Cyber Risk in M&A: the importance of transparency

A key principle that organisations must adopt when responding to a cyber attack is transparency. There are plenty of cautionary tales about poor levels of transparency from organisations that get caught out. They look dishonest to their customers, they receive a grilling by the media, their reputation and trust get eroded – and often very quickly.

The temptation to cover up a cyber-attack (whether it results in a data breach, significant outage or a loss of intellectual property) is to some extent a natural instinct, but should be avoided at all cost; it is likely to invite a world of pain from the Information Commissioner’s Office (or your own local regulator) and could lead to a very bumpy journey if you are planning to sell your company or merge with another. On this last point, we are likely to see a significant increase in M&A activity in the coming year as companies that have suffered from the downturn due to COVID court potential suitors. Under these conditions, transparency up front is by far the best policy (to be fair, it’s the best policy in any business context in our experience).

In a recent webinar with our partners at Collyer Bristow, CRMG addressed the importance of managing cyber risk in the context of mergers and acquisitions – and highlighted the importance of transparency throughout the due diligence process. It’s worth watching. Because let’s face it – the last thing you want after securing a lucrative sale is for the lawyers to come knocking on your door because you judged it best to leave those cyber skeletons hidden in the closet.

For further advice and guidance on cyber security in M&A, please contact us at