Top Five Cyber Risks in Mergers & Acquisitions

Fact: no deal has ever been made worse by performing Cyber Due Diligence, a process that reveals a spectrum of cyber-related strategic deal issues, hidden costs and operational risks before investing in a business. Cyber Due Diligence provides new insights to detect “bad eggs”, reducing risk to investor capital, whilst offering deal teams a competitive edge to enhance returns.

Today every business has a cyber story that you should know early in the deal lifecycle; I’ve seen compromised customer data for established online brands, single points-of-failure in major digital ecosystems, multi-million dollar cyber investments required for industrial firms and a plethora of critical vulnerabilities. No business is immune.

Consider these numbers: less than 10% of deals globally contain Cyber Security Due Diligence today. Some deal teams do not consider Cyber material enough to look at pre-deal and think all this technical stuff is best looked at post-deal. Some mistakenly believe IT due diligence covers Cyber Due Diligence, when it does not. More worryingly, deal teams can become blinkered, having already emotionally bought into the target business and preferring not to know.

Executing deals without Cyber Due Diligence puts unnecessary risk on investment capital and future returns. Many investors and fund managers are unaware of the specific Cyber M&A risks and how these impact a broad range of business operating models, not just the high-tech and data-heavy.

Below are my top 5 Cyber risks in M&A:

General Population Risks – The global cost of cyber security is estimated at $600bn in 2017 and predicted to grow to $5.2 trillion in 5 years, according to Accenture research. By the time you read this article, 25,000 data records will have been breached and 1,000 new malware variants produced. Your existing portfolio and new investments live inside this cybercrime ecosystem and, with increasingly punitive data regulations such as 4% global turnover fines, executing deals without Cyber Due Diligence is taking unnecessary risks with investor capital.

Deal Execution Risks – buyers or sellers can further expose themselves to known and unknown cyber risks when executing deal terms. Appropriate use of warranties and indemnities can, for example, transfer the risk of cyber incidents, data regulatory non-compliance, system downtime and customer claimants. Specific pre-closing conditions and covenants can be used to mitigate critical cyber risks before capital is released.

Value Creation Risks – digital systems, ecosystems, smart technology, artificial intelligence & robotics offer exciting possibilities to create business value. But digital solutions expand the cyber-attack surface and inherently contain nebulous boundaries with multiple third-party providers. Executives need to change their thinking; digital operating models that are not adequately secured bring increased potential for business value to be destroyed in equal or greater amounts than the value created.

Carve-Out & Integration Risks – as many businesses have discovered at great cost, M&A activities are the perfect incubator for lethal cyber-attacks. Their downfall is often the result of partially integrated businesses in a complex patchwork of systems containing security blind spots and vulnerabilities. A hacker may be dormant for years only to re-awaken in a newly integrated parent business. Executives need to be highly risk-averse and assume the other side has already been compromised, then set out the carve-out or integration strategy with a clear target operating model. Protecting core business value comes first.

Future Cyber DD Risks – according to Coller Capital research, 55% of Limited Partners expect Cyber Due Diligence to be performed during pre-deal. Certainly, there is a trend where new deals have more cyber analysis than existing holdings. Deals executed in the pre-2018 vintage are very likely to have their first cyber diligence activity in the next few years, which may lead to cyber value erosion or showstoppers. A business “digital footprint” is easily visible for a period of 12-24 months; therefore, investors and deal teams should get ahead now by taking a buy-side cyber lens on their existing portfolio. Building a robust and evidenced cyber story enhances the case for a strong exit valuation.

So, what do executives and deal teams need to do to create a competitive advantage? Cyber diligence brings a significant ROI, saving deal costs and enhancing returns.

The key is addressing and managing cyber risk as a balance sheet liability:

  1. Engage early in the transaction – build a view of cyber risks and costs from the deal outset
  2. Quantify the liability – understanding your deal-specific financial exposure is critical
  3. Factor into negotiation – seek to offset risk through deal terms and valuation
  4. Mitigate the liability – remediate critical cyber activities pre-closing or during the first 100 days
  5. Transfer the liability – place latent liability into the insurance market such as Warranty & Indemnity or specific Cyber insurance

As one senior private equity professional said to us recently, “today every deal is a technology deal”. Executives that can think about Cyber in capital terms will be ready for the next stage of the journey. But that will need to wait for the next iteration of the Cyber M&A blog.

Ian McCaw
Head of Cyber M&A
Aon’s M&A and Transaction Solutions EMEA