
M&A Project

The document discusses the critical role of cybersecurity in mergers and acquisitions (M&A), highlighting the increasing prevalence of cyberattacks and the need for cyber due diligence and insurance to mitigate risks. It outlines various cyber risks associated with M&A transactions, including data privacy, software vulnerabilities, and third-party risks, and emphasizes the importance of assessing these risks during the due diligence process. Additionally, the paper examines the landscape of cybersecurity in India, noting the significant number of cyber incidents and the necessity for organizations to adopt robust cybersecurity measures.

Title: Cybersecurity Risks in M&A: The Role of Cyber Due Diligence and Insurance in Safeguarding Transactions

MERGERS AND ACQUISITION LAW

(HLAW 306)

SUBMITTED TO:

Prof. Vishal Babasaheb Ranaware

SUBMITTED BY:

Arava Sri Subbaraj Satyanarayana Murthy- 200401427009

BBA-LLB [2020-2025]

ALLIANCE SCHOOL OF LAW

ALLIANCE UNIVERSITY, BENGALURU


Abstract

Cyber attacks have become a significant threat to business mergers and acquisitions in
recent times. To mitigate this risk and ensure a smooth transition, cybersecurity due
diligence and cyber insurance play an essential role. This paper begins with the role of
cybersecurity in mergers and acquisitions. It also deals with the various types of cyber
risks to which a company is prone at the time of mergers and acquisitions. It then deals
mainly with the concept of and the need for due diligence, along with its key aspects. It
also analyses the concept of cyber insurance and its benefits during M&A transactions, and
analyses the cybersecurity landscape in India.

INTRODUCTION

With 75% of organisations experiencing at least one cyberattack, cyber resilience is now more
important than ever.1 Cybersecurity has become a crucial consideration in merger and
acquisition transactions, as cyber-attacks have a significant impact on the value of the
transaction. As businesses have become dependent on technology for daily operations, the
potential for cyber risks has grown exponentially. These cyber risks or threats not only pose
a significant threat to day-to-day functions but can also impact mergers and acquisitions in
many ways.

In recent years, the number of cyberattacks has created a noticeable shift in merger and
acquisition transactions, which has led to the emergence of cybersecurity as a primary concern
during due diligence. A 2021 report by Deloitte on the Role of Cyber Security in M&A
provides that around 53% of organizations have experienced a cyber-attack during the merger
and acquisition process, with data breaches being huge threats.2

Traditionally, merger and acquisition transactions focused only on financial, operational and
legal due diligence for identifying potential risks associated with the target company. But now,
as cyber threats have become more prevalent and sophisticated, it is certain that the traditional
approaches often overlook the impact of the risks associated with cyber threats. These
vulnerabilities in companies have far-reaching consequences, including legal liabilities, related
penalties and reputational damage. A single data breach or cyberattack can cause irreparable
damage to a company's reputation and finances. In the case of an acquisition, this can result in
a drastic shift in valuations, delayed transactions or sometimes even the collapse of the deal.
Further, post-merger integration often involves merging information, systems, databases and
networks, which can expose even the most secure companies to these cyber-attacks. Inadequate
cybersecurity practices can lead to legal disputes, including breach of contract claims or
regulatory investigations.

In response to these growing concerns, acquirers are increasingly focusing on cyber-attack
management charges during a transaction. This includes cybersecurity audits, the use of cyber
insurance policies and the integration of cybersecurity experts into the diligence process. This
rising concern about cybersecurity in acquisitions highlights the need for a comprehensive
approach to managing this risk, which includes not only due diligence but also certain post-deal
protection, cyber insurance and contractual agreements.

This paper explores the growing significance of cyber threats in mergers and acquisitions by
examining the legal and operational aspects of cybersecurity in acquisitions. It also
analyses the role of cyber insurance pollution of their practices and recreation that effectively
manage this emerging risk.

1 The State of Cyber Resilience report, by Marsh and Microsoft.

2 Role of Cyber Security in M&A - Deloitte Secure Now Agile Next.

Research Objective

1. To identify cyber risks and the impact of cybersecurity in mergers and
acquisitions.
2. To analyse the need for and importance of cyber due diligence in mergers and
acquisitions.
3. To examine the role of cyber insurance in financial safeguarding during mergers and
acquisitions.

Research Questions

1. What are the key cyber risks in mergers and acquisitions, and how do cybersecurity
issues impact the success and valuation of these transactions?
2. Why is cyber due diligence essential in mergers and acquisitions, and what role does it
play in identifying and mitigating cybersecurity risks?
3. How does cyber insurance contribute to financial safeguarding in mergers and
acquisitions, and what benefits does it provide during the transaction process?

Research Problem.

In the current digital era, cybersecurity has become a crucial factor in the success of mergers
and acquisitions. Despite the increased number of cyber threats, which lead to financial loss,
reputational harm, deal undervaluation and so on, companies have remained unprepared to
address this risk. This creates an immediate need for cyber due diligence and cyber insurance,
which help in mitigating these cyber risks and financial losses. This study investigates the
impact of cybersecurity in M&A by exploring the need for cyber due diligence and assessing
the role of cyber insurance.

Chapter 1: Cyber Security Risks in Mergers and Acquisition

As companies combine systems, networks, and data, cybersecurity risks can escalate,
potentially threatening business operations, financial assets, and reputation. These cyber risks
usually take the following forms:

1. Data Privacy and Integration Risks
During mergers and acquisitions, the integration of data systems makes the organizations
prone to cyber attacks. The target company's sensitive information is frequently accessed
by the acquiring company during the due diligence process. Customer information,
proprietary company information and intellectual property information are the types of
data at risk of cyber attack. Such a huge volume of data is a target for cyber-attacks,
and any lack of proper protection leaves it prone to these attacks, leading to a huge
data breach.
2. Software Vulnerabilities
Many companies operate on older or outdated software or data systems, which are highly
vulnerable to cyber attacks. This outdated technology may be passed down to the
acquiring company, which might end up incapable of protecting the companies from cyber
attacks. Cyber criminals usually take advantage of the flaws in these outdated systems
and open a network access point into the combined company, risking ransomware or data
breaches.
3. Third Party Risks
Companies often rely on third-party vendors or service providers to manage critical
systems such as data storage and cloud infrastructure. During mergers and acquisitions,
the cybersecurity of the target company's third-party vendors must also be assessed, as
these vendors may create a path for cyber criminals to gain unauthorized access to the
company's digital systems.

These cybersecurity risks hugely impact companies during merger and acquisition
transactions. Cyberattacks can also occur through operational lapses that take place during
integration. These risks can be mitigated by identifying them, and a proactive cybersecurity
strategy helps in mitigating cybersecurity incidents.

Chapter 2: The Need for Cyber Security Due Diligence in Mergers and Acquisitions

As discussed, due diligence in the past focused primarily on the financial, operational and
legal aspects of the target company. But with cyber threats becoming more sophisticated day by
day, these traditional aspects are prone to potential risks arising out of cybersecurity
vulnerabilities. Cyber risks include data breaches, intellectual property theft and system
outages, which directly or indirectly lead to financial loss, legal liabilities, and
reputational damage.

Due diligence in cybersecurity refers to the process of conducting a thorough assessment of
the security measures and practices of an organization or third party before entering into an
agreement or business relationship. It involves evaluating the cybersecurity policies,
procedures and mechanisms of the company to identify potential risks. Cybersecurity due
diligence gives a buyer a better understanding of the cybersecurity capability of the company
to be acquired, as well as any risks the acquisition might incur. It is significantly important
in mergers and acquisitions as it helps in identifying issues that may require renegotiating
a deal.

The primary goal of cyber due diligence is to identify and assess the cybersecurity status
of the target company. It involves activities like evaluating the target company's current
security measures, policies and procedures, along with the company's historical
cybersecurity incidents. This helps the acquirer in identifying the potential risks.

It allows the acquirers to protect both companies' information systems and avoid
cross-contamination between them after Day One, by identifying and anticipating the measures
to be implemented. When separate systems of a transaction are interconnected, the new system
resulting from this combination is often exposed to the "weaknesses" of the system with the
weakest level of cybersecurity. Companies are particularly exposed to cybersecurity risks
during M&A transactions.

It also helps the acquirers in the protection of sensitive data from data breaches and
theft. In the current scenario, the emergence of data breaches and cyber attacks poses
a significant risk to the organization, so a full-scale, robust approach to security helps
prevent unauthorised access to sensitive information, particularly for businesses handling
personal data, financial details or any proprietary technology.

In terms of risk management, the companies can identify the potential weaknesses in their
systems, which allows the acquirers to proactively address these vulnerabilities.
Cybersecurity incidents usually affect the reputation of companies, for example through the
leak of personal data. This cybersecurity due diligence allows the acquirer to avoid this
risk and preserve the brand value.

It enables the acquirers to evaluate the target company's regulatory compliance. Businesses
are required to comply with data protection laws such as the Digital Personal Data Protection
Act, 2023 (DPDP), the California Consumer Privacy Act in the US, or the General Data
Protection Regulation (GDPR) in the EU, which place strict requirements on how personal data
must be handled, stored, and transferred.

Another aspect of cybersecurity due diligence is third-party and vendor risk management,
as the supply chain risk from third-party vendors and partners poses a significant threat
to the security posture of the target company. Assessing it helps in avoiding threats
arising out of the merger and acquisition transaction.

Cybersecurity due diligence also allows acquirers to assess the target company's ability
to respond to and recover from cyber threats or attacks, and to ensure that the target
company can recover from cyber incidents and reduce downtime.

Considering all the aspects of cybersecurity due diligence discussed above, acquirers should
develop a comprehensive cybersecurity framework specifically tailored to these activities. This
framework should include guidelines for pre-merger due diligence and post-merger integration,
and enable monitoring and risk assessment. It is also essential for companies to conduct a
cybersecurity audit and identify their vulnerabilities, followed by adopting a cybersecurity
integration plan, setting security benchmarks, determining the timeline for integration, and
appointing a team responsible for monitoring any risks that arise during integration.

Chapter 3: Role of Cyber Insurance

Cyber risk insurance helps business establishments manage the risks associated with
cyber-attacks. It is a special insurance product that covers liabilities related to information
technology infrastructure and activities that are normally not covered by other insurance
products.3 It is an insurance policy which covers cyber risks like data breaches, system
failures, etc., which result in monetary loss to the company. Here, the company gains the
ability to transfer some of the financial burden to the insurance provider, just as with any
insurance policy. This helps businesses in mitigating the impact caused by cyber-attacks. By
providing this support and financial protection during a cyber incident, cyber insurance is able
to enhance the security and success of these complex transactions. The cybersecurity insurance
process works in a similar way to other forms of insurance. Policies are sold by many suppliers
that provide other forms of business insurance, such as errors and omissions insurance,
liability insurance, and property insurance.

Cyber insurance coverage varies according to what the business needs, such as the types of
data and the business's industry. These policies usually include first-party coverage, which
refers to losses that directly impact an enterprise, and third-party coverage, which refers to
losses incurred due to a business relationship with an affected organization. Although policies
may vary by provider and plan, the main areas that cyber insurance covers include:

• Customer notifications: After a data breach incident, it is essential for companies to
notify customers of the breach, especially where personally identifiable information is
involved. As this notification bears huge costs, cyber insurance covers the cost of this
process.
• Recovering personal identities: Customer personal identity is crucial data that a
company holds, and it is important to recover that data at any cost. Cyber insurance helps
companies by bearing the cost incurred in restoring the personal information of affected
customers.
• Data breaches: As discussed, data breaches are one of the higher threats in cybersecurity
and come with higher financial loss to the company. Cyber insurance helps such companies
by transferring that financial burden.
• Cyber liability insurance policy: This policy enables a business that is liable, because of
its fault, to pay for the recovery of data that has been compromised by an attack. These
types of policies are more prevalent in mergers and acquisitions.
• Ransomware attacks: Here, cyber attackers use malware to lock or encrypt a victim's
files and systems, and then demand a ransom from their victims to unlock or retrieve the
compromised data. Cyber insurance covers the cost of these extortion demands.
• Attack remediation: A cyber insurance policy aids a victim company with the legal costs
it bears for violating data privacy laws and regulations, and also bears the expenses of
the professionals hired to remediate the attack and recover the compromised data.
• It also covers liability for costs incurred by business partners.

3 Cyber Risk Insurance Policy to cover financial liabilities arising from cyber incidents, by Mohan Das Viswam.

These are the different types of coverage that cyber insurance policies offer, but not all cyber
insurance provides all of them. Insurance policies vary from company to company and
place to place. There are also certain factors that insurance policies often exclude because
they were preventable, such as:

• A lack of proper security processes that resulted in huge financial losses which the
company could have avoided with an effective security procedure.
• Any kind of cyberattack caused by an insider or by human error on the part of the
company's employees.
• Any cyber attack occurring due to the company's failure to address previously known
vulnerabilities that are highly prone to cyber-attacks.

By providing financial protection against potential cyber risk, cyber insurance helps the
acquirer bear the costs related to data breaches, ransomware attacks and other expenses arising
out of these cyber-attacks by transferring a portion of the financial risk to the insurer. In this
way, cyber insurance supports merger and acquisition transactions by providing financial
safeguards.

Chapter 4: Indian Scenario on Cybersecurity in Mergers and Acquisitions

In an era dominated by digital advancements and technological reliance, cybersecurity has
become increasingly crucial for nations across the globe. For India, a nation with a rapidly
growing digital footprint, the question of cybersecurity readiness takes centre stage. The recent
study by the IT and cybersecurity company Cloudflare named "Securing the Future: Asia
Pacific Cybersecurity Readiness Survey" revealed that 83% of Indian organizations experienced
at least one cybersecurity incident, spanning web attacks, phishing and supply chain attacks,
in the past few years. In 2023, the country experienced over 79 million cyberattacks, ranking
it third globally in terms of the number of such incidents. This marked a 15% increase from the
previous year.4 And in the first four months of 2024, India-based companies lost more than
Rs. 1750 crore to cyber criminals.

With India's growing digital prowess and continued business reliance on technology, it is
critical for organisations to foster a security culture that empowers their leaders to approach
cybersecurity as a strategic business imperative.5 According to the CISCO Cybersecurity
Readiness Index, as of 2022, a mere 24 percent of firms and organizations in India have the
necessary resources and capabilities to effectively address their cybersecurity issues.
Meanwhile, more than 30 percent were still in the first stage of preparedness.

4 Incidents of cyberattacks on India may reach 17 trillion by 2047: Study

5 The Big Challenge Of Cybersecurity: How Indian Companies Are Facing Rising Threat Amid Relentless Attacks

6 Securing India's Digital Future: Cybersecurity Urgency and Opportunities

It can be said that there has been a considerable disregard for cybersecurity in India, resulting
in obstacles towards fulfilling the growing needs of the nation. The increasing reliance on
digital technologies, along with the constantly changing threat environment, presents unique
challenges for organizations in their efforts to protect sensitive information and maintain the
confidence of their consumers. The growing complexity of cyber assaults presents a significant
obstacle. With the fast progression of digital transformation in India, the rapid adoption of
technology has led to a significant digital footprint and weaknesses in its technical
infrastructure, which have made it prone to cyberattacks.

Regulatory Body and Key legislation.

In the Indian M&A landscape, cybersecurity regulation is governed by a combination of general
data protection laws and specific cybersecurity guidelines. The regulatory framework is aimed
at ensuring that both parties in an acquisition maintain strong data security and compliance.

1. Indian Computer Emergency Response Team (CERT-In)
The Indian Computer Emergency Response Team (CERT-In) serves as the national
agency for performing various functions in the area of cyber security in the country as
per the provisions of section 70B of the Information Technology Act, 2000. CERT-In
continuously analyses cyber threats and handles cyber incidents tracked and reported
to it.7 In the context of M&A, CERT-In's guidelines are critical for ensuring that the
merging entities comply with national security standards.
CERT-In provides for timely mandatory reporting of cybersecurity incidents.
Companies undergoing mergers or acquisitions are required to report any cyber
incidents that could affect data integrity or confidentiality. For acquiring companies, it
is crucial because undisclosed breaches in a target company can lead to legal
consequences and financial losses post-acquisition.
CERT-In regularly issues advisories to organisations and users to enable them to protect
their data/information and ICT infrastructure.8 During an M&A, such assessments help
acquirers identify potential vulnerabilities and cybersecurity risks in the target
company, shaping their due diligence and risk management strategies.

7 CERT-In issues directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet

8 Supra 7

2. Information Technology Act, 2000 (IT Act) and IT (Amendment) Act, 2008
The IT Act is India’s primary legislation addressing cybercrime and electronic
commerce. It includes provisions that criminalize unauthorized access, hacking, and
cyber fraud. The IT Act also empowers CERT-In and defines legal recourse for cyber
incidents.
Section 43A: Under Section 43A, companies dealing with sensitive personal data are
required to implement "reasonable security practices" to protect such data. This section
is especially important to M&A transactions involving the transfer of sensitive data,
including financial records, customer information, and intellectual property. Any violation
of these principles by the target firm may affect the deal's value or call for corrective
action, which is the acquirer's responsibility.9
Amendment Act of 2008: The 2008 amendment expanded the IT Act's scope by
introducing provisions for data protection and establishing punishments for identity
theft and data breaches. It also empowers the government to mandate encryption and
data retention standards, impacting how companies in an M&A transaction handle data
migration and storage during integration.
3. Companies Act, 2013
The Companies Act emphasizes the role of company directors in managing operational
risks, including cybersecurity. It mandates that the board of directors maintain oversight
over risk management, with cyber risk increasingly recognized as a key component.
This accountability framework impacts M&A, as acquiring companies need to ensure
that the target’s directors have adhered to risk management practices, including
cybersecurity.
Under the Companies Act, directors are responsible for ensuring that cybersecurity is
part of their corporate governance practices. Acquirers should review the board’s
commitment to cybersecurity and whether adequate policies were in place, as
deficiencies could reflect poorly on the target’s governance and affect its valuation.
The Companies Act mandates companies to disclose significant risks, including cyber
risks, to shareholders and regulators. This is crucial in M&A transactions, where
undisclosed cyber vulnerabilities or past breaches may impact shareholder value and
influence the deal structure or valuation.

9 Information Technology Act, 2000

4. Digital Personal Data Protection Act, 2023
The DPDP Act was released in November 2022 by the MeitY, aiming to implement a
robust regime for data privacy. The Act has been passed by the Parliament, and the
implementation and roll-out of the Act are expected soon.
The Act provides for the processing of digital personal data in a manner that
recognizes both the right of individuals to protect their personal data and the need to
process such personal data for lawful purposes and for matters connected therewith or
incidental thereto.
The Data Protection Board (DPB) is the enforcement authority under the DPDP Act,
which shall function as an independent body to govern non-compliance with the Act's
provisions.10
The DPDP Act also provides for data privacy considerations throughout a merger and
acquisition transaction, such as in cyber due diligence, initial risk assessments, etc.

10 Guide to India's Digital Personal Data Protection Act, 2023 (DPDP Act) by Safna

Suggestions and Recommendations

1. Strengthen Cybersecurity Due Diligence Processes
It is important for acquirers to integrate a robust cybersecurity due diligence
framework into their pre-merger assessments, which should include conducting
detailed audits of the target company's cybersecurity measures, prior incidents, and
potential vulnerabilities involving both internal and third-party systems. Acquirers
should also review past cybersecurity incidents to gauge the target's responsiveness
and resilience to cyber threats. This analysis helps acquirers understand potential
risks that may impact post-merger integration.
2. Adopt Cyber Insurance as a Risk Mitigation Tool
Companies should adopt customized policies to cover both first-party losses and
third-party liabilities to meet the transaction's specific needs. They should also
clearly understand the policy exclusions.
3. Prioritize Third-Party and Vendor Risk Management
Companies need to conduct thorough evaluations of vendors and third-party service
providers that handle critical systems, data storage, or cloud infrastructure. This
assessment helps in identifying potential vulnerabilities introduced by external parties.
Contracts with third parties should include robust cybersecurity provisions, such as
timely breach reporting, compliance with industry standards, and regular security
audits.
4. Establish Cybersecurity Standards for Post-Merger Integration
Develop a cybersecurity integration plan outlining specific steps, timelines, and
responsible teams to integrate both companies' security measures, involving activities
like aligning cybersecurity protocols, conducting joint security assessments, and
establishing shared security benchmarks. Implement ongoing monitoring of
cyber risks throughout the integration process. This includes regular testing of
combined networks and systems to address emerging vulnerabilities and ensure
compliance with security standards.
5. Enhance Regulatory Compliance and Awareness
With evolving data protection regulations, particularly the Digital Personal Data
Protection Act (DPDP) in India and other international laws (e.g., GDPR), it is crucial
for acquiring firms to ensure the target company adheres to relevant compliance
standards.
6. Invest in Cybersecurity Awareness and Training
Investing in cybersecurity awareness and training is essential to mitigate risks, by
implementing training programs for employees to educate them on cyber threats,
secure data handling, and incident response.
7. Adopt AI and Machine Learning for Threat Detection
AI and machine learning can be adopted to identify threats in real time, allowing
companies to proactively address risks before they escalate.

Conclusion

Cybersecurity has become a crucial factor in mergers and acquisitions (M&A), as the rising
number and complexity of cyberattacks present significant threats to businesses. Cyber risks
such as data breaches, obsolete systems, and weaknesses from third-party vendors can result in
financial losses, operational interruptions, and harm to reputation. These risks can substantially
influence deal valuations, prolong transactions, or even result in deal failures if not effectively
managed. Historically, M&A due diligence concentrated on financial, operational, and legal
risks. However, the escalation of cyber threats has rendered cybersecurity due diligence
imperative. Evaluating a target company's cybersecurity practices, previous incidents, and
system flaws aids in identifying risks that could impact the transaction and empowers acquiring
firms to implement proactive strategies. This procedure not only safeguards sensitive
information but also ensures adherence to regulations, protects intellectual property, and
upholds brand reputation. Moreover, cyber insurance has become an essential mechanism for
addressing risks during M&A. By covering financial damages related to cyber incidents, such
as data restoration, legal expenses, and system repairs, cyber insurance offers a financial buffer
for businesses. It enables organizations to transfer a portion of the risks associated with cyber
events, facilitating smoother post-merger integration and minimizing potential financial
repercussions of unexpected incidents. In the contemporary digital landscape, where businesses
are increasingly dependent on technology, integrating cybersecurity into the M&A process has
become essential. By merging thorough due diligence with instruments like cyber insurance,
firms can more effectively navigate risks, safeguard their investments, and promote successful
and secure mergers. Emphasizing cybersecurity not only reduces immediate threats but also
fosters resilience, securing long-term success in a climate in which digital risks are continually
increasing.
