Home Insights Dynamic due diligence: managing new and emerging acquisition risks

Dynamic due diligence: managing new and emerging acquisition risks

Recent well-publicised incidents of cyberattacks, breaches of whistleblower requirements, environmental, social and governance (ESG) issues, breakdowns in governance of tax risk, rapid developments in artificial intelligence (AI) and associated intellectual property (IP) issues, and an increased government focus on supply chains are demanding a more dynamic approach to M&A, both as a driver for acquisitions and as a fundamental requirement to better manage acquisition risk.

In one sense, this is not new – M&A professionals have always known that acquisition due diligence needs to be bespoke. What has changed, however, is the list of matters that can have a material impact on the value of that target post-acquisition and on the buyer’s own brand.

Unsurprisingly, buyers are focused on how they can best capture opportunities and achieve maximum value while also assessing a heightened and expanded risk matrix. This may take the form of straight risk assessment or integration diligence to dovetail the acquisition with their own processes.

Below is a discussion of new and emerging trends in cyber security, ESG, supply chain management, tax risk, AI and IP that require greater attention in acquisition due diligence.

Cyber security

In the field of cyber, buyers must be diligent in assessing cyber risks during due diligence. Any vulnerabilities in the target’s IT systems may be exploited by malicious actors, and buyers should be conscious that companies are often unaware that they have suffered a cyberattack for many months after it occurs.

A failure to identify a cyberattack during due diligence will put the buyer’s own systems at risk when completion of the transaction occurs. Further, the buyer may well become liable for significant penalties imposed by regulators on the target (including under the Privacy Act 1988 (Cth)) and susceptible to shareholder or consumer class actions. In addition, buyers should review the technical defences of the target and the robustness of its incident response plans and other organisational frameworks to prevent and recover from cyber incidents.


Now widely accepted as a key consideration for dealmakers on acquisitions, ESG due diligence goes beyond compliance to include a qualitative review of systems and processes that address underlying ESG risk management. Some buyers use ESG due diligence as a tool to protect existing ESG portfolios that require certain ESG thresholds to be met in any new deal. Others see ESG as an opportunity for value add and value creation and, in these cases, ESG due diligence is much more than box ticking exercise.

Poor ESG decisions and processes can have reputational, financial and legal consequences for the buyer. Buyers are looking for due diligence that includes a distinct ESG focus and is multi-disciplinary across advisers. That due diligence must be designed to both understand the risks and to identify value opportunities.

Supply chain management

The impact of ‘homecoming’ and ‘decoupling’ on the target and its key suppliers and customers is on the rise. Increasingly, we are seeing government industrial policies that are designed to build redundancies and resilience in supply chains both at home and in ‘friendly’ destinations to reduce the impact of potential conflict and economic coercion.

These friend-shoring commitments have the potential to be extremely important to some industries. Through the Quadrilateral Security Dialogue, Australia, India, Japan and the United States are building resilient supply chains for COVID-19 vaccines, semiconductors and emerging and critical technologies, including those related to clean energy.

Tax risk

Tax risk in the context of M&A due diligence is well known. But like so many other disciplines, the increasing emphasis on the application of the ESG lens requires buyers, more than ever, to focus on tax risk from the perspective of a number of stakeholders, including investors, employees, customers and regulators. These stakeholders have a heightened interest in a company’s social contribution by way of complying with its tax obligations.

The risk of reputational and financial contagion to a buyer’s existing business in an era of increased tax transparency and the attention given to specific risk areas (particularly in areas of interest to the Australian Taxation Office such as transfer pricing, research and development and intellectual property), should not be underestimated. Tax due diligence now requires a more nuanced and qualitative approach (rather than just the traditional quantitative exercise) and buyers are more regularly asking advisers for an assessment of the appropriateness of the target’s internal tax function, the approach to tax risk management and governance more generally, and the process adopted for the selection of suitably expert and reputable tax advisers.


Another emerging area requiring greater attention in acquisition due diligence is how the target business is using AI. This is made more difficult by the limitations of the existing legislative environment, which is not designed to address or regulate non-human operations.

In an M&A context, buyers need to recognise the uncertainties of the use and development of AI, and test how the target is using AI, in particular:

  • the complexities of what it means to “own” AI and AI-generated content to ensure that proprietary or intellectual property rights can even be established in the first place and then that they are capable of transfer under a sale agreement; and

  • to understand the potential existing risks in a business using AI (e.g. in businesses that are data mining, establishing that no copyright or other intellectual property rights are being infringed in this process).

Buyers also need to understand the future risks of using AI when legislative reform is pending but unknown. This includes understanding the impact on businesses if Australia follows the risk-based approach to AI regulation adopted by the EU or whether it will carve its own path. Existing and future risks need to be properly understood to ensure they translate to the bottom line and are reflected in the deal terms.


In addition to the IP challenges identified in the AI context above, the focus on ensuring the target business owns the relevant know-how, methodologies and other key IP required to continue business operations remains an ongoing challenge in an environment where many organisations outsource the development and ongoing management of key systems, processes and works.

Ensuring key IP has been developed by employees of the target business within the scope of their employment remit or else appropriately assigned into the target business, with relevant moral rights consents secured, remains a continuing area of due diligence focus.

Key considerations for M&A professionals

Having a strong understanding of these new and emerging risks and weaknesses provides a buyer with the opportunity to build and strengthen the saleability and value of the target post acquisition. At a macro level, an acquisition thesis needs to incorporate all different types of risk, but these new risks require a particular focus and a deep understanding of how the transaction will fit and be consistent with the overall strategy of the buyer.

By building consideration of these new issues into the M&A process, acquirers can find assets that address existing issues in the acquirer’s business, for example, supply chain vulnerability. Conversely, M&A deal teams and boards are increasingly looking to identify whether new businesses have the potential to create a contagion, undermining the existing business by introducing new risks to the acquirer’s business.

Due diligence can of course take many forms but should be undertaken with subject matter expertise and a clear understanding of the interrelation between the myriad risks. Many of these risks require a careful understanding of a wide variety of issues to ensure any risk profile is rigorous and provides the acquirer with an accurate picture in the acquisition documents. In some cases, there may be issues that need to be remedied or certified as conditions precedent to ensure the matters are addressed before completion. In other cases, issues arising at the time of purchase may create opportunities for value creation as the buyer works with the new acquisition to build and strengthen performance.


It is clear that effective and focused due diligence has the potential to create, preserve and identify value in the acquisition process. The nature of many of these risks means this will need to be a bespoke process, both in terms of understanding the underlying issues that the target business faces and how those challenges need to be addressed through appropriate policies and procedures.

Age of Acceleration

Staying at the forefront of change in an evolving legal landscape

View insight collection


James North

Head of Technology, Media and Telecommunications

Dr Phoebe Wynn-Pope

Head of Responsible Business and ESG

Eugenia Kolivos

Head of Intellectual Property

Madeleine Kulakauskas

Special Counsel


Corporate/M&A Capital Markets Technology, Media and Telecommunications Responsible Business and ESG Tax Intellectual Property

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.