
Insight

In line online

Author: Nicholas Neveling

Published: 10 Oct 2025


Cyber attacks targeting M&A processes can have financial, reputational and opportunity costs for vendors, buyers and advisers. Dealmakers cannot afford to ignore the risks. Nicholas Neveling reports.

Last month, JLR revealed it had been the victim of a cyber attack. The UK auto manufacturer owned by Tata Group had little choice about disclosing its predicament – it had been forced to shut down production, at an estimated cost of around £5m a day. At the time of writing the carmaker had not reopened, had not had a car roll off its production line for two weeks and estimated it would be at least another week before it was up and running again. The impact on businesses in JLR’s supply chain, which reportedly employs a quarter of a million people, was obviously also beginning to prove critical. By the end of September the government was looking at various options, including buying parts from JLR suppliers to protect jobs, and potentially financial support for affected suppliers to furlough workers.

When compared with coverage of cyber attacks targeting government departments or consumer-facing companies such as JLR or M&S, or of last month’s cyber attacks on European airports, cyber security incidents in M&A processes rarely hit the headlines. There is little data tracking cyber incidents involving M&A directly, but examples are relatively few when compared with the large body of case studies exploring breaches suffered by corporates and states.

It is a mistake, however, to assume this means M&A processes have somehow been insulated from the steady increase in this form of exploitation that’s now observed across all industries. Figures from Check Point, a cyber-security software company, show that the average weekly number of cyber attacks per organisation increased by 21% year-on-year in Q2 2025; over a 24-month period, attack volumes are 58% up. 

Sector cyber challenges 

The finance industry has been particularly vulnerable, with an IBM and Ponemon Institute report flagging that financial services companies suffer the second-highest average cost per breach; only breaches in healthcare cost more. In addition to exposure to financial losses, a breach in financial services also carries significant regulatory and reputational risks. 

“As a professional working in the finance industry, with a specific interest in cyber security within corporate finance, incidents in M&A processes are likely to be a much more common occurrence than official data and specific publicly known instances would suggest,” says Adam Avards, principal, cyber and third-party risk, at UK Finance. “Globally, and the financial sector is likely to be no different, cyber-security incidents, including those involving M&A, are underreported.”

Within the finance sector as a whole, cyber-security incidents are under-reported.

Adam Avards, Principal, cyber and third-party risk, UK Finance

As M&A processes involve large groups of bidders, vendors and associated advisers, there are multiple channels for bad actors to exploit, ranging from directly targeting deal investors and companies involved in transactions, to trying to compromise the virtual data rooms that deal parties rely on to access and share commercially sensitive documents in deal processes. 

When it comes to attacks aimed at deal targets and dealmakers specifically, the stakes are higher than ever. The discovery of a cyber incident in due diligence, or a breach suffered mid-process, can lead to significant valuation impairment, large fines or the failure of a deal process altogether. 

A survey by cyber-security company Forescout Technologies found that 53% of respondents had encountered a critical cyber-security issue that had put a deal at risk. Verizon’s $4.48bn acquisition of Yahoo, for example, was nearly scuppered because of two major data breaches discovered by the buyer. Eventually the deal did progress, but Yahoo had to cut its valuation by $350m as a result of the cyber compromises.

“If a breach is discovered during the M&A process,” says Grant Thornton director Charlotte Devlin, “the buyer will typically work out the degree to which they believe the breach is going to impact the value of the business. It might be that they feel they can gain some advantage through that, and potentially pay a lower purchase price. They might need to invest in subsequent controls. But if a compromise is significant to the extent that they believe it’s going to be a quite serious problem going forward, they’d probably walk away. We’ve certainly seen instances where deals have collapsed because of cyber attacks.” 

We’ve certainly seen instances where deals collapse because of cyber attacks.

Charlotte Devlin, Director, Grant Thornton

Weakest link 

Companies are also vulnerable immediately after transactions, with bad actors seeking to exploit gaps in cyber-security coverage that emerge as two businesses integrate systems. Indeed, a CEO survey by M&A dataroom provider Datasite found that technology and cyber security was one of the most complex areas to manage in post-deal integrations.

“Without the proper security measures in place, there are business vulnerability opportunities during the due diligence process and even following deal announcements,” Datasite’s EMEA chief revenue officer Jerome Pottier says. “In fact, there is evidence of specialist hackers tracking when companies are closing deals, demonstrating that IT infrastructure changes during deal completion can create openings for malicious activity.”  

There is evidence of specialist hackers tracking when companies are closing deals.

Jerome Pottier, EMEA chief revenue officer, Datasite

Bad actors will also seek to compromise virtual datarooms, which hold vast troves of sensitive commercial and personal information and can be exploited in various ways for financial gain. 

Ransomware and kidnap for ransom attacks, where data is encrypted and locked up until a ransom is paid, are one way for hackers to extract finances from dealmakers, who will often be facing tight deadlines.  

There is also evidence of malicious parties seeking access to datarooms to raid email addresses, passwords and bank account details that can be used in other scams. These include impersonation, fraud, intercepting payments, hijacking accounts, business email spoofing and harvesting credentials to produce deepfakes. In some cases, such activities are sponsored by nation-state adversaries, which are not seeking financial incentives but are instead solely focused on causing maximum disruption to any and all core financial infrastructure.

The widening array of bad actors and motives for such activity broadens the exposure to risk of M&A processes, and while the technical architecture of virtual datarooms is robust and difficult to penetrate, hackers can still acquire dataroom passwords and access codes indirectly by breaching deal counterparties and advisers.

“Social engineering remains one of the fastest and easiest ways to compromise systems,” says Akber Datoo, CEO and co-founder of D2 Legal Technology. “Bad actors are increasingly adept at resetting multifactor authentication using SIM swaps to infiltrate datarooms and access non-public information.” Datoo, who is also co-chair of the Law Society’s Technology and Law Committee, warns: “Law firms and other advisers continue to be prime targets for social engineering attacks, with unmanaged contractor and other third-party devices being a particular weak point. In cyber security, you are only ever as strong as your weakest link.” 

The big challenge with AI-driven attacks is their sheer relentlessness.

Akber Datoo, CEO and co-founder, D2 Legal Technology

Gamechangers 

Rapid gains in artificial intelligence (AI) capability have taken the risk of exposure to these threats to the next level. “A bad actor used to require a certain level of coding ability to orchestrate an attack,” UK Finance’s Avards says. “Now it is possible to get AI to do that. The barrier to technical entry has been significantly lowered, enabling less technically minded bad actors to get into this field and be effective.” 

Grant Thornton’s Devlin adds: “Years ago, when you received a scam email it would often be poorly written and quite obvious. AI has changed that completely. What used to be the exclusive domain of a small group is now open to anyone. This has increased the frequency and sophistication of attacks and made it more and more difficult to distinguish between genuine and malicious outreach.” 

Dealmakers, however, can also use AI to defend their systems, although investment and technical expertise is required to fully harness this cyber-security potential. “The big challenge with AI-driven attacks is their sheer relentlessness,” D2 Legal Technology’s Datoo says. “But research shows that on the defensive side AI is highly effective at spotting attack vectors and patterns. AI can review code to identify gaps, alert triage and enforce guardrails, for example, blocking any payment release without multi-party verification. That is where AI really comes into its own. But it remains a cat-and-mouse game and for those unprepared, the risks of AI-powered cyber attacks are highly significant.”

Datasite’s Pottier adds: “With an increase in cyber attacks and the continued growth of AI, the data protection landscape will continue to evolve as a priority for the industry. AI technologies are providing new tools for dealmakers to strengthen their security postures, enhance their due diligence and streamline document reviews and analysis.  

“By embracing technology as a strategic enabler, dealmakers can now navigate the complexities of data protection in M&A with greater confidence and success.” 

Focus on attacks

In April, FTSE 100 retailer M&S suffered a ransomware attack that forced it to close its click-and-collect service for 15 weeks and put a £300m dent in annual profits. In addition, M&S also disclosed that some personal customer data had been compromised, potentially escalating cyber risk into other areas. 

A week after M&S reported its incident, the Co-op announced that it had also been attacked, with the details of 6.5 million customers stolen. The group was able to avoid being locked out of its own systems, but suffered store supply and contactless payment disruption in the days after the announcement. 

These incidents highlight the growing risk all companies face from cyber attacks, with even sizeable companies with large IT teams being vulnerable. They also showed how social engineering was a vector for bad actors, with SIM swaps – where criminals hijack and impersonate a person’s phone – used to hurdle two-factor authentication protection and gain illegitimate access to IT systems. As cybercriminals adopt increasingly elaborate methods in order to breach organisations’ systems, both staff and customer cyber-risk training and awareness are becoming as important as investment in cyber-security technology and software.

Cyber Security Awareness Month

ICAEW’s Corporate Finance faculty has played a key role in leading and coordinating the wider corporate finance community’s response to cyber-security threats in deals. In 2024 the faculty led the formation of a taskforce to develop and share best practice for cyber security in M&A, and each year in October participates in global Cyber Security Awareness Month, an initiative promoting online safety and digital resilience. In the constantly evolving cyber-security space, these events raise awareness of cyber risk in deals, providing insights into lessons learned from recent hacks and breaches, and practical steps to protect deals and deal processes.

This month, ICAEW will host a series of workshops, lectures and events on cyber security and AI, including ICAEW’s Annual Conference on 17 October 2025, which will include sessions on generative and agentic AI. The Annual Cyber Lecture on 6 October 2025 at Chartered Accountants’ Hall will focus on ransomware threats and a webinar will be hosted with the City of London Police on cyber security for the finance professional.
