Managing cybersecurity risk in mergers & acquisitions

In today’s world, many of the key assets that make a business attractive for a merger or acquisition – like intellectual property or customer information – are digital. As M&A activity returns to pre-pandemic levels, and with the potential for unforeseen events to affect the value of a deal, it makes sense to measure and manage the potential risks to important digital assets.

Christophe Forêt

An article from

Christophe Forêt
President and co-founder of C-Risk
October 4, 2023
October 4, 2023
Reading time
migrate m&a activity

Experts from C-Risk and RiskLens took part in a webinar discussion aimed at shedding light on how to avoid common pitfalls and more effectively assess controls and their effect on cyber risk. This was the second in a three-part series of webinars under the theme of calculating cyber risk in financial terms.

Jacqueline Lebo, a senior risk consultant with RiskLens LLC who specialises in cybersecurity and privacy in the healthcare sector, says evaluating security controls can be a “massive undertaking” and it’s not practical or possible to do this in a finite amount of time – such as during a due diligence process. That’s why it’s essential to focus on what’s most important.

"You can boil the ocean and understand every single risk, or you can prioritise," she says. It’s important to establish a baseline understanding of a company’s security. Some large healthcare organisations are already using Cyber Risk Quantification (CRQ) to understand their M&A activity, Jacqueline Lebo adds.

CRQ is a way to measure risk in financial terms that helps businesses to define and model controls, mapping them to cyber risk scenarios.

“Having the CRQ component to be able to compare rather than a high/medium/low critical risk, on what the potential for loss is, is really helpful in being able to make more informed decisions,” says Zack Sumney, senior risk consultant with RiskLens, a specialist in quantifying enterprise risk.

Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter, says that a quantified view of controls can help in assessing and managing the cyber risk related to M&A. It’s valuable both in pre-acquisition and post-acquisition M&A situations by avoiding an unnecessarily broad examination of the entire controls landscape in favour of focusing on key assets and risk scenarios.

Build your organization's cyber resilience with Cyber Risk Quantification

Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience.

The full 51-minute webinar is available to watch back free on the C-Risk website, where you’ll learn best practice tips for assessing security controls during M&A activity:

  • Identify what will be the most valuable assets in a post-acquisition operating model
  • Build risk scenarios around those key assets and focus on the financial impact
  • Scope scenarios properly to understand what the potential loss would be
  • Understand the acquisition strategy to see what decisions the risk assessment supports

The webinar also includes sample real-world scenarios from sectors such as healthcare and high-end luxury retail. This covered valuable tips to assess the cyber risk of an acquired company, such as:

  • During due diligence, assess if there is a lot of legacy technology and establish how that fits into the security control landscape
  • How much is the risk you are acquiring with this legacy tech?
  • Do you need to renegotiate terms or account for this?

In this article
Cyber Risk Quantification for better decision-making

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.