Cyber Risks Not Adequately Assessed During Acquisition Deals, Survey Finds

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

July 16 -- Despite the increasing regulatory focus on cybersecurity , a new survey concludes that the issue still is not analyzed in great detail in the mergers and acquisitions context.

In a survey of 214 global dealmakers, Freshfields Bruckhaus Deringer found that 78 percent of the respondents believe cybersecurity is not analyzed in great depth or specifically quantified during the M&A due diligence process.

Meanwhile, 87 percent of the respondents said that although cybersecurity due diligence is reviewed as part of their assessment of the target company's information technology systems, it is not handled as its own risk category.

“It's surprising that dealmakers recognize the growing threat of cyber-attacks to businesses, but generally aren't addressing that risk during deals,” Chris Forsyth, co-head of the law firm's international cybersecurity team, said in a release. “You wouldn't dream of buying a chemicals plant without assessing environmental risk, so why would you buy a data-driven business without assessing the risks it faces around data management and cyber-security?”

Risks Difficult to Quantify.

The survey results were released July 10. Of the 214 survey respondents, 50 percent were corporations, 19 percent were financial services providers, 14 percent were investors and 10 percent were legal services providers. Sixty-three percent of the respondents were based in North America, 34 percent were based in Europe and 3 percent were based elsewhere.

Fifty-seven percent of the respondents had completed a deal in the past 12 months, while 56 percent had been involved in an aborted deal in the past 12 months.

In other survey findings, 66 percent of the respondents said that cyber risks are “very difficult” to quantify given the time constraints of the acquisitions process. At the same time, 73 percent of the respondents said that due diligence questionnaires tend to focus on historic cyber breaches rather than future problems.

The survey found that only 39 percent of the respondents said they make cybersecurity policies a condition precedent to be addressed prior to completing the deal.

The survey is available at