Assessing and mitigating cyber risk in M&A

James Arthur

As part of our SPA warranties and indemnities series of articles on cyber, accounting and tax, our specialists look at assessing and mitigating cyber risk in mergers and acquisitions.

Buyers are right to be increasingly concerned about the cyber security defences of the companies they acquire. A cyber attack can severely disrupt operations, damage the reputation and value of the business and attract regulatory fines, so it is not surprising that the risk is now being taken seriously.

Two salutary tales

  • In September 2018, an American printing business suffered a ransomware attack that caused it to cease operations. Having gained access to the company's systems, the criminals demanded payment under threat of disabling the firm's computers. As a result, the company that had bought the business the previous year suddenly suffered a significant decline in value.
  • The Information Commissioner's Office (ICO) announced its intention to fine Marriott International almost £100 million under GDPR as a result of a data breach that the company said it had unknowingly ‘acquired’ along with its Starwood division. A lack of proper cyber due diligence was specifically referenced by the ICO when it announced the penalty.

How can you mitigate cyber risks when buying a company?

In the US, buyers are increasingly carrying out extensive cyber due diligence, looking for weak links in the chain. Other jurisdictions, including Europe, are catching up; cyber due diligence should be considered on every acquisition.

The strength of the warranties given by the seller in the sale and purchase agreement (SPA), in terms of what they cover and the caps and thresholds for claims, is important to consider. It is not sufficient for sellers simply to warrant that they have ‘industry standard’ or ‘industry best practice’ protections in place, because what satisfies an industry standard varies significantly depending on the nature of the business and what would be appropriate in each case.

Warranties about data breaches and cyber attacks that are qualified by reference to the seller’s knowledge may not provide adequate protection for the buyer: a breach typically goes undetected for months (one widely cited industry figure puts the average at 191 days), so the seller may honestly be unaware of an attack that has already happened. It is therefore important to know what steps the seller has taken to identify potential breaches and strengthen its cyber security posture, including the testing carried out and the ongoing controls in place.

Specialist insurance cover

A buyer could ask the seller to warrant that the target has adequate cyber insurance cover in place, but the buyer should still satisfy itself as to the level of cover obtained and any exclusions. Cyber risks are typically carved out of general warranty and indemnity (W&I) policies, so specialist cyber cover will be needed.

If cyber due diligence is undertaken, it is more likely that W&I insurers will agree to cover cyber risks in W&I policies.

Other benefits of cyber protection

Effective cyber security protections can provide wider benefits. If a business is being acquired for its intellectual property, for example, it is essential that this is protected against employee theft and commercial espionage. Additionally, demonstrable cyber security protections may count as mitigation if a breach has to be reported to a regulator.

Buyers should also be thinking about the supply chain of the business they are acquiring. Cyber security processes are moving away from considering only the traditional perimeter defences of a business towards looking more proactively at what data is shared with, and exposed through, suppliers and partners. This is particularly pertinent to online businesses.

Making cyber risk a board-level priority

Some businesses choose not to deal with, or share data with, another entity that does not have basic cyber security certification. In the UK, ‘Cyber Essentials’ is a certification based on self-assessment against five technical control areas (firewalls, secure configuration, user access control, malware protection and patch management); Cyber Essentials Plus adds independent technical verification of those controls. Other standards and frameworks go further, for example ISO 27001, which is independently audited, and the NIST Cybersecurity Framework.

Cyber attacks continue to increase rapidly. In the last 12 months, the total cost of cyber security breaches to UK mid-market businesses has reached at least £30 billion. And yet, according to our recent research, 63% of mid-size businesses in the UK still do not have a board member with specific responsibility for cyber security. Additionally, over half of the businesses surveyed (59%) do not have a cyber incident response plan in place.

Buyers need to be cognisant of cyber threats in their acquisitions and the effect these may have on value. Given that cyber attacks are a matter of ‘when’ not ‘if’ for businesses of all sizes, in all sectors, the old adage ‘buyer beware’ has never been more relevant.

Our cyber services

We provide global intelligence-led cyber risk and current threat profiling solutions, with specific, pragmatic and actionable industry best practice to improve cyber security posture and help manage security incidents. If you have any questions or would like some advice, please contact James Arthur or Vijay Rathour.

For general SPA enquiries please contact Patrick O'Brien.
