Did You Buy a Digital Crisis?
The modern brokerage landscape is defined by relentless consolidation.
Amid the focus on valuation and strategic fit, a consequential moment can be overlooked: the point when an acquired firm plugs into the parent organization’s systems.
Insurance brokerages are high-value targets for cyberattacks: data-dense, transaction-heavy hubs between carriers, clients, and regulators. This connectivity is a competitive advantage, but it can be a liability. In an era of rampant ransomware and sophisticated business email compromise, an acquired firm may become the soft underbelly of a larger enterprise.
For regulated entities, the technical threat is only part of the battle. M&A leaders must also contend with the risk of internal and external scrutiny that follows a crisis. We surveyed experts to identify five questions that should be at the top of every M&A leader’s cybersecurity list. Responses to these questions reveal an organization’s ability to absorb shocks, make decisions under pressure, and contain cascading harm.
1) Who is in charge immediately following an incident?
The gap between when this question is asked and answered is revealing. Resilient organizations answer without hesitation. A cyber incident creates a multidimensional business crisis in which decisions made in the first hour span legal privilege, technical containment, customer service, and financial considerations. The incident response lead must have cross-functional authority to bind these disparate departments to a single, cohesive response.
Resilient organizations have identified a clear chain of command with the authority to sever network connections, oversee recovery, and make executive decisions in the first hours. “Clear ownership and defined responsibilities make a major difference in how quickly and effectively an organization can respond,” says Alex Zuehlke, a cybersecurity engineer at M3 Insurance.
Without this clarity, authority becomes dangerously ambiguous during an incident involving a newly acquired business unit. Is the parent organization in command, or does the acquired brokerage maintain the lead? Whose cyber insurance policy is triggered? Who sets the pace of recovery? When roles and the authority to make high-stakes decisions remain unclear, response times lag and risk multiplies at precisely the moment when time is the most expensive commodity. Failure to act can result in lost business and damaged reputations, among other impacts.
Regulators also care deeply about the first hours of a crisis. Confusion during this phase can lead to delayed reporting, which serves as an aggravating factor that can escalate enforcement actions under frameworks such as New York state’s cybersecurity rule (23 NYCRR Part 500).
2) How does the new organization’s security posture compare to ours?
This question tests operational maturity; most experts we surveyed indicate it’s the most important question regarding a business’s resilience to cyberattacks. Too few organizations can demonstrate how their security operates day-to-day, so M&A leaders must demand operational evidence during due diligence on a prospective acquisition. Executives need a Day One execution plan for enforcing controls, handling exceptions, and detecting risky behavior in real time.
“Interviews provide deeper insights into program maturity,” offers Jonathan Hay, Amwins vice president of information security, “and often lead to conversations around areas of risk that have always been a concern for the technology teams.” This conversation is essential because the primary resilience signal here is identifying an acceptable range of variance between the two companies’ risk postures. Resilient leaders understand that differences in security posture are inevitable, but unmanaged and undocumented differences create hidden fault lines. Resilient organizations identify these gaps and manage them intentionally rather than assuming uniformity.
Regulators are also skeptical of “paper compliance.” Examiners today want signs of operational effectiveness, such as logs, not just documented policy. If an acquired brokerage technically meets regulatory requirements but operates with weak enforcement or shadow workarounds, the parent organization inherits that weakness and the attendant regulatory risk.
Ultimately, a truly resilient organization is transparent about its flaws; it can explain where it is weak, how it compensates, and what it is actively improving. In contrast, fragile organizations may default to perfection narratives or defer responsibility entirely to third-party vendors.
3) Is connectivity required for network integration?
Linking a newly acquired entity to the parent network is one of the most consequential digital risk decisions an executive can make. While executives naturally focus on the probability of an incident, a key dimension of resilience is how quickly an incident can spread. “Resilient organizations challenge the assumption that connectivity is mandatory, instead asking if the environment can be pared down to only the essential functions required for the transition to avoid wholesale network merging,” according to Hay. “The safest approach is to keep the networks air-gapped until the newly acquired unit fully transitions to the core technology,” he adds. “This ensures there is little risk of lateral contagion to the larger organization because the networks never touch.”
Connecting the two organizations’ systems is only half the story. Amy Mushahwar, a partner at law firm Lowenstein Sandler who specializes in data security, says the real danger in M&A begins when identity and authentication systems begin to trust each other. Connectivity creates the pipeline, but identity federation provides the permissions. The moment an acquisition’s usernames and passwords work on your network, your security postures become inseparable—meaning their compromised keys can now unlock your doors. Mushahwar cautions that by opening these trust relationships, an organization may immediately inherit “MFA gaps, excess permissions, and dormant but not deactivated” accounts, effectively leaving internal doors wide open if inherited keys are compromised.
Without strict limits on both connectivity and identity federation, a threat actor needs only minutes to facilitate lateral movement from a brokerage laptop into a sensitive network. By limiting connectivity during integration, an organization ensures that the “blast radius” remains contained to the acquisition rather than the enterprise.
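The identity-federation point above can be turned into a concrete pre-integration gate. The following is an added example, not code from the article or from any firm it names: it audits a constructed directory export from an acquired brokerage for the three inherited weaknesses quoted (MFA gaps, standing privilege, dormant-but-enabled accounts) and reports which accounts may be mapped into the parent directory. The 90-day dormancy threshold and the role names are assumed policy values.

```python
"""Pre-federation identity gate over an acquired firm's directory export:
flags MFA gaps, standing privilege and dormant-but-enabled accounts and says
which accounts may be mapped into the parent directory. Added example with a
constructed export; not code from the article or from any firm it names."""
from datetime import date, timedelta

# Assumed policy values (not from the article).
DORMANT_AFTER = timedelta(days=90)  # inactivity that marks an account dormant
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "ams_admin"}

# Constructed sample export from the acquired brokerage's directory.
ACQUIRED_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": True, "roles": ["producer"], "last_login": "2025-03-01"},
    {"user": "svc_backup", "enabled": True, "mfa": False, "roles": ["domain_admin"], "last_login": "2024-09-12"},
    {"user": "former_csr", "enabled": True, "mfa": False, "roles": ["producer"], "last_login": "2024-06-30"},
    {"user": "itlead", "enabled": True, "mfa": True, "roles": ["domain_admin", "ams_admin"], "last_login": "2025-03-03"},
    {"user": "old_temp", "enabled": False, "mfa": False, "roles": [], "last_login": "2023-01-15"},
]

def account_findings(acct, today):
    """Reasons an enabled account must not be federated as-is."""
    reasons = []
    if not acct["mfa"]:
        reasons.append("mfa_gap")
    # Admin roles are never inherited through federation; they are re-granted
    # in the parent directory after review, so any standing privilege is flagged.
    if PRIVILEGED_ROLES & set(acct["roles"]):
        reasons.append("standing_privilege")
    if today - date.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
        reasons.append("dormant")
    return reasons

def federation_plan(accounts, as_of):
    """Split the export into accounts cleared for federation and accounts
    blocked with reasons. Disabled accounts cannot authenticate, so they are skipped."""
    today = date.fromisoformat(as_of)
    plan = {"federable": [], "blocked": {}}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = account_findings(acct, today)
        if reasons:
            plan["blocked"][acct["user"]] = reasons
        else:
            plan["federable"].append(acct["user"])
    return plan

if __name__ == "__main__":
    plan = federation_plan(ACQUIRED_ACCOUNTS, "2025-03-05")
    print("cleared:", plan["federable"])
    for user, reasons in plan["blocked"].items():
        print(f"blocked {user}: {', '.join(reasons)}")
```

Running it against the sample export clears only the active, MFA-protected producer account; the service account with an admin role fails on all three counts.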
This risk extends beyond your own servers. Leaders must also understand the connections between a newly acquired entity and its partners and suppliers. A brokerage is rarely an isolated entity; in a digital ecosystem, it may be connected to a network of carriers. If your new office is breached, how many connected external partners could be compromised?
From a regulatory standpoint, this interconnectivity defines your third-party risk profile. Under frameworks like the National Association of Insurance Commissioners’ Insurance Data Security Model Law, regulated entities are increasingly expected to conduct oversight of these digital bridges. An uncontrolled blast radius doesn’t just hurt the firm; it jeopardizes supervisory trust and the perceived credibility of management representations to the state.
4) What is the “minimum viable office” to maintain if systems go dark?
A resilient incident response identifies critical workflows, such as claims, renewals, binding, billing, and compliance, and maintains an “out-of-band” contingency to execute them manually for 72 hours or more. If your integration plan lacks an analog fallback, you are potentially acquiring a digital liability.
This is ultimately a question of fiduciary continuity. If ransomware encrypts the agency management system for 14 days, how does a broker fulfill the obligation to process a first notice of loss or prevent a client’s policy from lapsing? Resilient leaders prioritize and plan for this level of process survival.
From a regulatory perspective, this question shapes your exposure map. Regulators scrutinize operational governance; if you cannot service your book of business because your digital tools failed, you have suffered not just a cyber incident but a failure of leadership. The potential results encompass financial and administrative penalties, which vary widely by regulator.
5) What behavior and security debt is tolerable on Day One but never in Year Two?
M&A is fundamentally an exercise in integration, which almost always necessitates temporary compromises such as tolerating legacy systems, shared accounts, and delayed upgrades. The risk is not the compromise itself, but the failure to map out a sunset date for those temporary compromises. “Infosec concerns are rarely going to block a deal, and leaders can quickly get themselves shut out of the room by having that attitude,” says Chris Clark, head of information security at Coalition. “Your job during the M&A process is to understand the risks and costs for mitigation, ensuring they are factored into the decision and integration plan.” Braden Pitts, chief information security officer for the MJ Cos., concurs: “Technical debt becomes an exercise in deliberate risk management.” Regulators typically understand transitional risk during integration only when it is intentional and time-bound; open-ended exceptions that are never resolved are common findings in post-incident regulatory examinations.
Leaders must ask what security debt they are consciously accepting and how they will amortize it over the integration life cycle. This scrutiny “forces explicit decisions about inherited risk rather than accidental acceptance,” testing long-term discipline, Pitts says. Unmanaged exceptions accumulate over time and eventually become systemic vulnerabilities.
As a proxy for resilience, leaders should watch for a specific milestone or budget cycle when “good enough” stops being acceptable. From a practical standpoint, Pitts prioritizes checks that address foundational regulatory and insurance requirements, which if not met “must be resolved immediately.” Without a firm timeline and an owner to address the issue, the organization has simply postponed a crisis. Ultimately, integration must be “managed like any other major program,” he says, executed over a strictly defined time horizon.
Resilience is not about the impossible goal of preventing every incident. It is about knowing what matters most, identifying who decides, and ensuring the organization is prepared to protect its clients and reputation when systems go dark.