Fundamental cyber considerations in M&A transactions

The following article was supplied by CNA Canada and originally appeared here in March, 2023.

The total value of mergers and acquisitions in the US and Canada was $1.477 trillion in 2022, which is cumulative of 20,965 transactions.[1] Although the number of transactions was down 21.2% from 2021, economists are predicting an uptick in 2023 driven by resets in valuations and lessened competition for deals. There are a number of reasons why a company would consider acquiring or merging - for example,  the ability to diversify, gain greater market share therefore removing competition, support expansion and growth or to be able to offer new products. It also may enable them to access talent and technology. 

With new technology platforms inherited from the transaction - such as digital systems, smart technology, and sometimes artificial intelligence – there is a set of cybersecurity risks as the cyberattack surface has increased. Prior to the completion of a transaction it is crucial for the acquiring company to evaluate the cyber risks of the target company through a comprehensive due diligence process so they are able to quantify and remediate these risks to avoid potential cyber breaches post-transaction; which can affect their reputation and disrupt operations. 

Cybersecurity considerations for the acquiring company prior to closing a transaction: 

• What do the technical security controls of the target entity look like? Are they as good or better than the acquiring company? Do they have security measures such as multifactor authentication, end point detection and response tools, a security information event management tool that is monitored by a security operation centre, etc?
   
• Has a comprehensive vulnerability scan been completed and have all vulnerabilities been remediated?
   
• What types of information are being inherited and are there proper security controls to protect this information? Are all privacy laws with regards to collection, use, disclosure, and retention of personal information being followed?
   
• When and how will integration of the networks happen? Which people roles of the target company will stay on post transaction? Will the chief information security officer or risk manager of the target company be around post transaction to assist with integration? 

Considerations for the cyber broker prior to a transaction closing: 

• Has the transaction been reported to the acquiring company’s cyber insurer?
   
• Does the agreement of sale outline if an extended reporting period needs to be purchased to cover past wrongful acts of the target company?
   
• How does the acquisition threshold clause read in the cyber policy? Is there a revenue threshold for reporting to the acquiring insured’s cyber policy?
   
• If the target company needs to maintain a cyber-policy – how does the waiver of control section read in the insurance policy?
   
• The broker will also need to gather information regarding the target company, such as revenue, operations and loss runs 

To effectively manage privacy and cyber risks in an M&A transaction, the acquiring and target company should consider both privacy and cyber risks throughout the transaction lifecycle – deal processes, due diligence, transaction agreement, and post-transaction activities including the above. 

To help businesses of all sizes stay prepared for any transaction type, CNA offers a market-leading suite of cyber insurance products and risk control resources. Our underwriting and risk control professionals offer tailored, industry-specific coverages and provide the tools and resources needed to help understand exposures and address potential losses. 

[1] M&A activity slumped in North America in 2022 after record 2021. S&P Global Market Intelligence. Retrieved March 1, 2023.

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Cindy Huang is an underwriting manager on the professional liability & cyber team at CNA Canada. Cindy is responsible for portfolio management and underwriting strategy to achieve growth. She is also responsible for marketing CNA’s various capabilities and educating junior staff on emerging cyber trends. Cindy has worked in the insurance industry for over eight years. Prior to joining CNA in 2018, Cindy worked at Trisura Guarantee and AIG holding various positions and various responsibilities. Cindy received a bachelor’s degree in Biomedical Science from the University of Waterloo and has earned her CIP.