Risk Scenario
Empty Shelves, Broken Hearts
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
PART ONE: SHAKE, RATTLE AND ROLL
The world of beverage sales and consumption can appear at once blindingly simple and maddeningly complex. What determines who wins and who loses can sometimes seem to balance on the head of a pin.

Take the case of Planet Pleasure, a protein shake manufacturer with surf culture roots that achieved astonishing sales results based on a straightforward theory. The theory was that athletes, be they weightlifters or runners, or perhaps just weekend pickleball wizards, would pay real money for a protein drink that, in addition to helping them build muscle, would taste not just palatable but delicious.
Planet Pleasure launched in Escondido, Calif. in 2018 with $2 million in seed money and, headed by its surfing pro founders, reached $100 million in sales by 2023. The product’s taste palette was almost exclusively Pacific Rim. Pineapple, kiwi, guava and mango were the leading tastes in Planet Pleasure’s see-through bottles (what you see is what you get), which were made from recycled plastics.
Another key to the company’s success, what you might call its secret sauce, was an end-to-end production process that was entirely refrigerated. What the founders hit on, and enforced with an almost maniacal drive, was a product with the consistency and mouthfeel of something that just came out of the blender. They delivered that by getting the product on retail refrigerator shelves as fast as humanly possible.
Working at Planet Pleasure was fun and it was meant to be fun. The team was winning and there was a “feel good” piece to the company, as it produced healthy products and its management team seemed to steer clear of a cut-throat business vibe.
Things went so well that the company’s success started to attract attention from some very deep pockets. From a return-on-investment perspective, the news that some very large food conglomerates had their eye on Planet Pleasure was stimulating. The news, however, was almost immediately divisive to the company’s culture. From IT to operations, there were many in the company who were disgusted that the management team would even consider selling out to “the suits”.
“This is not what we signed up for,” said one disgruntled IT employee to another over stout microbrews and hefty yellowtail tacos at their favorite beachside bar in Del Mar after work one day.
Nonetheless, the bidding on Planet Pleasure is fast and furious. Awed by the company, potential buyers are blinded to what may be latent risk management weaknesses. The buyers want this company and they want it right now.
PART TWO: MONEY IS MONEY
As 2025 dawns, Planet Pleasure, at least from a sales perspective, is rolling like a sweet four-foot wave shaped by an offshore breeze. In addition, the offers being proposed by three different buyers, rumored to be in the $500 million range, are staggering. As management mulls its next move, however, the rank and file are in a state of agitation. In surfer terms, whether the founders admit it to themselves or not, the company is headed for “gnarl,” i.e. choppy waters.

Rumors of upcoming layoffs should the company be sold are rampant, which is leading to high levels of anxiety in some corners. Not to mention the fact that selling to a big corporation, a pillar of the despised establishment, is viewed by many at the company as nothing less than a moral crime.
Our beer-drinking member of IT, already sure he is going to be made redundant, and convinced he stands on the moral high ground, hatches his own little plan. On the evening of the day Planet Pleasure’s sale to winning bidder AMG Foods closes, in the guise of sharing some important documents, he e-mails a zip file, infected with malware, to a co-worker.
When the co-worker comes to work the next day, he opens the zip file and the malware goes to work.
Devastation follows. The self-replicating malware races through Planet Pleasure’s systems, taking its production line offline indefinitely.
Not only is the production line down, but there are no guardrails in place to prevent the malware from infecting additional elements of Planet Pleasure’s technology infrastructure.
Everything from IT to accounting is impacted by the attack.
AMG Foods had conducted its due diligence of Planet Pleasure’s cyber defenses and determined them to be solid. Where its due diligence failed, however, was in how well-aligned its business continuity approach and resilience capabilities were with the acquired company.
Planet Pleasure had a cyber insurance policy that was accompanied by a business recovery plan.
“The problem is, they didn’t practice it,” said AMG Foods’ insurance broker, in explaining to company leadership why Planet Pleasure was knocked offline for such an extended period of time.
“In fact, I don’t think they even looked at it, except maybe glancing at it around renewals,” he went on to say.
As the shutdown unfolds, confusion reigns. There was almost a complete lack of coordination among Planet Pleasure team members in getting the company’s production line back up and running.
In addition, had the company practiced its business recovery procedures with its information retrieval vendor, it could have saved precious time, not to mention precious financial resources.
“I had no idea,” one of the company’s co-founders said to the other.
“We blew it,” the other replied. “We just plain blew it.”
PART THREE: PLANET PAIN
As stated above, the true distinguishing feature, the winning element in the Planet Pleasure formula, was its rapid, refrigerated manufacturing process. In taking dead aim at it, the disgruntled IT worker knew exactly what he was doing and where it would hurt the most. Without that process, Planet Pleasure’s product lost the characteristics that distinguished it in the marketplace.

The malware attack took that capability down, locked it essentially, and there was no telling when it could get kickstarted again.
As the merger with Planet Pleasure approached, AMG Foods had augmented its cyber insurance coverage with an additional $10 million primary layer topped by a $10 million excess layer, expressly written to cover the operations of the acquired company.
Three weeks into the aftermath of the malware attack, as AMG Foods and Planet Pleasure work furiously to try and resurrect the Planet Pleasure manufacturing processes, business interruption losses in the form of lost sales alone stand at $30 million.
“This is a complete train wreck!” thunders AMG’s CEO at his mergers and acquisitions team.
Rebuilding or replicating the Planet Pleasure manufacturing process is out of the question. It will take another two weeks before cyber security experts can get Planet Pleasure up and running again.
Wowed by the uniqueness and shooting star success of Planet Pleasure’s product, AMG Foods management failed to realize how vulnerable the company really was to a cyber attack.
Key among those vulnerabilities is that although it had a business recovery plan, it amounted to nothing more than so many pages on a shelf as it hadn’t been reviewed or practiced in any meaningful way.
“Man, were they a paper tiger in the end,” AMG’s insurance broker said to no one in particular after hanging up the phone one day, having heard the latest bad news stemming from the malware incident.
Risk & Insurance® partnered with MSIG USA to produce this scenario. Below are MSIG USA’s recommendations on how to help mitigate the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
The Planet Pleasure breach, while fictional, reveals how cyber risk can quickly derail even the most promising acquisition. AMG Foods failed to fully align its business continuity expectations with the reality of Planet Pleasure’s preparedness, leading to significant operational disruption and financial loss. When systems fail and production halts, reputational damage and lost revenue can escalate fast, especially in high-velocity deals where cultural tensions and insider threats are overlooked.
MSIG USA’s 350+ years of experience, A+ Class 15 financial strength, global scale, and a full-stack view of risk provide a rounded view of risk and exposures. With multinational expertise and tech-enabled cyber underwriting, the team is well-equipped to assess complex exposures—like those seen in the Planet Pleasure scenario—and help clients build lasting cyber resilience.
To better manage cyber risk in M&A, companies should take these key steps:
Implement Buy-Side Cyber Due Diligence with Real Testing
Traditional cyber reviews often miss critical gaps. Effective diligence should include testing, breach history, and a review of key controls like encryption and access management. Partner closely with a carrier like MSIG USA to connect these findings to coverage needs with protections like eCrime, extortion, and regulatory liability.
Treat Business Continuity Plans as Live Tools
Planet Pleasure had a recovery plan, but never tested it. In business, the ability to execute a plan is just as critical as having one. MSIG USA’s recommended approach is for businesses to work with a carrier that can help them move beyond paper plans by facilitating tabletop exercises and stress testing to identify gaps and improve coordination across teams. Practicing response in advance is essential to building true operational resilience when systems fail.
Align Cyber Insurance with M&A Strategy from the Start
Insurance must be part of the pre-close strategy. Waiting until after a deal closes can leave gaps in coverage or misaligned limits. MSIG USA recommends working closely with your carrier before close to structure appropriate limits and terms, helping to ensure protection for first-party and third-party exposures including cyber liability, technology errors, and media liability, at the pace of the deal.
Use Insurance to Strengthen Long-Term Resilience
Cyber client risk assessment should extend beyond insurance to include vendor risk oversight, business impact analysis, and incident response planning. Working with an insurance group like MSIG USA can help to strengthen these areas through the underwriting process – helping clients identify critical dependencies, evaluate response capabilities, and understand both technical and cultural vulnerabilities.
“A strong cybersecurity assessment during due diligence is key to preserving deal value and ensuring operational continuity,” says Siobhan O’Brien, Global Head of Cyber at MSIG USA. “MSIG USA stands apart by combining technical underwriting with a collaborative, tailored approach. We align coverage to each client’s unique risk and integrate it into a broader strategy that supports long-term resilience.”


