Mergers & Acquisitions
Data Transfer
The transfer of data is key to any successful M&A, however many companies neglect to safeguard their data even at the most basic levels.
In many cases, firms simply overlook the value of data because they would rather focus on the hard assets involved in the deal such as property and equipment.
But the consequences of ignoring the value of data as part of the transaction can be catastrophic, resulting in the loss of highly sensitive company information, the price of the deal being significantly affected or the deal falling through altogether.
M&As are big business in today’s fast-paced corporate world, with the total volume of global deals amounting to $2.33 trillion in 2013, according to Bloomberg, meaning that data handling is now more important than ever.
David Molitano, vice president, content, technology and services liability division, at OneBeacon, said data is often the No. 1 reason for a company to be acquired in the first place.
“It is difficult to place an average cost on data itself because it will have a different value from company to company,” Molitano said. “The true dollar value amount really depends on what a company is willing to pay for that data and the accompanying intellectual property.”
He said that any data transferred as part of a deal needs to be first clearly defined, evaluated and controlled just like any other asset.
However, despite all the checks in place, any company holding large amounts of data would naturally be a target for a data breach, he said.
“Since the data directly correlates to money on the black market, there is the constant threat of a data breach,” Molitano said. “In an M&A situation, a company must also look more closely to internal issues such as a disgruntled or recently discharged employee who may take confidential company information with them when they leave the company.
“Since so much of today’s data is easily portable, removing data from a network and a place of employment is unfortunately very easy.”
Richard Clark, UK-based Xuber’s head of specialist commercial, whose company services the Lloyd’s of London market, said that data is just as valuable as the systems and repositories where it is stored.
“In an M&A deal, the retention of existing customers and a base from which to grow the business are obvious imperatives,” he said.
“Therefore, the history or dealings (claims, customer information, premium payment records etc.) and the analyses that can be run from the existing data are vital.”
Clark said the risks involved in transferring data in any M&A include the loss of vital intellectual property and other unforeseen costs resulting from software access contracts not being properly checked.
The consequences of not getting the data part of the deal right could be loss of business as well as the absence of a statistical basis from which to operate when evaluating future opportunities.
Underestimating Value
“There isn’t an executive in the land that doesn’t know the true value of data,” said John Merchant, Head of Cyber Liability & Professional Liability Underwriting at Freedom Specialty Insurance Co.
“However, many times in an M&A deal, the value of that data is vastly underestimated and it isn’t nearly as well protected as it should be.”
Merchant places a higher value on data than on the hard assets involved in an M&A.
“During a deal, most people at the board of directors’ level look at the more traditional aspects such as the financials and pro-formas,” Merchant said. “I think that, however, is more of a generational issue and due to a general lack of understanding about company systems and data oversight.”
Security is the single biggest issue for companies transferring data, he said.
However, particularly in non-technology deals, the risk manager responsible for looking after the data is often brought in too late in the process, meaning that the data is never truly secure, he said.
From a buying perspective, he said, the buyer needs to assume all of the liabilities associated with the data.
“They have to look at exactly what the data is and what they are buying, who it belongs to and whether it is being handled properly,” Merchant said.
On the other side, he said, the seller is also responsible for the transfer of that data.
One of the biggest unknown risks, according to Merchant, is the security of cloud computing and the use of third-party providers such as Google or Amazon to handle any data involved in a deal, because it is still a relatively new area.
“On the carrier side,” he said, “we haven’t necessarily seen a lot of claims activity or lawsuits in that area. However that is not to say it isn’t happening, so it’s something we need to keep a very close eye on.”
In the worst-case scenario, said Merchant, there could be a loss of data or the deal could fall through because of the way the data was handled.
“If companies don’t start to look at their data as a hard asset such as property, then they could be in real trouble if something goes wrong further down the line,” he said.
Ryan Gibney, an underwriter at XL who specializes in technology, cyber liability and data protection, said that his clients realize the value of data and have taken the appropriate steps to protect it at source.
“It is particularly important for companies in the public eye and public companies with shareholders that whenever they transfer data as part of any deal that a nondisclosure agreement is signed and that all of the network security controls of the other party are properly audited,” Gibney said.
“On top of that, they need to ensure they have cyber insurance to protect themselves and their clients in the event of any loss of data shared as part of the deal.”
One of the biggest issues to be resolved, said Gibney, is the control of access to data, where it is stored and who uses it once it has been transferred.
“Companies want to make sure that any data transferred is fully protected so that if an improper disclosure of that data occurs, you can advise any inquiring parties that the proper controls were in place to safeguard that data.”
Most of the errors occur, he said, because companies don’t have the right basic encryption protocols in place.
Tim Crowley, director, management and professional risk group at Crystal & Company, said it is important to get the company’s IT team involved as early as possible in the process in order to evaluate all of the other company’s privacy and security protocols, and to align the two companies.
“I think the critical thing for the risk managers, particularly on the buying side, is to continually look at their policies as they add different entities from potentially different industry classes, because not one policy is the same.”
— Tim Crowley, director, management and professional risk group, at Crystal & Company
Crowley said the market for risk transfer policies has broadened considerably over the last few years in terms of the coverage provided for both first- and third-party liabilities.
“I think the critical thing for the risk managers, particularly on the buying side, is to continually look at their policies as they add different entities from potentially different industry classes, because not one policy is the same.”
Kevin Maloy, senior managing director, M&A, special practices, at the same brokerage, added: “From a risk management perspective, we are seeing more companies from a good governance standpoint, adopting the concept of a privacy committee and establishing privacy procedures.
“There are a number of clearly defined and set guidelines that companies can follow in order to take the right enterprise risk management steps to protect their balance sheets from an unintentional breach.”