
BT's Alex Foster on the cyber exposure created by mega-mergers


Before the outbreak of the coronavirus pandemic, the merger and acquisition (M&A) sector within the insurance industry had seen consistent growth and 2020 appeared to be continuing the trend with the announcement of the Aon-Willis Towers Watson mega-merger.

Insurance Business recently spoke with BT’s director of insurance, wealth management and financial services, Alexandra Foster (pictured above), to examine how the M&A sector may develop in light of this mega-deal and to outline some of the key cybersecurity challenges that may face merging firms.

The Aon-WTW merger is still awaiting CMA approval, Foster said, and she believes that, following this, the insurance sector will continue to see additional transactions, noting that mergers and acquisitions tend to carry on at pace. The sector may see some mergers of more specialist units in order to maintain their USP in certain segments and to create a differentiation of their client offering in reaction to this deal. The coronavirus may also impact the rate of merger activity in the insurance industry, with more businesses coming together simply because this is necessary to survive.

The increased uptake of remote working has led to an enhanced cyber exposure for many organisations during this crisis, and Foster noted that cyber crime activity has grown exponentially in recent years. When mergers occur, they create an enormous amount of change within organisations, and present both opportunities and challenges when it comes to the cyber security of a business. A merger represents significant upheaval when it comes to the business processes and systems of both organisations and these require full integration.


“This [integration process] can create opportunities or vectors for cyber criminals,” she noted, “and so we spend time working with organisations to make sure that they have the right security in and between the organisations coming together, along with the right technology and technology stacks, as well as an understanding of how to get these to work together to make sure that the systems have been configured correctly.”

Any misconfiguration when organisations come together leaves the business vulnerable to compromise, she said, and, as such, businesses should enlist expertise when it comes to bringing their systems together. When helping organisations to unite their cybersecurity platforms, two angles must be considered – the systems angle and the data angle.

“It’s really important to make sure that the people who ought to be seeing your data are the only people able to do so, and that this data is being stored correctly with adequate protections and policies around it,” she noted. “This back-end piece is something that we spent quite a lot of time on, helping customers stay protected.”

The data angle of merger and acquisition activity is an area in which Foster has noted movement in recent years, with increased amounts of privacy expertise being drafted in ahead of any deals. Since the implementation of GDPR, Foster said she has seen a lot more privacy practices brought into corporate M&A transactions far in advance of deal completion.

Due diligence for lawyers now means making sure that there is GDPR compliance around data and raising any red flags in this area of compliance as early as possible, though post-merger privacy expertise is still required.

Foster outlined how, when negotiating to buy a company, the lawyers or investment bankers involved should be looking at policies, systems, procedures and tools well in advance, and devising a traffic light system to allow for a thorough and complete assessment to be made of these areas.

When due diligence can honestly be said to have been done, the business can make a value judgement of the areas that need further examination. This can aid any company concerned about cyber security or data compliance.