Partner Piece – Aon plc – Top 5 Cyber M&A Risks

February 26, 2020

Top 5 Cyber M&A Risks

By Aon plc


Fact: no deal has ever been made worse by performing cyber due diligence, a process that reveals a spectrum of cyber-related strategic deal issues, hidden costs and operational risks before investing in a business, according to Ian McCaw, Head of Cyber M&A for Aon’s M&A and Transaction Solutions team in EMEA. Cyber due diligence provides new insights to detect “bad eggs”, reducing risk to investor capital, whilst offering deal teams a competitive edge to enhance returns.

Today, every business has a cyber story that should be understood early in the deal lifecycle; McCaw has seen compromised customer data for established online brands, single points of failure in major digital ecosystems, multi-million-dollar cyber investment required for industrial firms and a plethora of critical vulnerabilities. No business is immune.

Consider these numbers, says McCaw: less than 10% of deals globally contain cyber security diligence today. Some deal teams do not consider cyber material enough to look at ‘pre-deal’ and believe that all this ‘technical stuff’ is best looked at post-deal. Some, mistakenly, believe IT due diligence covers cyber due diligence, when it does not. More worryingly, cautions McCaw, deal teams can become blinkered – already emotionally bought into the target business and preferring not to know.

Executing deals without cyber due diligence can put unnecessary risk on investment capital and future returns. Many investors and fund managers are increasingly unaware of the specific cyber M&A risks and how these impact a broad range of business operating models, not just the high-tech and data-heavy.


Below are McCaw’s top 5 cyber M&A risks:

1. General Population Risks – The global cost of cyber security was estimated at $600bn in 2017 and is predicted to grow to $5.2 trillion in 5 years, according to Accenture research. By the time you read this article, 25,000 data records will have been breached and 1,000 new malware variants produced. Your existing portfolio and new investments live inside this cybercrime ecosystem, and with increasingly punitive data regulations, such as 4% global turnover fines, executing deals without cyber due diligence is taking unnecessary risks with investor capital.

2. Deal Execution Risks – buyers or sellers can further expose themselves to known and unknown cyber risks when executing deal terms. Appropriate use of warranties and indemnities can, for example, transfer the risk of cyber incidents, data regulatory non-compliance, system downtime and customer claimants. Specific pre-closing conditions and covenants can be used to mitigate critical cyber risks before capital is released.

3. Value Creation Risks – digital systems, ecosystems, smart technology, artificial intelligence & robotics offer exciting possibilities to create business value. But digital solutions expand the cyber-attack surface and inherently contain nebulous boundaries with multiple third-party providers. Executives need to change their thinking; digital operating models that are not adequately secured bring increased potential for business value to be destroyed in equal or greater amounts than the value created.

4. Carve-Out & Integration Risks – as many businesses have discovered at great cost, M&A activities are the perfect incubator for lethal cyber-attacks. Their downfall is often the result of partially integrated businesses in a complex patchwork of systems containing security blind spots and vulnerabilities. A hacker may be dormant for years only to re-awaken in a newly integrated parent business. Executives need to be highly risk-averse and assume the other side has already been compromised, then set out the carve-out or integration strategy with a clear target operating model. Protecting core business value comes first.

5. Future Cyber DD Risks – according to Coller Capital research, 55% of Limited Partners expect cyber due diligence to be performed ‘pre-deal’. Certainly, there is a trend where new deals have more cyber analysis than existing holdings. Deals executed in the pre-2018 vintage are very likely to have their first cyber diligence activity in the next few years, which may lead to cyber value erosion or showstoppers. A business’s “digital footprint” is easily visible for a period of 12-24 months; therefore, investors and deal teams should get ahead now by taking a buy-side cyber lens on their existing portfolio. Building a robust and evidenced cyber story enhances the case for a strong exit valuation.


So, what do executives and deal teams need to do to create a competitive advantage? Cyber diligence brings a significant ROI, saving deal costs and enhancing returns. The key is addressing and managing cyber risk as a balance sheet liability:


1. Engage early in the transaction – build a view of cyber risks and costs from the deal outset

2. Quantify the liability – understanding your deal-specific financial exposure is critical

3. Factor into negotiation – seek to offset risk through deal terms and valuation

4. Mitigate the liability – remediate critical cyber activities pre-closing or during first 100 days

5. Transfer the liability – place latent liability into the insurance market such as warranty & indemnity or specific cyber insurance


As one senior private equity professional said to us recently: “today, every deal is a technology deal”. Executives that can think about cyber in capital terms will be ready for the next stage of the journey.

About Aon
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Its 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Aon’s M&A and Transaction Solutions team comprises a global team of experienced professionals, drawn from the insurance, legal, financial and investment banking industries, which focuses on helping clients secure investments and enhance returns in M&A transactions through the deal lifecycle, from entry to exit.

Supported by a unique breadth of experience, the Aon M&A team advises clients across key value areas, ranging from risk/insurance and human capital (pensions, benefits, health, talent) to cyber/data security and intellectual property, leveraging its industry expertise and insurance market insights. Aon’s advisory capabilities are complemented by the firm’s position as one of the leading brokers of transaction solutions, advising and arranging warranty & indemnity, tax and litigation/contingent insurance, as well as innovative credit/surety solutions, in M&A.

In 2019, Aon launched its C-Suite Series, in collaboration with The Financial Times, publishing thought-leadership reports on M&A (Leaving nothing on the table: unlocking off-radar value) and Cyber (Prepare for the expected: safeguarding value in the era of cyber risk).


© Copyright Aon UK Limited 2019. All rights reserved. Disclaimer: Prepared by Aon UK Limited for information purposes only. The information and statements expressed herein are of a general nature and not intended to address the circumstances of any particular person. No representation or warranty is made with respect to the accuracy, adequacy or completeness of the contents herein nor with respect to the validity of the matters referred to herein at any given date. No reliance should be placed on the contents herein and no liability is assumed for any loss incurred by any person who may seek to place such reliance.