Mergers & Acquisitions

Data Transfer

The value of data in a merger cannot be underestimated.
By: | May 1, 2014 • 6 min read

The transfer of data is key to any successful M&A, however many companies neglect to safeguard their data even at the most basic levels.

In many cases, firms simply overlook the value of data because they would rather focus on the hard assets involved in the deal such as property and equipment.

Advertisement




But the consequences of ignoring the value of data as part of the transaction can be catastrophic, resulting in the loss of highly sensitive company information, the price of the deal being significantly affected or the deal falling through altogether.

M&As are big business in today’s fast-paced corporate world, with the total volume of global deals amounting to $2.33 trillion in 2013, according to Bloomberg, meaning that data handling is now more important than ever.

R5-14p30-31_02Data.inddDavid Molitano, vice president, content, technology and services liability division, at OneBeacon, said data is often the No. 1 reason for a company to be acquired in the first place.

“It is difficult to place an average cost on data itself because it will have a different value from company to company,” Molitano said. “The true dollar value amount really depends on what a company is willing to pay for that data and the accompanying intellectual property.”

He said that any data transferred as part of a deal needs to be first clearly defined, evaluated and controlled just like any other asset.

However, despite all the checks in place, any company holding large amounts of data would naturally be a target for a data breach, he said.

“Since the data directly correlates to money on the black market, there is the constant threat of a data breach,” Molitano said. “In an M&A situation, a company must also look more closely to internal issues such as a disgruntled or recently discharged employee who may take confidential company information with them when they leave the company.

“Since so much of today’s data is easily portable, removing data from a network and a place of employment is unfortunately very easy.”

Richard Clark, UK-based Xuber’s head of specialist commercial, whose company services the Lloyd’s of London market, said that data is just as valuable as the systems and repositories where it is stored.

“In an M&A deal, the retention of existing customers and a base from which to grow the business are obvious imperatives,” he said.

“Therefore, the history or dealings (claims, customer information, premium payment records etc.) and the analyses that can be run from the existing data are vital.”

Clark said the risks involved in transferring data in any M&A include the loss of vital intellectual property and other unforeseen costs resulting from software access contracts not being properly checked.

The consequences of not getting the data part of the deal right could be loss of business as well as the absence of a statistical basis from which to operate when evaluating future opportunities.

 Underestimating Value

“There isn’t an executive in the land that doesn’t know the true value of data,” said John Merchant, Head of Cyber Liability & Professional Liability Underwriting at Freedom Specialty Insurance Co.

“However, many times in an M&A deal, the value of that data is vastly underestimated and it isn’t nearly as well protected as it should be.”

John Merchant, Head of Cyber Liability & Professional Liability Underwriting for Freedom Specialty Insurance Co.

John Merchant, Head of Cyber Liability & Professional Liability Underwriting for Freedom Specialty Insurance Co.

Merchant places a higher value on data than on the hard assets involved in an M&A.

“During a deal, most people at the board of directors’ level look at the more traditional aspects such as the financials and pro-formas,” Merchant said. “I think that, however, is more of a generational issue and due to a general lack of understanding about company systems and data oversight.”

Security is the single biggest issue for companies transferring data, he said.

However, particularly in non-technology deals, the risk manager responsible for looking after the data is often brought in too late in the process, meaning that the data is never truly secure, he said.

From a buying perspective, he said, the buyer needs to assume all of the liabilities associated with the data.

“They have to look at exactly what the data is and what they are buying, who it belongs to and whether it is being handled properly,” Merchant said.

On the other side, he said, the seller is also responsible for the transfer of that data.

Advertisement




One of the biggest unknown risks, according to Merchant, is the security of cloud computing and the use of third-party providers such as Google or Amazon to handle any data involved in a deal, because it is still a relatively new area.

“On the carrier side,” he said, “we haven’t necessarily seen a lot of claims activity or lawsuits in that area. However that is not to say it isn’t happening, so it’s something we need to keep a very close eye on.”

In the worst-case scenario, said Merchant, there could be a loss of data or the deal could fall through because of the way the data was handled.

“If companies don’t start to look at their data as a hard asset such as property, then they could be in real trouble if something goes wrong further down the line,” he said.

Ryan Gibney, an underwriter at XL who specializes in technology, cyber liability and data protection, said that his clients realize the value of data and have taken the appropriate steps to protect it at source.

“It is particularly important for companies in the public eye and public companies with shareholders that whenever they transfer data as part of any deal that a nondisclosure agreement is signed and that all of the network security controls of the other party are properly audited,” Gibney said.

“On top of that, they need to ensure they have cyber insurance to protect themselves and their clients in the event of any loss of data shared as part of the deal.”

One of the biggest issues to be resolved, said Gibney, is the control of access to data, where it is stored and who uses it once it has been transferred.

“Companies want to make sure that any data transferred is fully protected so that if an improper disclosure of that data occurs, you can advise any inquiring parties that the proper controls were in place to safeguard that data.”

Most of the errors occur, he said, because companies don’t have the right basic encryption protocols in place.

Tim Crowley, director, management and professional risk group at Crystal & Company, said it is important to get the company’s IT team involved as early as possible in the process in order to evaluate all of the other company’s privacy and security protocols, and to align the two companies.

“I think the critical thing for the risk managers, particularly on the buying side, is to continually look at their policies as they add different entities from potentially different industry classes, because not one policy is the same.”

—  Tim Crowley, director, management and professional risk group, at Crystal & Company

Crowley said the market for risk transfer policies has broadened considerably over the last few years in terms of the coverage provided for both first- and third-party liabilities.

“I think the critical thing for the risk managers, particularly on the buying side, is to continually look at their policies as they add different entities from potentially different industry classes, because not one policy is the same.”

Advertisement




Kevin Maloy, senior managing director, M&A, special practices, at the same brokerage, added: “From a risk management perspective, we are seeing more companies from a good governance standpoint, adopting the concept of a privacy committee and establishing privacy procedures.

“There are a number of clearly defined and set guidelines that companies can follow in order to take the right enterprise risk management steps to protect their balance sheets from an unintentional breach.”

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]