Preparing for an M&A? Better Check Your Cyber Coverage
Quantifying specific risks and best practices in managing cyber risk during mergers and acquisitions (M&A) is a bit like determining how many pages there are in a contract.
Exposures vary widely by the type of transaction and the nature of the parties. It is also a bit like three-dimensional chess, because the steps in any deal create exposures for both parties by their very nature. Due diligence is the mandate, but so are collaboration and disclosure.
“In the case of a corporate change-in-control transaction where the buyer is acting for strategic reasons — intellectual property [IP], technology, distribution — and acquiring the seller in whole rather than in part, then we typically see the seller’s cyber coverage put into run off,” said John Marchisi, area vice president for the southeast region for Gallagher’s U.S. retail property and casualty brokerage.
“The buyer then negotiates the purchasing of tail coverage for the reporting of claims arising after the transaction date.”
He stressed that ‘run off’ and ‘tail’ are often used interchangeably, but they shouldn’t be.
“Run off is the condition,” Marchisi explained, “and the tail is the cure. Like directors and officers coverage, a change-in-control ceases coverage for events occurring after the effective date. That is what triggers the policy in force to run off. The tail is purchased for as much as six years after the change-in-control date for the expected statute of limitations.”
One of the challenges with cyber due diligence, as with the related representations and warranties (R&W), is that they are to some degree intangible. So is goodwill, yet goodwill is readily quantifiable.
But a big part of cyber risk involves what might have to be done in the future to resolve something that might have happened in the past.
“No company, in this day and age, can afford not to have either some small limit for cyber or at least have it as part of their risk management plan.” — Marcin Weryk, head of cyber risk for western and southern U.S., AXA XL
“With cyber, we are moving beyond moats and walls,” said Marchisi, “and into a state of resiliency. Previously, cyber concentrated on known breaches. The seller would warrantee that there had been none, but often those can go undiscovered for years.”
The way to prepare for a change in control, many sources agreed, is to conduct due diligence specifically on insurance, with a focus on current coverage and loss history. “From there,” said Marchisi, “we can negotiate the tail for some assurance that liability for prior events is contained inside that tail. Then the buyer can feel comfortable in absorbing the seller.”
Insurance should be a consideration much earlier in the process, from the beginning if possible, but it often is not considered.
“There have been acquisitions where the insurability, or near-uninsurability, of the seller has come as a shock to the buyer,” said Marchisi.
As a positive example of cyber due diligence being considered early in the process, Marchisi related a case where the buyer was specifically making an acquisition to gain intellectual property.
“A search of the dark web revealed that the desired IP had already been compromised. The buyers were able to renegotiate the deal in a material way.”
Of all the kinds of IP — patents, trademarks, copyrights and trade secrets — Marchisi noted trade secrets are the most valuable and therefore most attractive to bad actors. They are also the most vulnerable in the cyber space during M&A.
As a staunch advocate of cyber security due diligence, Marchisi also urged buyers to examine the seller’s internal communications protocols.
“If there are established procedures and record keeping for communicating incidents up through business heads to senior management and the board, those should be demonstrable.”
The existing cyber security coverage of a target company can be extended forward from the date of a planned acquisition or purchased retroactively, said Michael McGowan, head of M&A for North America at AXA XL.
“In cases where the acquirer is a private equity [PE] fund or financial sponsor, they usually just try to purchase tail insurance.”
If the deal is a strategic combination or tuck-in acquisition into an existing PE portfolio company, there may be a tail component, he explained. Or, the target company could be rolled into the buyer’s own existing program.
“We don’t see underlying cyber coverage in every deal,” McGowan added. “Cyber insurance may only be necessary if cyber security or potential data breaches are of material concern to the target company’s existing business.”
He elaborated that, “in many cases where there is existing cyber insurance, an R&W policy may provide additional coverage that sits excess of, and no broader than, the underlying cyber policy. The R&W policy would then provide additional protection for an insured, since there would likely be some overlap.”
Furthermore, issues that are important to cyber underwriters may also be underwritten again by a carrier placing an R&W policy.
“Typically, we review various diligence reports prepared by a buyer’s advisors in a transaction, and then look for diligence gaps or material issues,” McGowan said.
“From there, we can give guidance on whether a buyer should be purchasing some or more cyber coverage or place necessary exclusions into the R&W policy.
“The process for areas where complementary but necessary underlying coverage is applicable is similar to how we approach underwriting environmental or product liability risks within an R&W policy,” he added.
Take Up Is Still an Issue
The reality is that there is not necessarily cyber coverage in every deal, said Marcin Weryk, head of cyber risk for western and southern U.S. for AXA XL.
“No company in this day and age can afford not to have either some small limit for cyber or at least have it as part of their risk management plan. Cyber coverage has come a long way in just a few years, but still the purchase rate is not anywhere near where anyone would like it to be.”
In some sectors, such as finance, retail and health care, cyber coverage is mandated.
“Typical books of business have been built on those three verticals,” said Weryk. Uptake in professional services, construction and manufacturing has been slower but is starting to accelerate.
One approach that Weryk takes is through group purchasing by large- and mid-market companies.
“As soon as they make an acquisition, they require the new portfolio company to ‘mature their cyber process.’ The new acquisition has the option to buy standard coverage, and it’s rare that they do not.”
The buying rate for cyber coverage is lower for small businesses, even though they may have a need, said Robert Pizarro, vice president of commercial specialty at AmTrust Financial. Smaller firms by nature likely have less resilience to deal with a data breach.
“It is important for insureds to understand the risk and the minimum levels of protection available in the market,” he said. “For example, every state now has privacy notification requirements.”
One factor favoring wider use is that cyber coverage is becoming more standardized, said Pizarro. Differences remain because of carriers’ underwriting practices and coverage offerings.
“There is a tendency for companies being purchased to keep the kimono closed to some degree, even to the acquiring entity,” said Christopher Keegan, cyber practice leader at Beecher Carlson.
He also noted that “the M&A systems integration process itself can be a risk. Still, there are external methods of evaluating cyber security. They are not exact, but they can provide a good sense of cyber good practices.”
From the transactional side, Joe Ehrlich, co-practice leader for private equity, family offices and M&A at Beecher, said that he “is not seeing much due diligence done on cyber security even where insurers are issuing a reps and warranties policy.”
He added: “I’m not suggesting due diligence in lieu of insurance, but rather we are seeing R&W insurance sitting excess over insurance in place even without diligence. Cyber exposures can have a deleterious effect on value.”
Ehrlich observed that “for financial due diligence in a deal, companies hire an accounting firm; for compliance due diligence, they hire a law firm. But we are not seeing that much in cyber, where professionals are regularly being retained.”
For the most part the key question is “sufficiency of policies in place.”
One mitigating factor is that cyber coverage has improved in recent years.
“Cyber insurance is broader than ever,” said Keegan.
“The gaps in coverage have been identified over the years and filled. There is still no such thing as a ‘standard form,’ but there is not much that would get through a broad cyber form any more.”
That also means underwriting standards have risen. Keegan is familiar with a transaction where the business being acquired had such a bad reputation that it could not get cyber coverage as a standalone company.
“That sort of thing is unusual,” he said.
“As long as a company can tell a good story about what happened, why it happened, how it was addressed, and steps taken to prevent reoccurrence of a cyber event, then in most cases the seller will be allowed to roll into the buyer’s coverage.”
“It all depends on what the buyer [and the buyer’s underwriters] can live with,” Ehrlich said.
“For anything they can’t, the insurer will seek an exclusion to the policy and the buyer would be left to seek indemnity directly from the seller, or adjust the price of the deal.”