The total value of mergers and acquisitions in the U.S. and Canada was $1.477 trillion in 2022, which is cumulative of 20,965 transactions.[1] Although the number of transactions was down 21.2% from 2021, economists are predicting an uptick in 2023 driven by resets in valuations and lessened competition for deals. There are a number of reasons why a company would consider acquiring or merging, for example, the ability to diversify, gain greater market share therefore removing competition, support expansion and growth or to be able to offer new products. It also may enable them to access talent and technology.
With new technology platforms inherited from the transaction such as digital systems, smart technology, and sometimes artificial intelligence brings with it its own set of cybersecurity risks as the cyber-attack surface has increased. Prior to the completion of a transaction it is crucial for the acquiring company to evaluate the cyber risks of the target company through a comprehensive due diligence process so they are able to quantify and remediate these risks to avoid potential cyber breaches post-transaction; which can affect their reputation and disrupt operations.
Cybersecurity considerations for the acquiring company prior to closing a transaction:
- What do the technical security controls of the target entity look like? Are they as good or better than the acquiring company? Do they have security measures such as multifactor authentication, end point detection and response tools, a security information event management tool that is monitored by a security operation center, etc?
- Has a comprehensive vulnerability scan been completed and have all vulnerabilities been remediated?
- What types of information are being inherited and are there proper security controls to protect this information? Are all privacy laws with regards to collection, use, disclosure, and retention of personal information being followed?
- When and how will integration of the networks happen? Which people roles of the target company will stay on post transaction? Will the chief information security officer or risk manager of the target company be around post transaction to assist with integration?
Considerations for the cyber broker prior to a transaction closing:
- Has the transaction been reported to the acquiring company’s cyber insurer?
- Does the agreement of sale outline if an extended reporting period needs to be purchased to cover past wrongful acts of the target company?
- How does the acquisition threshold clause read in the cyber policy? Is there a revenue threshold for reporting to the acquiring insureds cyber policy?
- If the target company needs to maintain a cyber-policy – how does the waiver of control section read in the insurance policy?
- The broker will also need to gather information regarding the target company such as revenue, operations and loss runs
To effectively manage privacy and cyber risks in an M&A transaction, the acquiring and target company should consider both privacy and cyber risks throughout the transaction life cycle – deal processes, due diligence, transaction agreement, and post-transaction activities including the above.
To help businesses of all sizes stay prepared for any transaction type, CNA offers a market-leading suite of cyber insurance products and risk control resources. Our Underwriting and Risk Control professionals offer tailored, industry-specific coverages and provide the tools and resources needed to help understand exposures and address potential losses.
[1] M&A activity slumped in North America in 2022 after record 2021. S&P Global Market Intelligence. Retrieved March 1, 2023.
Canada (English)
United States (English)
Belgium (English)
Denmark (English)
France (English)
Germany (English)
Italy (English)
Netherlands (English)
United Kingdom (English)