Workflows, business models and economic activity continue to undergo secular digitalisation. There are incredible opportunities in reimagining how to reach customers or innovating new digital products and services.

But those opportunities come with risks—cybercriminals are ready to exploit unprotected openings that may emerge. According to research group Cybersecurity Ventures, the global cyber threat will cost an estimated US$10.5tn annually by 2025, equivalent to nearly half of US GDP.

Investors are increasingly turning their attention to cybersecurity due diligence. They need to know that target companies are installing measures to defend themselves and training staff to protect their most valuable data assets. Dealmakers are looking for companies prioritising cyber resilience and operating smoothly without disruptions.

In this report, the third in our series produced with Admincontrol, we surveyed 100 senior executives across Europe to understand potential shortcomings in current approaches to cybersecurity due diligence. We hope this study will serve as a valuable benchmarking tool for buy-side investors to understand how their peers are approaching this area.

Over the following chapters we will present the extent to which investors are prioritising cybersecurity due diligence, their outsourcing arrangements, the practicalities of robust risk assessments, and what are considered to be the biggest deal-breakers when performing these reviews. Given the speed with which the connected, digital world is constantly changing, cybersecurity due diligence can only grow more critical.

Key findings:

1. Over half of respondents (53%) report dedicating more resources to cybersecurity due diligence in their most recent deals compared to 12-24 months ago, including 21% who are dedicating many more resources.
2. More than two-thirds of respondents (69%) agree that a positive cybersecurity due diligence appraisal leads to a higher valuation, and vice versa.
3. The largest share of respondents (24%) say the cybersecurity due diligence for their most recent deal began only in the transaction execution phase. A further 14% say it only commenced during post-closing integration.
4. The biggest challenge identified by our survey respondents relating to the cybersecurity due diligence in their most recent deal was accurately vetting the relevant information (39% of first-place votes).
5. More than half of all respondents (52%) report that a major undiscovered or undisclosed cybersecurity risk came to light during the post-closing integration phase of the most recent deal on which they worked.

Methodology

In Q4 2022, Mergermarket surveyed 100 senior executives to gain insights on cybersecurity due diligence. The respondents comprised 25 investment banks, 25 law firms and 50 private equity (PE) firms. All are headquartered in Europe (including the UK) and were recently involved on the buy-side of an M&A deal. All responses are anonymous and results are presented in aggregate.