Skip to main content
main content, press tab to continue
Article

Cybersecurity considerations in Merger and Acquisitions transactions: An in-depth analysis

By Olivia Lovitt , Michélle Lawson Hughes , Ellen Snow and Dave Dhillon | August 28, 2024

Specialists in the Canadian and London markets navigate the complex world of cybersecurity risks in Mergers and Acquisitions (M&A) transactions.
|Financial, Executive and Professional Risks (FINEX)|Mergers and Acquisitions
N/A

Executive summary

This article discusses the significant liabilities that can arise when acquiring a company with inadequate cybersecurity safeguards, including legal penalties and reputational damage. Regulatory bodies are increasingly vigilant, with stringent requirements that can result in heavy fines and sanctions for non-compliance. For example, Quebec’s Commission d’accès à l’information may now impose administrative monetary penalties (AMPs) of up to CAD 10 million or 2% of the company’s worldwide turnover for violations of Quebec’s Act respecting the protection of personal information in the private sector (PPIPS). Additionally, data breaches or cyber incidents occurring post-acquisition can be traced back to pre-existing vulnerabilities, leading to legal disputes and financial losses. Read the full article for more details on:

Verizon’s acquisition of Yahoo in 2017, where the deal's significant price reduction was due to Yahoo's disclosure of two massive data breaches affecting over 1 billion user accounts. This case exemplifies the financial and reputational risks associated with acquiring a company with undisclosed or poorly managed cybersecurity issues.

Costs of Upgrading Cybersecurity Systems – The substantial costs associated with ensuring the acquired company's cybersecurity infrastructure meets the acquiring company's standards.

Insurance Considerations - The importance of reviewing the target company’s cyber insurance.

Best Practices for Cybersecurity in M&A - To mitigate risks and ensure smoother integration.

Cyber M&A Considerations from a Private Equity Perspective - How private equity firms must manage cyber risk throughout the lifecycle of their investments.

Insights from the 2024 Global Cyber Risk and Directors' & Officers' Liability Survey - Key findings from the survey to enhance cybersecurity strategies in M&A transactions.

Potential liabilities in M&A

Acquiring a company with inadequate cybersecurity safeguards can expose buyers to significant liabilities, including legal penalties and reputational damage. Regulatory bodies are increasingly vigilant, with stringent requirements that can result in heavy fines and sanctions for non-compliance. For example, Quebec’s Commission d’accès à l’information may now impose administrative monetary penalties (AMPs) of up to the greater of CAD 10 million or 2% of the company’s worldwide turnover for the preceding fiscal year for violations of Quebec’s Act respecting the protection of personal information in the private sector (PPIPS).

Additionally, data breaches or cyber incidents occurring post-acquisition can be traced back to pre-existing vulnerabilities, leading to legal disputes and financial losses.

 

Case study: Yahoo and Verizon (2017)

In 2017, Verizon acquired Yahoo for $4.48 billion, a deal initially valued at $4.83 billion. The significant price reduction was due to Yahoo's disclosure of two massive data breaches that occurred in 2013 and 2014, affecting over 1 billion user accounts. The breaches exposed critical user data and led to numerous legal challenges, regulatory scrutiny, and a severe hit to Yahoo's reputation. This case exemplifies the financial and reputational risks associated with acquiring a company with undisclosed or poorly managed cybersecurity issues.

Case study: Anthem Inc. and Cigna (2015)

In 2015, Anthem Inc., one of the largest health insurers in the U.S., attempted to acquire Cigna for $54 billion. However, a massive data breach at Anthem exposed the personal information of nearly 80 million individuals. The breach raised significant concerns about data security practices within the healthcare sector and contributed to the eventual failure of the merger. The case highlights the critical importance of robust cybersecurity practices in sectors handling sensitive personal data.

Costs of upgrading cybersecurity systems

Ensuring the acquired company's cybersecurity infrastructure meets the acquiring company's standards can incur substantial costs. These expenses often include upgrading outdated systems, implementing new security protocols, and conducting employee training. Integrating the acquired company's systems with the acquirers can be complex and resource-intensive, often involving compatibility issues, secure data migration, and adherence to the latest security standards.

For instance, when integrating cybersecurity systems, companies may face unforeseen expenses such as:

  1. System overhauls: Replacing legacy systems that are incompatible with modern security protocols.
  2. New security implementations: Deploying advanced security measures such as multi-factor authentication (MFA), intrusion detection systems (IDS), secure back-up procedures and encryption technologies.
  3. Employee training: Conducting comprehensive training programs to ensure all employees are aware of new security policies and procedures.
  4. Third-party audits: Hiring external cybersecurity firms to conduct thorough audits and penetration tests to identify vulnerabilities.

Insurance

Consideration should also be given to the target company’s insurance. Review whether they have Cyber insurance in place, and if so, perform due diligence on the coverage to identify any deficiencies that may exist. Nuances like the “change in control” provision would need to be addressed should the decision be made to keep the policy in force until such time that system integration can be considered. The acquiring company should also review their own Cyber policy to ascertain whether the target company would be able to benefit from automatic inclusion under their policy by reviewing the acquisition language, and if the target company falls outside of “automatic acquisition” threshold discuss options for inclusion at closing with their broker.

Types of insurance should also be understood/identified, to ensure that there are no gaps in coverage. For example, if the acquirer were to purchase a company that has business activities that slightly differ from their own, ensuring that coverage is fit for purpose is crucial. For example, a target company with Technology services, would likely have Technology E&O coverage in place, and therefore are likely to have contractual liability agreements in place so reviewing this exposure is also needed.

Case study: Equifax data breach and its aftermath

The 2017 Equifax data breach, which exposed the personal information of 147 million people, resulted in over $1.4 billion in security upgrades and legal costs. The breach highlighted the immense costs associated with upgrading cybersecurity systems post-incident. For companies involved in M&A, similar breaches could significantly affect the transaction's financial viability and reputation.

Deal delays due to cybersecurity issues

Cybersecurity deficiencies can delay M&A transactions, impacting the overall timeline and potentially the financial terms of the deal. Delays can arise from the need to conduct thorough cybersecurity assessments, remediate identified vulnerabilities, and obtain regulatory clearances. These delays can lead to increased transaction costs, extended periods of uncertainty, and potential loss of competitive advantage.

Case study: Discovery and Time Warner (2017)

Discovery's acquisition of Time Warner faced significant delays due to cybersecurity concerns. Regulatory scrutiny and the need for comprehensive cybersecurity assessments extended the deal's timeline, leading to increased transaction costs and market uncertainty. This example underscores how cybersecurity issues can impede the progress of even high-profile M&A transactions.

Best practices for cybersecurity in M&A

To mitigate risks and ensure a smoother integration process, we recommend our clients follow these best practices:

  1. 01

    Assess past cybersecurity incidents

    • Evaluate if the target company has completed necessary system updates and due diligence.
    • Consider lingering third-party claims from past incidents in the risk assessment.
  2. 02

    Evaluate data storage practices

    • Assess if data storage systems need updates to meet current cybersecurity standards.
    • Ensure third-party data stored in the target's systems is adequately protected.
  3. 03

    Review vendor agreements

    • Verify that necessary safeguards are in place, including audit requirements, continuous monitoring, and incident response plans for vendors.
    • Ensure privacy disclaimers are clear to third-party clients.
    • Clarify data ownership and the purpose for which it is collected.
  4. 04

    Update incident response plan

    • Review and update the target's incident response plan to align with the acquiring company's standards and practices.
  5. 05

    Due diligence 7-point checklist

    1. Assess potential liabilities and costs associated with upgrading cybersecurity systems.
    2. Determine if the acquisition involves healthcare, cross-border transactions, or specific federal jurisdictions.
    3. Evaluate past cybersecurity incidents and their impact on the target company.
    4. Examine data storage practices and identify necessary updates.
    5. Review vendor agreements for adequate safeguards, monitoring, and incident response plans.
    6. Clarify data ownership, purpose, and privacy disclaimers with third-party clients.
    7. Update the target's incident response plan to meet current cybersecurity standards.

Cyber M&A considerations from a Private Equity perspective

How cyber exposure differs for PEs versus corporates

The model of private equity (PE) M&A differs from corporate M&A in several key aspects. Unlike corporate acquisitions, PE firms typically do not integrate the IT systems of their portfolio companies, thus eliminating IT integration concerns. However, this lack of integration can result in heightened cyber risk. Each portfolio company retains its own cyber risk profile, but the associated costs, liabilities, and potential reputational damage can impact the PE firm, making cybersecurity a high priority.

Each portfolio company has different levels of cyber maturity and IT postures, influenced by their specific industry. A one-size-fits-all approach to cybersecurity may not be appropriate. Instead, tailored strategies that consider the unique risks and requirements of each portfolio company are essential.

Why PE companies need to be concerned

PE companies are exposed to cyber risk throughout the entire lifecycle of their investments. Effective management of cyber risk, from initial due diligence of a target to sale preparation, can significantly impact the investment's value. Failure to address cyber vulnerabilities can lead to decreased valuation and increased liabilities.

Additionally, there is a potential increase in cyber incidents post-deal closure. Portfolio companies of PE firms might be seen as lucrative targets for cyber attackers, as these firms generally have more capital available to pay ransom demands. Thus, robust cybersecurity measures are crucial to protect these investments and mitigate risks.

Insights from the 2024 Global Cyber Risk and Directors' & Officers' Liability Survey

The 2024 Global Cyber Risk and Directors' & Officers' Liability Survey provides crucial insights that can enhance cybersecurity strategies in M&A transactions. Here’s how these findings integrate into our recommendations:

Persistent cyber threats and emerging risks

The survey reveals that cyber-attacks and data loss remain major concerns, necessitating enhanced cyber risk management strategies. This aligns with our recommendation to implement multi-layered security measures, including robust firewalls, intrusion detection systems, and endpoint protection solutions. The evolving threat landscape includes sophisticated attacks such as ransomware, phishing, and advanced persistent threats (APTs).

Compliance challenges

Increased compliance challenges due to escalating geopolitical tensions are highlighted in the survey, focusing on systems and controls, and breach of sanctions. This supports our advice on evaluating data storage practices and ensuring compliance with regulatory requirements such as GDPR, HIPAA, and the California Consumer Privacy Act (CCPA). Understanding these nuances is crucial for successful M&A, especially in cross-border transactions where different jurisdictions have varying regulatory frameworks.

Increased oversight and strategic investments

The survey notes enhanced board and CEO involvement in cyber risk oversight, indicating a trend towards more integrated governance. This underscores the importance of updating incident response plans to align with acquiring company standards and fostering a culture of security awareness across the organization. Ensuring executive buy-in and oversight can significantly enhance an organization's ability to manage and mitigate cyber risks.

Investment in cybersecurity

The survey indicates that organizations are significantly increasing their budgets for cybersecurity. This supports our recommendation to assess the costs of upgrading cybersecurity systems during M&A transactions. Key areas of investment include advanced threat detection and response solutions, employee training, and cybersecurity insurance. Companies are recognizing the need to proactively invest in cybersecurity to protect their assets and ensure smooth post-acquisition integration.

Regional dynamics and insurance insights

The survey includes insights from regions such as Africa and the Middle East, highlighting specific regional challenges. This emphasizes the need for tailored cybersecurity strategies in cross-border M&A transactions and the importance of understanding regional regulatory frameworks. Different regions present unique cybersecurity challenges and opportunities, which must be factored into the due diligence process.

Insurance strategies

The rise in the use of captives and alternative risk transfer mechanisms, as noted in the survey, reflects strategic responses to the D&O insurance market's fluctuations. This aligns with our suggestion to explore innovative insurance solutions such as cyber risk pooling and parametric insurance. These strategies provide organizations with more flexibility and control over their cybersecurity risk management.

Preparedness and education

The survey highlights the need for better education and communication on D&O insurance coverage. This reinforces our call to review vendor agreements for adequate safeguards and clarify data ownership and privacy disclaimers. Educating stakeholders about the scope and limitations of their D&O insurance coverage is essential for ensuring they are well-prepared to respond to cyber incidents.

WTW’s unique approach

WTW stands out in the M&A space due to its specialized expertise and comprehensive solutions:


Conclusion and next steps

By following best practices and incorporating comprehensive cybersecurity assessments into the M&A due diligence process, organizations can mitigate potential liabilities, control costs, and ensure smooth transactions. For further information or to discuss tailored solutions for your needs, please contact us today. Additionally, explore our resources on cybersecurity in M&A for more insights.

Authors


Associate Director Private Equity

Cyber Practice Leader - Canada

Partner, Clyde & Co Canada LLP

Senior Counsel | Clyde & Co Canada LLP

SOLUTION

Cyber Insurance and Risk Management

Speak to a team that specialises in understanding your risk landscape and consulting on appropriate cyber insurance programmes.

Contact us