publication | GIR

Key Cyber and Data Privacy Considerations in M&A Due Diligence

July 31, 2025
Intelligence That Works

Cyberattacks and data breaches are increasing around the world – and no industry or organisation is impervious to them. Over 3,000 data breaches occurred in 2024 alone, as well as a record-breaking heist by state-sponsored hackers of US$1.5 billion in cryptocurrency.

The growing adoption of generative artificial intelligence (AI) creates even more risk, as threat actors leverage these tools to launch ever more sophisticated attacks. For example, in early 2024, threat actors used AI-powered deepfakes to pose as a British engineering company’s chief financial officer, duping an employee to pay US$25 million. There’s a reason that 66 per cent of organisations believe AI will have the biggest impact on cybersecurity this year, according to the World Economic Forum’s Global Cybersecurity Outlook.

These risks, while a top priority for business leaders, are often under-accounted for when conducting merger and acquisition (M&A) due diligence. On the one hand, the rush to close a deal can mean organisations focus on financial and operational due diligence rather than digital risks, particularly from third-party vendors. On the other, integrating two companies’ complex information technology (IT) systems creates additional cybersecurity risk. The growing presence of new AI tools will exacerbate the challenge, and missteps can have severe consequences – from major valuation impacts to higher integration costs to the deal falling through altogether.

Thus, organisations evaluating – or in the process of executing – an M&A transaction should undertake a comprehensive cybersecurity and data privacy due diligence exercise to accurately assess their acquisition target’s level of security and uncover potential compromises or data breaches. Whether you are a dealmaker or simply want to assess your own company’s cybersecurity and data privacy controls, this guide document can help.

Read the full article in GIR’s The Guide to Cyber and Data Privacy Investigations, fourth edition.

Prepare for what's next.

ThinkSet magazine, a BRG publication, provides nuanced, multifaceted thinking and expert guidance that help today’s business leaders adopt a more strategic, long-term mindset to prepare for what’s next.