Top 5 Cyber Threats To Mergers and Acquisitions

Global mergers and acquisitions (M&A) activity continues to accelerate at a rapid rate1 in both private and public markets as the world recovers from the lows of the pandemic while analysts predict that the 2023 M&A market could represent a return to healthy volumes².

This accelerated M&A activity is also being characterized by complexity, with transactions including features that would have been unfamiliar to dealmakers just a few years ago, such as the prominence of ESG considerations, ferment in public markets, and digital technology becoming more central to most business models³.

The rising influence of these factors on M&A demands new ways of thinking about value creation and risk. “For instance, with digital so undoubtedly central to how businesses operate and drive revenue today, digital assets and capabilities will be under even greater scrutiny,” says Alistair Lester, Aon’s global co-CEO for M&A and Transaction Solutions. “Buyers are now looking closely at how an acquisition target runs its IT and other processes.”

“We can expect more scrutiny and critical challenges around deals going forward,” he adds.

Top Five Cyber Risks that can Potentially Threaten M&A Deals

1. Investor Risks: Cyber crime is seeing increasingly punitive data regulations, such as fines amounting to 4 percent of a company’s global turnover in Europe, up to 10 percent annual turnover in Singapore and a maximum penalty of 20 years in federal prison in the US. With business’ existing portfolios and new investments living inside such a cyber crime ecosystem, executing deals without cyber due diligence means taking unnecessary risks with investor capital.
2. Deal Execution Risks: Buyers or sellers can further expose themselves to known and unknown cyber risks when executing deal terms. Appropriate use of warranties and indemnities can help transfer the risk of cyber incidents, data regulatory non-compliance, system downtime and customer claimants. Specific pre-closing conditions and covenants can be used to better mitigate critical cyber risks before capital is released.
3. Value Creation Risks: Digital solutions such as smart technology, artificial intelligence, and robotics offer exciting possibilities to create business value, but also expand the cyber-attack surface. These solutions inherently contain unclear boundaries with multiple third-party providers. Digital operating models that are not adequately secured bring increased potential for business value to be destroyed in equal or greater amounts than the value created.
4. Carve-Out and Integration Risks: M&A activities can be the perfect incubator for lethal cyber-attacks. A hacker may be dormant for years only to awaken in a newly integrated parent business. In fact, it can take over 200 days to detect a breach(4). Executives should be highly risk-averse and assume that the other side has already been compromised, then set out the carve-out or integration strategy to help protect core business value.
5. Future Cyber Due Diligence Risks: A business’ digital footprint is easily visible for a period of 12-24 months(5). Therefore, investors and deal teams can get ahead by applying a buy-side cyber lens to their existing portfolio. Building a robust and evidenced cyber story as part of the pre-deal due diligence process will help to enhance the case for a strong exit valuation.

Deals can Implode over Cyber Security

“You do not only acquire a company, but also its cyber security risks,” says Ian McCaw, Aon’s head of Digital, M&A and Transaction Solutions. “Today, every business has a cyber story that you should know early in the deal lifecycle,” McCaw explains. “We have seen compromised customer data for established online brands, single points-of-failure in major digital ecosystems, multi-million-dollar cyber investments required for industrial firms and a plethora of critical vulnerabilities.”

Yet, Aon research and analysis has found that as organizations navigate rapid digital evolution, only 17 percent have adequate security measures in place. Also, while 42 percent of respondents said that failure to identify cyber security and technology risks in M&A targets could prevent a deal from taking place, only a quarter cited cyber security as an important focus area for due diligence. This could be a result of insufficient knowledge and expertise in the workforce to identify and highlight potential cyber security issues.

For some deal teams, cyber is not considered material enough to look at during pre-deal, being pushed to post-deal analysis at best. Some mistakenly believe IT due diligence covers cyber due diligence. More worryingly, deal teams can become blinkered, having already emotionally bought into the target business and preferring not to know.

“No deal has ever been made worse by performing cyber due diligence; a process that reveals a spectrum of cyber-related strategic deal issues, hidden costs, and operational risks before finalizing an investment in a business,” says Adam Peckman, Aon’s head of Cyber Solutions for APAC. “Cyber due diligence provides new insights to detect ‘bad eggs’, thereby helping to reduce risk to investor capital, whilst offering deal teams a competitive edge to enhance returns.”

How can Executives and Deal Teams Create a CompetitiveAdvantage?

So, how can executives and deal teams solve the cyber puzzle? “The key is to address and manage cyber risk as a balance sheet liability from an early stage of a transaction,” Peckman advises. “Cyber diligence can uncover potential additional costs, liabilities, and operational risks, bringing significant ROI, saving deal costs and enhancing returns.”

• Start early in the deal
  Build a view of cyber risks and costs from the deal outset
• Quantify the financial exposure
  Understand your deal-specific financial exposure is critical
• Factor into the cost model
  Seek to offset risk through deal terms and valuation
• Mitigate where possible
  Remediate critical cyber activities pre-closing or during first 100 days
• Transfer residual risk
  Place latent liability into the insurance market such as Warranty & Indemnity or specific cyber insurance

While value creation opportunities in M&A transactions are abundant, so are the risks of leaving value on the table or worse, if litigation follows. Dealmakers are listening and increasingly considering investing more in due diligence when considering a transaction. However, this process could lead to delays, and ones that last more than four months can cost parties an average of 16 percent of deal value.⁶

“Today every deal is a technology deal,” says McCaw. “Executives that can think about cyber risk in capital terms at the get-go will be ready for the next stage of the journey, avoiding delays in deal completion and unnecessary risk on investment capital and future returns.”

¹ C-Suite Series: M&A report – Better decisions for deal value
² Bloomberg Law: 2023 M&A Market May Reveal a Return to Pre-2021 Levels
³ C-Suite Series: M&A report – Better decisions for deal value
⁴ Cost of a Data Breach Report 2022 | IBM
⁵ The Cyber Loop: Managing cyber risk requires a circular strategy
⁶ TMF Group: Cross-border carve-outs 2020 – Why one third fail and how to get them right