Aon | Professional Services Practice
M&A Transactions and Professional Service Firm Cyber Risk
Release Date: September 2025
When a professional service firm is making an acquisition or completing a major transaction, how should cyber risk be addressed? Is there a residual risk associated with the acquired firm? Can, and should, the cyber policy be extended? Is it enough to purchase an extended reporting period? How does cyber coverage apply following the acquisition?
Key Takeaways
- Cyber risk is a major concern for professional service firms and must be considered when completing M&A transactions.
- The structure of the deal will determine what coverage is needed post-close.
- Knowing the applicable cyber policy terms and conditions regarding change of control, reporting and extended reporting periods is essential for managing protection for parties through the transaction.
For the questions above, as with so many issues in cyber, the answer is “It depends”:
- on the structure of the acquisition
- on whether there are any residual liabilities to address, and
- on whether there is a remaining, non-operational, entity that will run-off leases, sell assets etc. before being dissolved.
Structure of the Transaction
The structure of the transaction and the look of surviving entities are the most important considerations in managing cyber risk throughout the transaction.
Some examples:
- People and Assets Only
Most professional services M&A transactions we experience are in this category. The deal is akin to a large lateral movement, involving most or all of the employees and partners. The “acquiring” firm is the survivor (often the name is changed to recognize the goodwill of the acquired brand) and the “acquired” firm is dissolved on completion. In some cases, the “acquired” firm will not be dissolved immediately and will be put into run-off (e.g. to dispose of assets, leases & other contractual obligations) over a period that may last for several years.
- Full Merger
In this structure both entities are dissolved and join into a new entity.
- Full Acquisition
Here the acquiring firm is the surviving entity and fully absorbs the other entity, including people, assets and liabilities.
Cyber Policy Response
If the target firm has a cyber policy, it is important to understand how the policy will respond to the transaction. Policy wordings vary among insurers, with some terminating the coverage on deal completion and others continuing coverage through expiry.
For the policies in force, the exact terms and conditions that apply to a transaction will determine what actions need to be taken to protect all parties’ interests.
What and Where is the Residual Risk?
The Target Firm
Before the completion of the deal it is essential to report to the cyber insurer any circumstances that may give rise to a claim and any claims from third parties that relate to a cyber incident. This ensures that valuable potential coverage for incidents prior to completion is not prejudiced by late notice.
If the target entity is dissolved on completion of the deal, there will be no “insured” and nobody to act on behalf of the now-dissolved entity, so the reporting of past incidents can become difficult even if the policy is technically still available for this purpose.
Most cyber policies provide an automatic “Extended Reporting Period” on expiry of the policy, typically 30-60 days, to allow for reporting of incidents or claims that come to light after the policy expires. It is usually possible, on payment of an additional premium, to increase the extended reporting period by up to 3 years.
In some cases, dissolving the target entity may take time and there will potentially be a few remaining people, assets, office leases and data systems that will require active cyber insurance during the runoff period.
In these cases, timing is important. Firstly, it is crucial to ensure that the cyber coverage does not automatically terminate on completion of the deal. This can be a challenge as there is no guarantee that the incumbent insurer will agree to waive the “Change in Control” provision; transactions may involve a material change in the risk profile and the underwriter is entitled to understand the risk post-transaction before deciding on whether to allow coverage to continue through expiry of the policy.
The residual entity may have little or no revenue, so the cyber insurer may not be willing to renew the policy on expiry. It is vitally important to know the expiry date of the target firm’s cyber policy as it may expire shortly before or after the completion date, in which case some advance planning is essential. The incumbent insurer may not be willing to renew the policy in light of the transaction, but they may be willing to waive the Change in Control provision and extend coverage for a few months to allow the insured time to find an insurer willing to provide coverage for the entity as it is being run off.
The Firm Making the Acquisition
The cyber insurance clause that grants automatic coverage for acquisitions up to a specific size (often determined as a percentage of the insured’s revenue) and whether the insured has “full prior acts” coverage are important cyber policy provisions for the acquiring firm.
If the acquisition is people and assets only, with no acquisition of liabilities, the acquiring firm may be able to roll the target into its cyber policy, subject to appropriate insurer declarations and underwriting. Depending on the size of the acquisition (and whether it includes systems assets) the insurer may underwrite the acquisition and adjust the premium accordingly. Otherwise, the acquiring firm’s coverage may apply to the expanded firm from the completion date.
The acquiring firm’s cyber insurer may ask for certain declarations and warranties around any outstanding events or claims relating to the target firm. It is vital for the acquiring firm to do appropriate due diligence to ensure that any incidents or circumstances that may give rise to a claim are reported by the target firm to their cyber insurer in accordance with the policy terms and conditions.
It is also important for the acquiring firm’s coverage to be on a Full Prior Acts basis. This ensures that if alleged prior and unknown cyber harm results in a claim against the acquiring firm, or if the firm discovers a previously unknown exploit in acquired assets, there will be no time bar to coverage.
In a full merger, where a new entity is created, or a full acquisition of the target firm’s people, assets and liabilities, there is no residual risk as the historic risk attaches to the surviving entity.
Typically, treatment of both transactions will be the same for insurance purposes. The cyber policy of one of the parties will be retained and the transaction treated as an acquisition including liabilities for insurance purposes. There is no surviving entity and therefore no residual risk. As with the “full acquisition” example above and for the same reasons, it is important to report known cyber events to insurers on both sides before completion and for the continuing coverage to be on a Full Prior Acts basis.
Timing is Everything
The timing realities of cyber incidents and the focus of cyber policies on first party as well as third party risks mean that extended reporting periods are a very different proposition to policies that exclusively address liabilities.
Cyber events tend to evolve from initial discovery, with the associated liabilities arising out of the discovery and disclosure to victims that their data has been compromised. Cyber policies are typically discovery-based, meaning that if a firm makes an acquisition and there is a hidden exploit that is only discovered months or years after, it is reported to the current cyber policy and is treated as a “new” event. The “claims made” and “Full Prior Acts” provisions ensure that the actual compromise of systems, which may have occurred prior to the transaction, will not time-bar liability claims from third parties.
If a compromise of the target firm’s systems is discovered prior to a transaction, the incident can be notified to its insurer and this “locks in” future liability claims associated with that event to that policy.
The extended reporting period will not be required for these claims because the event has been reported within the policy period and would attach to that policy.
Conclusion
Cyber events by their nature tend to be binary – they are either known or unknown.
If known, then the reporting of the incident ties any future liability claims arising to the policy that received the notice whether reported as a circumstance or an actual incident.
If unknown, for cyber policy purposes, there is no incident and, importantly, no liability claim. The “victims” are unlikely to find out they are victims until the event is discovered and reported to them.
Cyber policies typically provide a short automatic extended reporting period of 30 (sometimes 60) days at the expiry of the policy term so incidents discovered immediately prior to expiry can be reported.
This allows for reporting of known incidents and for the appropriate investigation of whether there are past incidents at the target firm that should be reported as circumstances.
Most importantly, it is essential to:
- Understand the structure of the transaction, what entities will survive and the nature of their coverage needs going forward
- Assess incumbent coverage prior to completion and understand all terms and conditions that may apply to the transaction
- Report all incidents and circumstances to incumbent insurers ahead of the completion date
- Provide disclosure to incumbent insurers to ensure that they understand the transaction prior to completion
- Negotiate with incumbent insurers to understand what they require and what coverage they will agree to provide and on what terms on completion
- Place new coverage for any run-off entity if the incumbent insurer declines to waive the change in control provision or if the policy otherwise expires prior to the run-off entity being dissolved
Contact
The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Brendan Groarke.
Brendan Groarke
Managing Director
New York
About Aon
Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.
©2025 Aon plc. All rights reserved.
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.
The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
