Cybersecurity due diligence on acquisitions

The Lloyd's building, in Central London

Michael Corcione explains why cybersecurity needs to be one of the priority areas for acquiring firms’ transaction due diligence and highlights the key areas for focus.

Many firms in the insurance sector look for acquisition targets to grow their organisation and support the needs of their customers and investors. Making acquisitions and conducting due diligence is not new, but new risks continually emerge, and one of the latest, and maybe most damaging risk if exposed is cybersecurity risk. We are seeing that cybersecurity risk has risen in recent years to a top-three risk concern for the executive board and senior leadership of companies around the globe.

Cybersecurity’s primary risks are theft (monetary, intellectual property, etc), data breaches, and business disruption or outages. Exposure to these risks can lead to several equally or more impactful secondary risks including reputational damage, regulatory fines and penalties, legal damages, or loss of revenue.

The cyber threat landscape is more challenging than ever. Global tensions have heightened the threats of nation-state cyber-attacks, and the capabilities of threat actors are greater than ever. The attack surface for firms increases every day with the addition of new computers, mobile devices, applications, vendors, and employees, etc. These factors are why firms must include a thorough cybersecurity assessment to their due diligence efforts for acquisitions.

Pre-acquisition

Pre-acquisition due diligence efforts should include assessing an acquisition target’s current cybersecurity maturity and cyber risks. The assessment should identify implemented controls and, most importantly, highlight any control gaps and weaknesses that may expose the acquisition target to cyber risk.

The need to fully understand and get a deeper view into an acquisition target’s cybersecurity controls, gaps, and weaknesses, has risen to a new level. Until recently, cybersecurity due diligence reviews were more of a “check the box” exercise, if conducted at all. Cyber risk is a real business risk. Acquiring firms must ask more questions, and engage the expertise of third-party cybersecurity specialist firms, where needed, to conduct a thorough and appropriate assessment of an acquisition target’s cybersecurity maturity and areas for improvement.

Post-acquisition – cyber risk remediation and monitoring

Once an acquisition is completed, remediation efforts should begin regardless of whether the firm will be integrated, held separately, or acquired for investment purposes with an exit strategy. An oversight and remediation plan must be established, implemented, and maintained. Oversight and monitoring of remediation efforts and conducting routine cyber risk assessments are crucial to the success of integrating acquired firms or avoiding surprises upon exit.

Routine cyber risk assessments and regular testing of all cybersecurity controls should be conducted to ensure they are efficient and effective. Cybersecurity is not a one-off or “check-the-box” exercise, it’s a continual process of assessing risks, threats, and testing and refining controls.

Cyber attackers and their methods are getting more complex and sophisticated. These evolving threats must be monitored, and cybersecurity controls will require continual review and enhancement.

Exiting/selling

Exiting an investment is hopefully a rewarding proposition for the selling firm and its investors. Years of hard work to improve the business and increase its institutional value will be rewarded. Of course, the next acquiring firm will conduct its due diligence, so it is critical for the selling firm to have confidence and visibility over the current state of the cybersecurity risks, and the maturity of the cybersecurity control of the firm they’re selling. Cybersecurity control weaknesses, failures to keep up with industry best practices, and cyber-attack and breach history will be discovered, and then the deal’s value will be diminished, or the deal could fall apart.

Cybersecurity risk is a business risk

Cyber attackers operate real businesses, and their industry is growing year after year with no slowdown in sight. Firms must be diligent in identifying and fully understanding a firm’s cybersecurity risks before making an acquisition. After the acquisition is completed, monitoring and remediation of cyber risks is a continual process all the way until the acquired firm is exited or fully integrated into another organisation.

Discover more about our Cybersecurity services here.

Contact our experts