Andrea García Beltrán - Organizational Cybersecurity

“Your Data at Risk? The Cyber Attack on Generali that Impacts Liberty and BBVA Seguros”.

Cybersecurity in M&A: Lessons from Recent Data Breaches and Sanctions

Mergers and acquisitions (M&A) bring significant growth opportunities, but they also introduce hidden cybersecurity risks—especially when integrating IT systems, managing legacy infrastructure, and ensuring regulatory compliance.

Several high-profile data breaches in the insurance and financial sectors have highlighted recurring challenges in post-M&A cyber risk management. In some cases, breaches have disproportionately affected customers of previously acquired companies, which raises key questions about how IT integration decisions shape exposure.

The IT Integration Dilemma: Risk vs. Efficiency

While every M&A deal is different, some breaches have revealed that not fully integrating IT systems may have limited the impact of cyber incidents by keeping certain customer data isolated. Hypothetically, had these companies fully merged their infrastructures, a breach could have had a wider reach, exposing all clients instead of a subset from the acquired entity.

Key cyber risks that often emerge post-M&A include:

  • Inherited security weaknesses: acquired companies may carry legacy vulnerabilities that require immediate remediation, or weaker security frameworks than the parent company.
  • Inconsistent controls across separate systems: if systems remain separate for extended periods, inconsistent cybersecurity frameworks create blind spots and gaps that attackers can exploit.
  • Unaudited credentials and permissions: credentials and permissions inherited from acquired companies are not always promptly audited, so retained user accounts and outdated access controls become attack vectors (as appears to have been the case in the recent Generali incident in Spain affecting former clients of Liberty and BBVA Seguros).
  • Slower detection and containment: if a breach occurs, disparate systems can delay detection and containment, leading to higher financial and reputational damage.

Cyber Risk Management in M&A: Best Practices

  1. Cybersecurity Due Diligence: Just as financial and legal risks are assessed pre-acquisition, the target's cybersecurity posture should be evaluated in detail both before and after the transaction.
  2. Risk-Based Integration Strategy: Not all systems should be merged immediately; prioritize based on security posture.
  3. Zero-Trust Approach: Assume that acquired systems need full verification and limit their access until security measures are aligned (secured, audited, tested and monitored).
  4. IAM & Credential Review: Immediately reassess, revoke, and revalidate user credentials and third-party access across all business units.
  5. Continuous Cyber Risk Monitoring: Use Extended Detection & Response (XDR) solutions across all business units, even if they are not fully integrated.
  6. Unified Incident Response: Regardless of integration status, acquired entities should adopt a common security monitoring and response framework so the group can act swiftly.
  7. Cyber Insurance Review: Ensure policies are updated post-acquisition to cover inherited cyber risks and evolving exposure.
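Practices 3 and 4 above come down to a concrete first step: take the acquired entity's account inventory and decide, account by account, what gets revoked and what goes back to an owner for revalidation before any trust is extended. The script below is an added example written for this article, not the author's code or any vendor tool. It assumes a hypothetical CSV export format (the column names in the header row), uses constructed sample rows, and treats the 90-day dormancy threshold and the revoke/revalidate rules as assumptions to be tuned to the acquirer's own policy.

```python
"""Post-acquisition identity review over a directory export.

Added example for this article, not code from the author or from any vendor.
It assumes a hypothetical CSV export format (column names below) and uses
constructed sample rows; thresholds and rules are assumptions, tune per policy.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed sample export from an acquired entity's directory (hypothetical
# format). In practice this comes from the IdP/AD export reconciled with HR.
SAMPLE_EXPORT = """\
account,owner_status,account_type,last_login,mfa_enabled,privileged,hr_termination_date
jdoe,active,employee,2025-03-01,true,false,
msmith,terminated,employee,2024-11-20,true,true,2024-12-15
svc-backup,active,service,2023-06-30,false,true,
vendor-claims-api,active,third_party,2025-02-10,false,false,
agarcia,active,employee,2025-03-10,false,false,
old-admin,active,employee,,true,true,
"""

AS_OF = date(2025, 3, 15)          # review date used for the sample run
STALE_AFTER = timedelta(days=90)   # assumed dormancy threshold


@dataclass
class Finding:
    account: str
    action: str                    # "revoke" or "revalidate"
    reasons: list = field(default_factory=list)


def _parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def _is_true(value):
    return value.strip().lower() == "true"


def review_accounts(export_text, as_of=AS_OF):
    """Return a Finding for every account that needs action before the
    acquired entity's identities are trusted by the parent organisation."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        term_date = _parse_date(row["hr_termination_date"]) or date.max
        terminated = row["owner_status"] == "terminated" or term_date <= as_of
        last_login = _parse_date(row["last_login"])
        dormant = last_login is None or as_of - last_login > STALE_AFTER
        privileged = _is_true(row["privileged"])

        if terminated:
            reasons.append("owner left but account is still enabled")
        if last_login is None:
            reasons.append("never logged in")
        elif dormant:
            reasons.append(f"dormant: last login {(as_of - last_login).days} days ago")
        # Service accounts cannot do interactive MFA; they get a separate review.
        if not _is_true(row["mfa_enabled"]) and row["account_type"] != "service":
            reasons.append("MFA not enforced")
        if row["account_type"] == "third_party":
            reasons.append("third-party access: confirm contract scope and data shared")
        if privileged and reasons:
            reasons.append("privileged")

        if not reasons:
            continue
        # Revoke outright when the owner is gone or a privileged account is
        # dormant; everything else goes back to an owner for revalidation.
        action = "revoke" if terminated or (privileged and dormant) else "revalidate"
        findings.append(Finding(row["account"], action, reasons))
    return findings


def revocations(findings):
    """Accounts to disable immediately, in a stable order for ticketing."""
    return sorted(f.account for f in findings if f.action == "revoke")


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT):
        print(f"{f.action:10} {f.account:20} {'; '.join(f.reasons)}")
```

On the sample data the script revokes the terminated employee's still-enabled privileged account, the dormant privileged service account and the privileged account that was never used, and sends the vendor integration and the user without MFA back for revalidation. The HR termination date is checked independently of the directory status on purpose: in a freshly acquired entity the two are often out of sync, and that gap is exactly the retained-credential risk described above.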

Regulatory & Privacy Compliance Considerations

Beyond security, M&A-related breaches raise data protection and compliance risks, especially under frameworks like GDPR, DORA, and NIS2. Companies must ensure:

  • Secure data migration and integration to avoid exposing legacy customer information, with proper data classification and protection measures in place.
  • Timely breach reporting: under GDPR, the supervisory authority must be notified within 72 hours of becoming aware of a breach, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them, so that they can mitigate potential damage.
  • Clear policies on data retention: if the affected individuals were former customers, was retaining their data still necessary and compliant with data minimization principles?
  • Vendor & Partner Risk Management: third-party vendors and supply chains may introduce additional vulnerabilities that must be assessed and continuously monitored. Where acquired entities continue to rely on third parties, access controls and data-sharing mechanisms become critical. If a breach involves unauthorized access via a third party, it raises the question of whether appropriate safeguards were in place to limit exposure and prevent credential misuse.

What Comes Next? A Regulatory Crossroad

Looking at recent events, such as the reported breach involving Generali this month and the earlier sanction imposed by the Spanish Data Protection Agency (AEPD) this year, it is evident that regulatory scrutiny is intensifying. In 2025 the insurer was fined €5M (later reduced to €4M for early payment) for delayed breach notification, inadequate security measures, and failure to implement proper organizational safeguards in connection with a 2022 breach.

With DORA and NIS2 tightening the regulatory landscape, the question remains: How will regulators respond to recurrent cybersecurity failures, and could we see harsher penalties or stricter enforcement measures in the future?

Companies navigating M&A must proactively strengthen their cybersecurity governance, as the regulatory tolerance for repeated breaches is rapidly decreasing:

  1. When a company experiences recurring security incidents post-M&A, regulatory bodies often assess whether cybersecurity and compliance measures were adequately integrated across the newly merged organization. If breaches continue to arise from inherited security gaps, delayed incident response, or a lack of uniform governance, the result can be increased regulatory penalties, reputational damage, and potential legal action.
  2. This underscores the need for a structured cybersecurity integration plan, particularly when dealing with legacy systems, third-party dependencies, and evolving compliance requirements.

Regulatory Evolution: DORA & NIS2 in M&A Cyber Risk Management

  • With the increasing frequency of cyber incidents post-M&A, regulations such as DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive) introduce stricter requirements for cybersecurity governance, incident reporting, and third-party risk management, particularly in the financial and insurance sectors.
  • Under DORA, financial entities must ensure that operational resilience is built into IT systems before, during, and after acquisitions, minimizing disruption from inherited vulnerabilities. NIS2, applicable to essential and important entities including critical infrastructure and digital service providers, requires incident handling procedures, access control policies, and ongoing cyber risk management across business units, including acquired entities.

For companies that experience recurring breaches post-M&A, these regulations could mean higher scrutiny, mandatory security audits, and potential sanctions if security integration and risk mitigation measures are deemed insufficient. This reinforces the urgent need for cyber risk due diligence and structured IT integration planning during any merger or acquisition, followed by post-acquisition risk assessment and audit.

Final Takeaways

  1. Cybersecurity must be a top priority in M&A, not an afterthought.
  2. Cyber risk doesn't end once the deal is signed; it is a long-term process requiring active security oversight.
  3. Do not wait for a breach, your own or one in your industry, to remind you that cybersecurity must be a board-level priority, including during an M&A.
  4. Whether integrating systems quickly or keeping them separate for security reasons, a proactive and robust cyber risk management strategy is critical to safeguarding customers and corporate reputation and to meeting compliance obligations.

What’s your perspective? Should companies prioritize full IT integration post-M&A, or adopt a phased approach to reduce cyber risk? Let’s discuss.
