Why Cyber Risk Should be Quantified in M&A Transactions

Cyber risk presents a particular challenge for dealmakers, as cyber vulnerabilities can be inherited through transactions. The acquisition and/or integration of portfolio assets may bring exposure to cyber risk and technical debt through vulnerable legacy technology, inadequate cyber security controls, or compromised supply chains.

Traditional due diligence may not pick up on or adequately quantify these risks, which increases the likelihood of cyberattacks or cyber-related incidents causing significant losses that could destroy deal value post-acquisition. In some cases, hidden cyber vulnerabilities have led to losses for dealmakers that were greater than the value of the asset they had acquired.

What Should Dealmakers Do?

As part of the due diligence process, dealmakers should seek to quantify the potential financial impact of a cyber-attack or incident taking place at one of their portfolio assets, and reflect the outcome in their deal strategy.

Quantifying the financial impact of a cyber-attack or incident is not straightforward, but, when done well, it can provide a reasonable estimate of the categories and scale of the direct costs that may be incurred by dealmakers if the worst was to happen. Attention must be given to tangible costs such as investigative costs, fines and penalties, as well as intangible costs such as reputational damage.

This quantification can be combined with more traditional due diligence to gain a fuller and finan

Why Cyber Risk Should be Quantified in M&A Transactions