal team were responsible for interacting with outside counsel (both NAVEX Global’s and those of our investors, Vista Equity and BC Partners). We were also responsible for conducting due diligence and reviewing and commenting on all the documentation connected with the transaction.
CC: What were the main challenges/hurdles you faced during the transaction and how were they resolved?
SR: All of the typical challenges: different timing expectations, deal terms, etc. All were resolved through communicating and listening to positions of both sides and arriving at mutually agreeable compromises. It’s always challenging when entering into a transaction to walk that thin line of supporting your own business objectives—which may be in conflict with the acquisition target—and understanding you’re likely going to be working closely with the newly acquired company very soon. You want them to be very motivated and excited by the transaction. I think all aspects of both sides’ deal teams were able to do this very effectively.
CC: Cybersecurity and data breach threats are often at their height when two companies are merging. How are you helping to ensure that NAVEX and Lockpath prevent any breaches during the merger?
SR: Cybersecurity issues and data breach threats are always paramount and can be increased during transactions. Thankfully both NAVEX Global and Lockpath prioritize these issues in their day-to-day operations and took that focus into this transaction. There was a comprehensive due diligence review of cybersecurity and privacy and it was very apparent our corporate philosophies are very similar and were never an issue.
CC: What are your primary responsibilities as general counsel in ensuring that the merger goes smoothly?
SR: As part of our acquisition process, Shane Harrison, senior vice president of corporate development, has a very defined acquisition procedure, which details an acquisition from pre-contact of a target through full integration. He’s a very big proponent of ensuring all departments which will be responsible for the post-acquisition integration are involved in the transaction. This identifies potential issues in an acquisition as the process progresses, but equally important gives ownership to all departments to ensure they are invested in the success of the acquisition. In essence, avoiding the ‘I didn’t buy it, so it’s not my problem’ kind of thinking. In line with this, I’m responsible for ensuring all legal aspects of the merger go smoothly, from contracting through vendor management. And our entire executive team, as reinforced by Shane Harrison, understands the only way to maximize the value of the acquisition is to ensure both companies are fully integrated (where appropriate) after the acquisition. In my experience, the post-acquisition process (not having planned for it or executed against the plan) is where most acquisitions either fail, or fail to realize their true potential.
CC: Describe the due diligence that NAVEX carried out ahead of the acquisition of Lockpath to determine whether Lockpath had experienced any prior data breaches or cybersecurity incidents?
SR: Our due diligence process is what you’d expect in the acquisition of a software or technology business. Distributing initial due diligence questionnaires, reviewing the responses and the associated documentation, doing outside checks (lawsuits, adverse media, etc.), and due diligence calls to review all of the information. And in this current environment, it’s not enough to simply confirm there haven’t been any prior data breaches or cybersecurity incidents. Companies need to include in their due diligence reviews of code and current practices, to ensure there are no weaknesses or potential vulnerabilities which may be exploited in the future. Obviously, we included those reviews in our process as well.
CC: As the top lawyer for an ethics and compliance software and risk management, you must be hyper-aware of the myriad threats facing companies these days. What, in your experience, are some of the threats most overlooked by businesses?
SR: “Hyper-aware” is a great characterization. As a provider to over 14,000 customers, we are in the unique position of seeing issues across multiple business verticals. The two most overlooked threats I would call out are on opposite ends of the spectrum: people and data. I say people, not because I think they themselves pose a threat. Most are trying to do the right things, but without adequate training and understanding of the threats, they can very unwittingly put businesses at great risk. And the other end of the spectrum is data. For companies who’ve not yet undertaken the process they need to do a very thorough data mapping exercise. Understanding what data your company receives and thoroughly understanding what is done with the data received, where it’s transmitted (internally and externally), how, why and where it’s stored and when it’s destroyed. This also applies equally well of your suppliers, vendors and partners when you transmit data to them. It’s a daunting task to be sure, but one every company needs to undertake immediately.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readUS Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
'Unlawful Release'?: Judge Grants Preliminary Injunction in NASCAR Antitrust Lawsuit
3 minute readEx-Red Robin CLO Joins Norton Rose Fulbright After Helping Sell Latest Employer for $4.9 Billion
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250