Cyber due diligence in M&A

We understand the importance of managing cyber risks to protect the value of your transactions.

Conducting a thorough due diligence investigation is a key part of any successful merger and acquisition (M&A). It is crucial to uncover any potential issues early on to protect the value of the deal. However, traditional due diligence may not adequately address cyber vulnerabilities, which can be inherited through transactions and put the new venture at risk.

While it may be impossible to gain visibility into the network prior to a deal, identifying potential vulnerabilities visible to both insurers and threat actors via external scanning will help manage risk and smooth the insurance procurement process. At Marsh, we can assist you with this through tools like Searchlight.

Cyber due diligence is essential to de-risk transactions and protect value. Cyber risks are pervasive across all sectors, with a significant number of organisations experiencing cyberattacks. To effectively manage cyber risk, buyers must carefully evaluate a target company’s potential cyber deficiencies during pre-acquisition due diligence.

Key considerations for cyber insurance due diligence:

  1. Evaluating coverage: Buyers should evaluate any existing cyber insurance coverage to assess whether it aligns with the level of risk exposure. Enlist specialists to review policies and quantify potential uninsured or underinsured losses post-transaction.
  2. Cost accuracy: Identify recurring cyber insurance costs and understand how they may change post-close. Consider one-off costs related to improving the cyber insurance programme, such as coverage enhancements or increased limits. Estimate cyber insurance costs accurately for financial modelling.
  3. Continuity and replacement coverage: Evaluate the impact of separating or combining IT systems, networks, and data. Understand how existing cyber insurance policies will respond to the transaction to promote continuity of coverage during the transition period.
  4. Claims considerations: Review the target company’s claims history to assess the quality of its cyber protocols and future insurability. Understand the extent of coverage based on the retroactive date to seek to avoid liabilities arising from prior cyber events or litigation.
  5. Sale and purchase agreement (SPA) warranties: Review SPA warranties to assess cyber risk protection. Consider continuity and replacement of cyber coverage in carve-out scenarios.

Action-planning your cyber insurance programme:

Develop a phased cyber insurance programme action plan to maximise deal value and create value through strategic and technical responses to cyber risk management. Address both completion requirements and longer-term strategies.

With a more complete understanding of the cyber risks you may be taking on, as well as an appreciation of the strategies available to mitigate them — whether as a principal or a dealmaker, a buyer or seller — you may be better able to manage your investments both pre- and post-acquisition.

For more information on how we can help you manage your cyber risk in M&A transactions, please contact your Marsh representative.