Global M&A activity continues to accelerate at a rapid rate in both private and public markets as the world recovers from the lows of the pandemic while analysts predict that the 2023 M&A market could represent a return to healthy volumes.
According to Aon’s Report, this accelerated M&A activity is also being characterized by complexity, with transactions including features that would have been unfamiliar to dealmakers just a few years ago, such as the prominence of ESG considerations, ferment in public markets, and digital technology becoming more central to most business models (see Cyber Risks, Climate Change & ESG – Main Challenges for Insurance Industry).
The rising influence of these factors on M&A demands new ways of thinking about value creation and risk.
“With digital so undoubtedly central to how businesses operate and drive revenue today, digital assets and capabilities will be under even greater scrutiny.” – Alistair Lester, Aon’s global co-CEO for M&A and Transaction Solutions
Buyers are now looking closely at how an acquisition target runs its IT and other processes.
Global M&A activity will slow in 2023
Big-ticket M&A activity is off to a slow start in 2023 as the regulatory environment makes executing large deals more challenging, according to S&P Global. No global deals announced in January had a transaction value that reached $10 billion.
This marked the fourth calendar month since the start of 2022 that ended without an M&A deal surpassing that threshold.
The drop in larger deal activity suggests that acquirers are growing more cautious and avoiding the risks associated with more complex deals, as well as spending more time on due diligence in response to increased regulatory oversight.
- With digital so central to how businesses operate and drive revenue today, digital assets and capabilities are under even greater scrutiny during M&A.
- As organizations navigate rapid digital evolution, deals can implode over cyber security risks.
- Cyber diligence can uncover potential additional costs, liabilities, and operational risks, bringing significant ROI, saving deal costs, and enhancing returns.
The scope of cyber cover was a hot topic for 2023, with Lloyd’s of London announcing there will no longer be coverage for some state-backed cyberattacks from March 2023 (see Cyber Insurance, Ransomware & Hybrid Warfare Outlook).
Alongside its announcement, Lloyd’s produced four new Lloyd’s Market Association (LMA) clauses for use in cyber policies, which exclude cover for losses incurred due to war and/or due to cyber operations launched during war, in retaliation by specific states, or which cause major detrimental impacts to the functioning of a state.
It remains to be seen whether 2023 is the year in which the scope of the new LMA clauses is tested, according to Cyber Insurance Trends.
In the meantime, the market will have to continue balancing the needs of the insurance market in insuring knowable risk, the needs of the commercial sector in managing the risk of cyber threats, and the mutual need to keep premiums competitive and manageable (see about M&A in the Global Insurance Industry).
5 Cyber Risks that can Potentially Threaten M&A Deals
1. Investor Risks
According to the Global Cyber Crime, Fraud & Ransomware Survey, cybercrime is being met with increasingly punitive data regulations, such as fines amounting to 4% of a company’s global turnover in Europe, up to 10% of annual turnover in Singapore and a maximum penalty of 20 years in federal prison in the US. With businesses’ existing portfolios and new investments living inside such a cyber crime ecosystem, executing deals without cyber due diligence means taking unnecessary risks with investor capital.
2. Deal Execution Risks
Buyers or sellers can further expose themselves to known and unknown cyber risks when executing deal terms. Appropriate use of warranties and indemnities can help transfer the risk of cyber incidents, data regulatory non-compliance, system downtime and customer claimants. Specific pre-closing conditions and covenants can be used to better mitigate critical cyber risks before capital is released.
3. Value Creation Risks
Digital solutions such as smart technology, artificial intelligence, and robotics offer exciting possibilities to create business value, but also expand the cyber-attack surface. These solutions inherently contain unclear boundaries with multiple third-party providers. Digital operating models that are not adequately secured bring increased potential for business value to be destroyed in equal or greater amounts than the value created.
4. Carve-Out and Integration Risks
M&A activities can be the perfect incubator for lethal cyber-attacks. A hacker may be dormant for years only to awaken in a newly integrated parent business. In fact, it can take over 200 days to detect a breach. Executives should be highly risk-averse and assume that the other side has already been compromised, then set out the carve-out or integration strategy to help protect core business value.
5. Future Cyber Due Diligence Risks
A business’s digital footprint is easily visible for a period of 12-24 months. Therefore, investors and deal teams can get ahead by applying a buy-side cyber lens to their existing portfolio. Building a robust and evidenced cyber story as part of the pre-deal due diligence process will help to enhance the case for a strong exit valuation.
Deals can Implode over Cyber Security
Today, every business has a cyber story that you should know early in the deal lifecycle. We have seen compromised customer data for established online brands, single points-of-failure in major digital ecosystems, multi-million-dollar cyber investments required for industrial firms and a plethora of critical vulnerabilities.
Aon research and analysis has found that as organizations navigate rapid digital evolution, only 17% have adequate security measures in place.
Also, while 42% of respondents said that failure to identify cyber security and technology risks in M&A targets could prevent a deal from taking place, only a quarter cited cyber security as an important focus area for due diligence.
This could be a result of insufficient knowledge and expertise in the workforce to identify and highlight potential cyber security issues.
For some deal teams, cyber is not considered material enough to look at during pre-deal, being pushed to post-deal analysis at best. Some mistakenly believe IT due diligence covers cyber due diligence.
More worryingly, deal teams can become blinkered, having already emotionally bought into the target business and preferring not to know.
No deal has ever been made worse by performing cyber due diligence, a process that reveals a spectrum of cyber-related strategic deal issues, hidden costs, and operational risks before finalizing an investment in a business.
Cyber due diligence provides new insights to detect ‘bad eggs’, thereby helping to reduce risk to investor capital, whilst offering deal teams a competitive edge to enhance returns.
How can M&A Deal Teams Create a Competitive Advantage?
So, how can executives and deal teams solve the cyber puzzle? The key is to address and manage cyber risk as a balance sheet liability from an early stage of a transaction. Cyber diligence can uncover potential additional costs, liabilities, and operational risks, bringing significant ROI, saving deal costs and enhancing returns.
- Start early in the deal: build a view of cyber risks and costs from the deal outset.
- Quantify the financial exposure: understanding your deal-specific financial exposure is critical.
- Factor into the cost model: seek to offset risk through deal terms and valuation.
- Mitigate where possible: remediate critical cyber activities pre-closing or during the first 100 days.
- Transfer residual risk: place latent liability into the insurance market, such as Warranty & Indemnity or specific cyber insurance.
While value creation opportunities in M&A transactions are abundant, so are the risks of leaving value on the table or worse, if litigation follows.
Dealmakers are listening and increasingly considering investing more in due diligence when considering a transaction. However, this process could lead to delays, and ones that last more than four months can cost parties an average of 16% of deal value.
Today every deal is a technology deal. Executives that can think about cyber risk in capital terms at the get-go will be ready for the next stage of the journey, avoiding delays in deal completion and unnecessary risk on investment capital and future returns.
Future of Global Cyber Insurance
Cyber insurance is at a decisive moment in its growth journey. Conditions are stabilising and by tackling key challenges around distribution, tail-risk and capital the market is on the cusp of transformational growth.
There are several reasons for this – the pervasive threat environment, its interactions with technology and geopolitics, the inherent unpredictability, the exciting growth potential but, above all, its relevance to clients worldwide.
Strengthened cyber resilience is paying dividends, as improved underwriting results yield positive outcomes for insurance buyers.
These dynamics continue to play out in the market. Following a major market correction off the back of surging ransomware claims (see Global Cyber Insurance Claims Report), which led to the cost of cyber cover more than doubling, conditions started to stabilise last year as activity relented and more robust risk controls deterred or mitigated attacks.
AUTHORS: Alistair Lester – Aon’s global co-CEO for M&A and Transaction Solutions, Ian McCaw – Aon’s head of Digital, M&A and Transaction Solutions, Adam Peckman – Aon’s head of Cyber Solutions for APAC