From Risk to Reward: Turning Data Breaches into Deal Value

Cyber security due diligence failure can vaporize value during strategic transactions such as M&A deals. Use of assessments helps decrease risk exposure and improve company valuation.
Key Takeaways
- Cyber security due diligence is crucial during M&A deals. Forgoing cyber security assessments can increase risk exposure, leading to target company devaluation.
- Companies that have experienced a breach can gain intimate knowledge of security gaps and how to secure their assets. Demonstrating proactive security measures can enhance the attractiveness of such companies during M&A deals.
- Companies can turn cyber risks into opportunities by identifying realized risks and documenting remediation steps to help avoid them in the future, enabling reputational resilience through preparedness.
A cyber event can be a dealbreaker, as headlines in recent years have shown. In 2017, Verizon lowered its original offer for Yahoo Inc by US$350 million in the wake of two massive cyber attacks that exposed its three billion user accounts.
Further, a US$13.6 billion deal between Marriott International and Starwood Hotels to create the world’s largest hotel operator was jeopardized after a major breach within Starwood's reservation system. The hack was a result of a four-year attack and appeared to be the second largest on record.
The fallout from such attacks goes beyond immediate financial loss. In cases of leaked customer data, trust in a company is easily lost and hard to regain.
Corporate reputation crises spanning the last four decades have destroyed more than 50 percent of value in over 12 percent of cases, as well as $1.2 trillion in shareholder value over a 40-year period. Further evidence shows that shareholders can lose an average of 26 percent of value during the year after a major reputation crisis.
What is the True Value of Reputation?
Today's risks of damaged reputation are amplified by interconnectivity, social media, and a 24/7 news cycle. But it is often the way that companies react to reputational risk events that has an even greater impact than the initial threat.
“The way leaders respond to a reputational risk event such as a cyber attack is a key indicator of leadership strength, and speaks to the value of their underlying business,” says Jason Disborough, Aon’s CEO of Multinational Clients (International). “This in turn has a very tangible effect on shareholder value and should be taken into consideration during M&A deals.”
Based on Aon research of 340 reputation events over the last 40 years, the average impact on shareholder value has been 7 percent over the post-event year, with losses equivalent to around US$830 billion. Read more about Aon’s research and practice on reputational risk analytics.
7-22%: Impact on company value following an unresolved cyber event (Source: Aon’s 2023 Cyber Resilience Report)
Turning Threats Into Opportunity
Companies can turn cyber risks into opportunities through preparation and remediation — allowing both target companies and potential acquirers to see the bigger strategic picture.
Will Shortt, Director of Cyber M&A for Aon, shares a case study of a corporate travel company that turned a cyber breach from a dealbreaker into a dealmaker. “The company experienced a phishing attack that resulted in a data breach. However, it had a robust incident response plan, which enabled the firm to quickly contain the incident and minimize the impact.”
The plan also allowed the company to capture and document the story, providing a positive discussion point when acquired. “We ran a series of customer briefings post incident to engage the corporate travel company’s customers,” Shortt explained. “They were seen as the good guys, with integrity during the entire process of assessing, mitigating, transferring, and recovering from the cyber event.”
Aon’s Cyber Loop model for sustained cyber resilience aims to quantify insights for improved future decision making. By developing relevant quantified risk scenarios and assessing control effectiveness against these loss models, businesses can quickly decide how to best allocate budget to maximize resilience.
“Building a cyber resilience strategy that centers on an understanding of managing the most material risks to shareholder value is not only good risk management; it also demonstrates robust leadership and risk governance to potential acquirers, regulators, and involved financial market participants,” says Adam Peckman, Aon’s APAC Head of Cyber Solutions.

The company was able to demonstrate to the potential buyer the proactive measures taken to improve cyber security, including multi-factor authentication and regular third-party assessments. This increased the attractiveness of the company during the M&A deal, ultimately leading to a higher valuation.
Case study 1: Caught on Camera
As part of a tier-1 cyber due diligence, Aon’s non-intrusive technical analysis discovered live camera feeds of the internal data centers, creating a physical security risk. With reputational impacts for the target company averted, Aon structured clear remediation activities and costs — and the private equity client proceeded with the deal.
Case study 2: Saving a Deal
A non-intrusive analysis by Aon’s incident response team as part of a tier-2 cyber due diligence of an online retailer revealed the customer database was the target of a cyber attack. Investigators did not find any customer data actively being sold on major dark web forums, indicating the attack was not successful. The private equity investor was happy with new risk measures and proceeded with the deal.
Cyber Due Diligence Can Be Powered by W&I Insurance
By default, cyber risk is excluded from standard Warranty and Indemnity (W&I) insurance. However, through a structured cyber due diligence process, it can be included in the W&I policy.
“While anything historical will not be covered, any unknown unknowns will be,” explains Will Shortt, Director of Cyber M&A for Aon. “Having cyber due diligence proactively included in the contract can strengthen a target entity’s sell price.”
Cyber Readiness in Action
Cyber breaches are now not a question of “if,” but “when”. However, such events can be a catalyst for improving cyber security and building resilience — adding value in the long run. Companies that have experienced a breach gain first-hand knowledge in understanding security gaps and how to take action to secure their assets. By contrast, companies that simply assume they are secure may have a gap in maturity, a misalignment on risk management.
“When you've been through the process of actually having a major cyber incident where you have engaged experts, resolved the underlying issue, and improved your cyber security, this could be seen as a positive,” says Ian McCaw, Head of Digital M&A for Aon.
“By identifying realized risks and documenting steps to avoid them in the future, target companies can build trust among customers and prove their value to potential acquirers in ways that would not have been possible prior to threats manifesting,” he adds.
M&A Cyber Security Readiness Checklist
1. Assess
Ensure a robust and documented process exists to demonstrate good risk governance to potential acquirers: Have you assessed cyber threats and determined how security controls directly impact balance sheet exposure?
2. Mitigate
Technology or cyber due diligence will be a key workstream in any M&A transaction: Have you employed security controls based on industry standards to minimize financial impact from cyber risks?
3. Transfer
Protection against financial volatility that may impact shareholder value is a critical component of M&A risk management: Have you adopted reasonable risk transfer strategies for cyber and transaction risk to safeguard the valuation?
4. Recover
Cyber events may occur during delicate stages in the M&A transaction: Have you implemented threat and security monitoring, business continuity, and incident response protocols to expedite recovery?
Regardless of the company’s breach experience, cyber security should always be a priority when preparing for M&A deals. “This will allow companies to demonstrate their proactive security measures, enabling reputation risk resilience through preparedness,” McCaw advises. “After rising from the ashes of a cyber incident, companies can navigate to increased attractiveness and a positive deal outcome.”