We saw robust deal activity in global mergers and acquisitions (“M&A”) in 2024. We continued to see strong interest in acquisitions of technology companies, including those that support high growth technologies, such as artificial intelligence (“AI”). After seeing interest rate decreases in 2024, M&A activity in the AI sector is poised to continue its strong momentum into 2025 being driven by pent-up demand and significant “dry powder” within private equity funds and strategic acquirors.
Across various industries, organizations are rapidly investing in and acquiring AI software companies to enhance value and broaden their capabilities. AI companies offer notable advantages due to their ability to scale operations swiftly with minimal capital investment, ensuring operational efficiency. However, companies leveraging AI also present distinct challenges and unprecedented risks. These risks are particularly pronounced for AI companies employing cutting-edge technology or operating in highly regulated industries, such as FinTech, RegTech, biomedical solutions, digital health devices, or autonomous vehicles. Buyers, ranging from private equity funds to strategic and tech-savvy acquirers, must not only recognize these risks but also seek the guidance of advisors experienced in acquiring companies with AI solutions (“AI Companies”) to structure transactions in a manner that mitigates risk and maximizes value.
This article will highlight five key AI-specific issues to consider when acquiring an AI company and will offer strategies to mitigate these risks. Screening for such AI-related concerns will supplement the standard considerations typical of ordinary acquisitions. As with any acquisition, buyers must thoroughly assess all aspects of the target company’s operations, encompassing employment practices, tax implications, commercial agreements, and any specific issues arising from the acquisition (e.g., regulatory scrutiny of the transaction).
1. Target company intellectual property (“IP”) rights
In the realm of AI enterprises, having clear ownership or sufficient rights to utilize all critical IP is imperative. IP forms the foundation of AI business activities. Without unequivocal ownership rights, a company faces the risk of third-party infringement assertions, which can pose existential threats to its business viability and profitability.
Buyers should first identify the essential IP assets and AI solutions fundamental to the target company’s operations. They must then ascertain whether the target holds exclusive ownership or has adequate rights to use the IP and AI solutions incorporated into its operations or offered in its products and services. This process entails verifying that any entities involved in developing the target company’s IP and AI—such as employees, contractors, service providers, or research institutions—have duly assigned and transferred all relevant rights to the target company. Buyers should meticulously scrutinize databases maintained by relevant administrative bodies, such as the Canadian Intellectual Property Office, and conduct thorough IP searches. This diligence ensures that the target company is the rightful owner of any registered IP and that there are no encumbrances from third-party interests registered against the IP.
In instances where the target company does not possess outright ownership of the underlying IP, buyers must assess the extent of ownership and the terms governing the target company’s use of the IP. This includes evaluating any associated risks relating to potential IP infringement claims that could be levied against the target company.
For AI Companies utilizing employees or independent contractors to develop their AI solutions, it becomes imperative to ensure that the company has obtained waivers of moral rights and consents from these third-party contributors. Moral rights grant creators of original works, protected under copyright laws, specific rights to their creations, independent of formal registration. In Canada, moral rights cannot be transferred or licensed; they must be explicitly waived.
Another consideration for buyers is whether the target company has incorporated open-source software into its AI solutions, which carries inherent risks. The use of open-source software can create obligations for the company to disclose, free of charge, the source code of any software or program integrating the open-source software. Given these substantial risks, prospective buyers should consider enlisting a third-party evaluator to scrutinize the target company’s AI solution source code. Such an audit helps identify any potential open-source challenges or infringements on third-party intellectual property associated with AI ventures.
2. Ownership and voting structure
During the launch and initial phases of growth, diverse investors may acquire equity in a company. However, early-stage enterprises often struggle with maintaining precise corporate records, which can pose challenges during the acquisition process. Therefore, buyers must meticulously identify the target company’s shareholders and the attendant rights they hold, which could significantly influence the acquisition. These rights might include voting privileges or dissolution rights linked to specific share classes or investors.
Emerging and rapidly expanding firms frequently employ options or warrants to motivate both internal stakeholders (e.g., employees, board members, and contractors) and external counterparts (e.g., lenders, strategic allies, and key clients) to support their growth through investment endeavors. Consequently, buyers must scrutinize the terms and vesting schedules of any options, warrants, or convertible securities (if issued) by the target company, as these factors could impact future control and ownership.
Buyers must also ensure all appropriate shareholders approve the share purchase transaction or agree to sell their shares (pursuant to the articles or shareholders’ agreement). A thorough examination of the target company’s minute books and relevant agreements, such as shareholder agreements, is imperative to comprehensively understand the company’s ownership and voting framework. Additionally, scrutinizing the chain of share ownership is vital for buyers to ascertain the identity of each shareholder and confirm their authorization to transfer shares to the buyer.
3. Data rights and use of personal information
For AI Companies, data and quantitative metrics often serve as pivotal value drivers. Prospective buyers must strive to gain a comprehensive understanding of how the target company leverages data and its corresponding data practices, with a particular focus on contractual obligations pertaining to data collection, usage, and transfer. This examination should include an assessment of the target company’s policies regarding personal information, ensuring compliance with relevant laws, including data protection and intellectual property regulations, and securing necessary consent for data transfer and utilization where applicable. Comprehensive scrutiny should extend to all privacy policies and internal data handling procedures employed by the target company. Verifying the adequacy of consents for data usage is essential to mitigating associated risks.
In scenarios where the target company’s data practices involve handling and processing personal data, buyers must identify the relevant legislation governing such activities and evaluate whether the target has established protocols that align with applicable data protection and privacy laws, as well as any existing third-party agreements. Given the potential complexities and costs associated with rectifying data misuse issues, buyers must clearly understand the target company’s data practices. Noncompliance by the target company could present significant challenges, potentially necessitating consent from relevant third parties to rectify.
In cases where the proposed transaction entails a transfer of data ownership, buyers must ensure that the target company possesses the requisite rights and consents for such transfer. Failure to secure appropriate consent could result in the target company breaching its contractual obligations and facing subsequent liability.
4. Regulatory risk and life cycle issues
During the initial phases of software development, AI Companies typically concentrate on crafting products that fulfill specific functional criteria. However, in doing so, these entities may overlook the regulatory obligations that apply to them and their clientele. This oversight can occur when a solution initially tailored for a particular industry or jurisdiction is later offered to customers operating in different regulatory environments. As regulations constantly evolve, products and services must be monitored and continually updated to reflect these changes to avoid regulatory violations.
Buyers must verify that the target company’s AI aligns with the legal and regulatory requirements applicable to all involved parties, considering both the technological aspects of the solution and the specific functions or industries it serves. Additionally, they should anticipate potential legal changes to ensure the longevity of the AI solution and prevent unforeseen regulatory breaches. Failure to meet regulatory standards could expose the target company to substantial liabilities from customers, third parties, and governmental entities.
Beyond regulatory compliance, the dynamic nature of disruptive AI solutions necessitates consideration of the life cycle of the target company’s AI solution. In conjunction with legal and financial due diligence, cyber diligence efforts should assess the scalability, functionalities, and growth potential of the AI solution slated for acquisition in the M&A transaction.
5. Cybersecurity
Ensuring data security is paramount in safeguarding an AI business’s assets and operations. A breach in data integrity can inflict severe damage on a company’s value; unauthorized access to confidential business data or sensitive customer information has the potential to cause significant financial losses and tarnish the company’s reputation, thereby impacting its credibility and revenue streams. Cybersecurity due diligence, commonly referred to as “cyber diligence,” serves as a proactive measure to mitigate the risk of future data breaches, regulatory penalties, and privacy infringement litigation.
Engaging in cyber diligence is advantageous for buyers because it allows for a comprehensive review of a target company’s cybersecurity practices, identifies potential vulnerabilities, and implements preemptive measures to address cybersecurity risks before they become threats. Furthermore, cyber diligence should meticulously evaluate the sensitivity or value of stored data and monitor any gaps in data security protocols. Engaging cybersecurity experts may be necessary to assess the adequacy of security measures and identify vulnerabilities within the system. Buyers should also scrutinize the target company’s cybersecurity incident response plan to assess its readiness to manage, mitigate, or resolve cyber threats if they arise.
6. Addressing the risks
Upon identifying issues, buyers should assess the feasibility of mitigating these risks and how they can be addressed. Depending on the severity of the issue, the target company might have the capacity to rectify concerns before the closing of the deal. Buyers may choose to address identified issues related to the AI solution through the representations and warranties outlined in the share purchase agreement.
In instances where issues cannot be resolved before closing, such as concerns surrounding the utilization of open-source software in the target company’s products or services, buyers are advised to negotiate a reduction in the purchase price to reflect the assumed risk and the anticipated cost of post-closing remedies. Additionally, buyers may consider securing a specific indemnity to address known issues or withholding a portion of the purchase price, which can be used to offset losses stemming from identified issues post-closing. The parties involved may also explore restructuring the transaction to mitigate associated risks.
Certain issues, such as significant infringement of third-party intellectual property or noncompliance with privacy laws, may not be possible to address before closing. Consequently, buyers must weigh the potential reputational risk of proceeding with the transaction without resolving such concerns.
Conclusion
The points discussed in this article are by no means an exhaustive list of all issues related to M&A where the target has developed or incorporated AI solutions; the aim is to highlight certain unique challenges inherent in the AI landscape. The identified issues should be closely monitored and thoroughly assessed during the due diligence phase of any transaction. Based on the findings, these issues may be able to be addressed in the purchase agreement. This will help protect buyers and establish a meaningful valuation for the target company, as the parties can seek to mitigate the risk through a reduction in the purchase price.
Engaging legal counsel well-versed in AI solutions and experienced in AI M&A transactions is crucial for both buyers and sellers. Such expertise ensures comprehensive protection of their respective interests throughout the transaction process.
