UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
is an external crisis affecting the transaction. This can trigger litigation on the rights and duties of purchasers and the potential application of relevant contractual rights such as Material Adverse Effect (MAE) clauses. By way of example, in 2020, WEX Inc. entered into a share purchase agreement to acquire eNett International (Jersey) Limited (eNett) and Optal Limited (Optal), two business-to-business (B2B) payments technology providers, which derived the vast majority of profits from provid- ing B2B services to customers who operated in the travel industry. As a result of the COVID-19 pandemic and its extraordinary impact on travel, WEX declared an MAE and there then followed landmark litigation proceedings – commenced by the sellers of eNett and Optal – which raised questions concerning the proper interpretation of the MAE clause. Ultimately, the case was set- tled, with WEX securing the purchase for USD1.1 billion less than the original price. The legal overlay to any crisis tends to be one that invokes existing regulatory requirements designed to respond to operational and busi- ness disruption, as opposed to legislation that specifically addresses a crisis situation. The main risk for businesses amidst a crisis is the potential to fall foul of those requirements when battling to contain and resolve an emergency situation. However, there are specific regulations that will be relevant, depending on the type of crisis. For example, in the data and cyber space, there are currently strict requirements for ensuring data protection, particularly in response to a crisis 2. National Legal Framework 2.1 Legal Framework
where the security of data may be comprised. The UK’s Information Commissioner’s Office (ICO) has led the way in acting both indepen- dently and jointly with other regulators to take enforcement action in response to data secu- rity breaches threatening data security during a crisis. This has resulted in fines of more than GBP15 million against leading corporations, such as airlines and hotel providers, for failing to have adequate security measures in place to ensure personal data security. There are also regulatory requirements applicable to the reg- ulated sectors; for example, financial services firms are subject to wide-ranging requirements on responding to operational disruption associ- ated with a crisis. 2.2 Expected Legal Updates One notable development is the FTPF offence (see 1.1 Market Comparison ), which will come into force on 1 September 2025 and will result in widespread mandatory requirements to ensure the risk of fraud is addressed (including in a cri- sis scenario). On 6 November 2024, the UK government published final guidance on what constitutes reasonable prevention procedures (the “FTPF Guidance” ), organisations can seek to base a defence to the FTPF offence on this guidance. The FTPF Guidance explains that fraud risks may increase during emergencies, and warns that failing to undertake any risk assessment for emergencies may mean that the organisation is not considered to have “reasonable fraud pre- vention measures” in place. As such, it is impor- tant for companies to identify steps that may need to be taken in risk assessments, including identifying the way to transition smoothly from emergency measures to business-as-usual once the emergency has passed.
133 CHAMBERS.COM
Powered by FlippingBook