Cyber Liability Issues in Mergers & Acquisitions


During merger and acquisition deals, data privacy, cyber security, and data breach risks are the major due diligence issues that pose risks for all stakeholders. After an acquisition is done, the discovery of security issues and breaches is too little too late, and now, too common.

In fact, half of IT decision makers found critical cyber security issues that put mergers or acquisition deals in limbo during their upfront assessments. What’s more, more than a third of acquiring companies engaged in a merger and acquisition deal said they saw a significant cyber security problem during the follow-up integration of the acquired company.

These issues represent millions of dollars in reduction in the purchase price paid by companies and major penalties wracked up in the process in order to settle charges alleged by the U.S. Securities and Exchange Commission (SEC).

Here’s a closer look at how companies and stakeholders can avoid these penalties, fines, and broken M&A deals through a better understanding of cyber liability issues and how to avoid them.

Threat Outlook and Legal Landscape

The focus on privacy and not proper security is due in part to a lack of awareness of long-tail cyber security issues at hand. Criminal hackers are turning to a broader range of techniques to monetize and exploit sensitive information during an M&A deal, and the methods used to gather that information are becoming more sophisticated and hard to detect as well as hard to protect against.

And while sensitive information is the target for hackers, it’s the goal of taking down entire networks and systems of some of the largest companies in the world that is a major driver. Regulators and investors are starting to react better to these evolving threats, like beefing up their cyber security protection measures and installing better cyber liability insurance options to have a more widespread approach. A delay by a company in discovering a data breach can result in major criticism from the public, loss of customers, and major fines.

Vendors, suppliers, and other providers of companies that are regulated are now more contractually required to follow requirements in order to keep threats and risks in M&A deals at bay. More and more frequently, contracts in M&A deals are requiring stakeholders across industries to comply with specific security requirements.

Cutting Out Risk Through Due Diligence

It’s important that an acquirer considering an acquisition fully look into and identify particular cyber security and data privacy risks and liabilities exposed by a transaction. It’s important that the company selling in a deal anticipate cyber security issues along the way as well. To help cut out risks, the due diligence portion of a deal should include the following:

  • Identifying particular kinds of privacy and cyber security risks the target company faces. This includes looking at industry sector, geographic reach, and the products they provide.
  • Understand the extent to which the company selling something gathers and utilizes personal information, such as information provided by business partners.
  • Recognize whether the acquirer will need to obtain any consents to use private and personal data of the company post-closing.
  • Assess the acquirer’s potential liability and obligations that might exist after completion of the M&A deal.

About Axis Insurance Services

Our mission is to help customers identify and prioritize their Professional Liability & Management Liability insurance needs, provide the most competitive coverage options available, and offer superior customer service. Each and every business has a distinctly unique set of products or services. We are committed to offering flexible and intelligent coverage solutions tailored to meet our customers’ needs. Put our experience and expertise to work for you. Give us a call at (201) 847-9175.

cyber security, Cyber Liability, Cyber Liability Insurance, Mergers and Acquisitions, M&A, M&A Cyber Liability

Recent Posts


See all