Why It’s Key to Conduct Cyber Due Diligence in Financial Services During Mergers and Acquisitions

October 24, 2024 | 10 min read

The Economic Importance of Conducting Cyber Due Diligence in Financial Services During Mergers and Acquisitions

A successful M&A strategy relies on due diligence across financial, legal, human capital, technology, cyber security and intellectual property risks. As cyber threats become more complex, robust cyber due diligence in private equity and acquisitions is increasingly necessary.

Key Takeaways
  1. Given the growing threat of cyber risks, the execution of cyber due diligence is a critical pre-signing step to identify known and unknown financial risks.
  2. By conducting thorough cyber due diligence, acquirers can identify vulnerabilities in advance, assess potential liabilities and develop strategies to address them post-acquisition, including likely financial risk exposure and impact.
  3. In mergers and integrations where system synergies and data are paramount, financial risks heighten. Implementing strategic risk transfer, like cyber insurance with a trusted global partner, can greatly enhance a business's resilience and recovery capabilities.

The financial services sector encompasses a broad array of industries that are integral to the functioning of the global economy. This sector includes corporate firms and institutions that provide essential financial services to both commercial and retail customers, such as banks, investment companies, insurance companies and real estate firms. These entities not only manage and facilitate the flow of capital, but also play a critical role in supporting economic stability and growth.

Financial sponsors, such as private equity firms, venture capitalists and institutional investors, are deeply intertwined with the corporate financial services sector. These sponsors rely on the infrastructure and services provided by corporate financial institutions to manage investments, execute transactions and ensure the efficient deployment of capital. As financial sponsors engage in mergers and acquisitions (M&A), their need for rigorous due diligence becomes increasingly paramount — especially in the realm of cyber security. Cyber risks pose significant threats to both the corporate financial services sector and the investment portfolios managed by financial sponsors, making cyber due diligence a critical aspect of any M&A strategy.

For every potential M&A target, it’s necessary for an acquirer to establish a minimum cyber security baseline. Every company, regardless of sector, revenue or geography, is expected to have a foundational level of cyber controls to operate at an acceptable risk level.

Given their critical role in the global economy, financial sponsors are highly scrutinized and regulated. When it comes to cyber security, these entities must set a high standard to meet regulatory requirements. Depending on operational location, industry holdings may need to comply with new regulations such as the EU's Digital Operational Resilience Act (DORA) and the updated Network and Information Systems Directive (NIS2).

Securing Business Deal Value with Cyber Due Diligence

While it’s uncommon for companies to abandon an acquisition due to identified cyber risks, investors and corporates must understand the critical red flags that require action. If no hidden dangers are found, companies should still be aware of the target’s cyber maturity to determine necessary investments for achieving acceptable cyber security levels. When risks are understood, a clearer strategy to manage them through different methods, such as transferring, mitigating or accepting, can be undertaken.

#1: Cyber-attacks or data breaches are the number one risk for organizations today. (Source: Aon’s 9th Global Risk Management Survey)

Addressing cyber risks early in the M&A process protects the investment and ensures long-term stability and success. Proactive cyber due diligence can make the difference between a seamless integration and unexpected financial losses.

Dritan Saliovski
Executive Director & Co-Head of M&A Digital Transaction Advisory Services, EMEA

Given the growing threat of cyber risks and the eroding shareholder value following a single cyber-incident, the application of cyber due diligence is a critical pre-acquisition step to securing business deal value.

Key Considerations for Cyber Due Diligence

Cyber due diligence is a proactive strategy to assess and quantify cyber risks. It includes a comprehensive assessment of the target company's cyber security posture, external tech, deep and dark web analysis, policies, standards, procedures and resilience capabilities, ultimately feeding into a financial risk quantification of a cyber security incident. By conducting thorough due diligence, acquirers of listed entities can secure up to 21 percent of shareholder value based on a single cyber security incident.1

The chances of cyber risks become even greater in mergers and acquisitions since the integration of systems and data is the order of the day.

Pulkit Saxena
M&A Cyber Associate Director AMATS, Benelux

The recent CrowdStrike outage event serves as a powerful reminder of the dynamic nature of cyber and technology resilience. This incident underscores the importance of robust business continuity and incident response protocols, as well as the need for a fit-for-purpose cyber insurance policy.

According to Aon’s 2024 Intangible versus Tangible Risks Comparison Report, the likelihood of a loss is significantly higher for intangible assets than for tangible ones, with the average probable maximum loss for intangible assets almost 43 percent higher. Despite this, insurance coverage is only in place for 17 percent of information assets compared to 60 percent for property, plant and equipment (PP&E). Moreover, 54 percent of organizations reported a material or significantly disruptive security exploit or data breach in the past 24 months. This gap in coverage highlights the critical need for comprehensive cyber due diligence and strategic risk transfer solutions to protect against the increasing threats to intangible assets like intellectual property and data.

As the report reveals, 69 percent of organizations use or intend to use AI products or services, with a growing interest in adopting AI to strengthen their security posture. This trend further emphasizes the need for investors to ensure their portfolio companies are conducting proper cyber and technology due diligence, particularly as they integrate new technologies like AI.

5 Considerations for Financial Sponsors in Cyber Due Diligence
  1. Program and System Resilience

     Assess the target company's external and internal IT infrastructure, including networks, servers and endpoints. Evaluate existing security measures, such as firewalls, encryption protocols and access controls. Identify any weaknesses or outdated systems that could be exploited by malicious actors.

  2. Data Protection and Privacy Compliance

     Investigate how the target company handles sensitive data, including customer and financial information. Ensure compliance with relevant regulations, such as GDPR, DORA and NIS2, to mitigate regulatory risks.

  3. Security Policies and Procedures

     Review the target company's cyber security policies, standards and procedures, including incident response plans, employee training programs and access control protocols. Determine the level of awareness of, and compliance with, security best practices across the organization.

  4. Third-Party Relationships

     Assess relationships with third-party vendors and service providers, as they can pose additional security concerns. Review contracts, service level agreements and security assessments performed with third parties to ensure they fall within the minimum acceptable thresholds for technology and security risk.

  5. Cyber Insurance Coverage

     Determine whether the target company has cyber insurance and assess whether the policy is adequate and aligned with the financial risk quantification performed. Understand the scope of coverage, limits and exclusions to gauge the level of financial protection in the event of a cyber incident.

8% of the IT budget is dedicated to security, as reported by finance and insurance companies in 2022. (Source: Aon’s 2023 Cyber Resilience Report)

Benefits of Cyber Due Diligence in Mergers and Acquisitions

In acquisitions, the integration of systems and data introduces significant cyber risks. An incident can compromise sensitive information, leading to financial losses, reputational damage and legal fines.

Risk Handling
Address cyber risks early to limit the potential impact on performance and reputation.

Preservation of Value
Protect the integrity and confidentiality of data and intellectual property to protect acquired asset value and customer confidence.

Enhanced Integration
Understand the target company’s cyber security posture for a smooth transition with aligned strategies and controls across the combined entity.

Investor Confidence
Be committed to cyber security due diligence to build investor and stakeholder confidence in management practices.

Regulatory Compliance
Ensure regulatory requirements are met to reduce the risk of costly fines and penalties tied to a cyber security incident.

Key Actions for Financial Sponsors

Global cyber risk regulations signal a seismic shift toward strengthening cyber resilience and enforcing accountability. Championing regulations is not just a matter of checking the boxes. By leveraging compliance as a strategic advantage, you can turn a necessity into an opportunity, especially during mergers and acquisitions.

Consider These Key Actions When Determining Deal Strategies:
  • Comprehensive and Advanced Cyber Due Diligence

    When able, perform a deep dive into the target’s governance and security capabilities, including management and stakeholders, to identify how the organization perceives and manages cyber risk. Post-signing, advanced technical assessments, such as compromise assessments, continuous vulnerability scanning and threat detection activities, may be performed.

  • Data Protection and Compliance

    Review the potential exposure to data privacy laws such as the General Data Protection Regulation (GDPR), as well as other international and U.S. state-specific regulations in the jurisdictions where the business operates.

  • Recovery Plan for the First 100 Days

    Formulate a concise list of the remediation activities identified during the cyber security review that must be carried out post-deal to safeguard the assets.

  • Engage a DFIR Provider

    Engage a Digital Forensic and Incident Response (DFIR) provider to obtain a frame agreement that allows your portfolio companies to act quickly in the event of an incident, ensuring rapid mitigation and business recovery from damage caused by cyber security threats.

  • Build a Diligence Framework

    Build a diligence framework that aligns with the minimum operating security baseline set forth by the investors, and define this as part of the diligence process.

  • Ensure Portfolio Company Diligence

    Work with portfolio companies to ensure they are conducting proper diligence for their own acquisitions. Ensure they have developed a cyber and technology diligence framework that aligns with their environment for integration, including areas such as infrastructure, licensing, people, applications and services.

While M&A work with financial sponsors shares many synergies with corporate transactions, nuances in the deal process differentiate the two. In corporate financial services, particularly on the retail side, transactions often resemble those of a corporate nature, where the focus may often be on growth through the acquisition of markets and intellectual properties.

This focus shifts the emphasis toward understanding the integration risks faced by the acquirer, including human capital considerations, technology and governance processes. Ensuring that these aspects align with the acquirer’s business strategy is critical, as any misalignment can have significant implications both internally and externally, affecting customer satisfaction and stakeholder trust.

In such cases, thorough diligence across cyber security, technology, human capital and intellectual property plays a pivotal role in identifying and mitigating risks that could disrupt business continuity or erode value post-acquisition.

Successful M&A transactions require not only financial and operational alignment, but also careful consideration of human capital risks, as these can be pivotal in the overall success of the transaction. The full understanding of the employment context, as well as the purposeful integration of people, culture, and leadership with the acquirer's strategic vision, is critical to both minimizing business disruption and ensuring long-term success.

Human capital plays a key role in the overall risk landscape, and a robust approach that combines strategic risk transfer with an understanding of workforce dynamics is key to protecting and enhancing value throughout the transaction process.

Rui Ventura
M&A Human Capital Transaction Advisory Services Executive Director, EMEA

*While many of our services do not require engagement from the target and are often performed without their knowledge, these areas may require access to people, processes and technology, including management interviews and information requests.

Aon’s Thought Leaders
  • Ian McCaw
    Head of Digital and Transaction Advisory Solutions, Europe, the Middle East and Africa
  • David Molony
    Head of Cyber Solutions, EMEA
  • Dritan Saliovski
    Executive Director & Co-Head of M&A Digital Transaction Advisory Services, EMEA
  • Pulkit Saxena
    M&A Cyber Associate Director AMATS, Benelux
  • Rui Ventura
    M&A Human Capital Transaction Advisory Services Executive Director, EMEA

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
