As compliance software company NAVEX Global Inc. expands alongside rapidly evolving data privacy and security laws, the firm has looked to its general counsel, Shon Ramey, to help ensure that the growth goes smoothly. 

Ramey, a former Big Law attorney who has served as NAVEX’s top lawyer for more than six years, has helped the company navigate several mergers and acquisitions, the most recent of which occurred earlier this month. 

NAVEX announced Aug. 6 that it had acquired Lockpath Inc., a software company that was founded in 2010 in Overland Park, Kansas, and specializes in integrated risk management, or IRM, software solutions. 

NAVEX, which is headquartered near Portland in Lake Oswego, Oregon, pursued Lockpath after recognizing that businesses are increasingly seeking IRM solutions for a broad range of risks, according to Ramey. NAVEX did not disclose the financial terms of the deal. 

In an email exchange with Corporate Counsel, Ramey discussed how he ensured there were no nasty surprises during the Lockpath acquisition. The discussion has been edited for clarity and length.

Corporate Counsel: Describe the role you played and your responsibilities in negotiating and finalizing NAVEX’s acquisition of Lockpath.

Shon Ramey: As legal counsel, I and members of my legal team were responsible for interacting with outside counsel (both NAVEX Global’s and those of our investors, Vista Equity and BC Partners). We were also responsible for conducting due diligence and reviewing and commenting on all the documentation connected with the transaction.

CC: What were the main challenges/hurdles you faced during the transaction and how were they resolved?  

SR: All of the typical challenges: different timing expectations, deal terms, etc. All were resolved through communicating and listening to positions of both sides and arriving at mutually agreeable compromises. It’s always challenging when entering into a transaction to walk that thin line of supporting your own business objectives—which may be in conflict with the acquisition target—and understanding you’re likely going to be working closely with the newly acquired company very soon. You want them to be very motivated and excited by the transaction. I think all aspects of both sides’ deal teams were able to do this very effectively.

CC: Cybersecurity and data breach threats are often at their height when two companies are merging. How are you helping to ensure that NAVEX and Lockpath prevent any breaches during the merger?

SR: Cybersecurity issues and data breach threats are always paramount and can be increased during transactions. Thankfully both NAVEX Global and Lockpath prioritize these issues in their day-to-day operations and took that focus into this transaction. There was a comprehensive due diligence review of cybersecurity and privacy and it was very apparent our corporate philosophies are very similar and were never an issue.  

CC: What are your primary responsibilities as general counsel in ensuring that the merger goes smoothly? 

SR: As part of our acquisition process, Shane Harrison, senior vice president of corporate development, has a very defined acquisition procedure, which details an acquisition from pre-contact of a target through full integration. He’s a very big proponent of ensuring all departments which will be responsible for the post-acquisition integration are involved in the transaction. This identifies potential issues in an acquisition as the process progresses, but equally important gives ownership to all departments to ensure they are invested in the success of the acquisition. In essence, avoiding the ‘I didn’t buy it, so it’s not my problem’ kind of thinking. In line with this, I’m responsible for ensuring all legal aspects of the merger go smoothly, from contracting through vendor management. And our entire executive team, as reinforced by Shane Harrison, understands the only way to maximize the value of the acquisition is to ensure both companies are fully integrated (where appropriate) after the acquisition. In my experience, the post-acquisition process (not having planned for it or executed against the plan) is where most acquisitions either fail, or fail to realize their true potential.

CC: Describe the due diligence that NAVEX carried out ahead of the acquisition of Lockpath to determine whether Lockpath had experienced any prior data breaches or cybersecurity incidents.

SR: Our due diligence process is what you’d expect in the acquisition of a software or technology business. Distributing initial due diligence questionnaires, reviewing the responses and the associated documentation, doing outside checks (lawsuits, adverse media, etc.), and due diligence calls to review all of the information. And in this current environment, it’s not enough to simply confirm there haven’t been any prior data breaches or cybersecurity incidents. Companies need to include in their due diligence reviews of code and current practices, to ensure there are no weaknesses or potential vulnerabilities which may be exploited in the future. Obviously, we included those reviews in our process as well.

CC: As the top lawyer for an ethics and compliance software and risk management company, you must be hyper-aware of the myriad threats facing companies these days. What, in your experience, are some of the threats most overlooked by businesses?

SR: “Hyper-aware” is a great characterization. As a provider to over 14,000 customers, we are in the unique position of seeing issues across multiple business verticals. The two most overlooked threats I would call out are on opposite ends of the spectrum: people and data. I say people, not because I think they themselves pose a threat. Most are trying to do the right things, but without adequate training and understanding of the threats, they can very unwittingly put businesses at great risk. And the other end of the spectrum is data. For companies who’ve not yet undertaken the process, they need to do a very thorough data mapping exercise. Understanding what data your company receives and thoroughly understanding what is done with the data received, where it’s transmitted (internally and externally), how, why and where it’s stored and when it’s destroyed. This also applies equally well to your suppliers, vendors and partners when you transmit data to them. It’s a daunting task to be sure, but one every company needs to undertake immediately.