
Article

Why cyber risk and insurance due diligence should be part of your M&A process

Conducting a thorough due diligence investigation is a key part of any successful merger or acquisition. Traditional due diligence may not uncover or adequately quantify cyber risks.

Conducting a thorough due diligence investigation is a key part of any successful merger or acquisition (M&A). Most deal teams recognize the importance of robust due diligence to uncover any issues as early as possible. But they may be unaware that cyber vulnerabilities can be inherited through transactions, potentially putting their new venture at risk.

Traditional due diligence may not uncover or adequately quantify these risks. And this may increase the likelihood of cyberattacks or cyber-related incidents causing significant losses that could destroy deal value post-acquisition. It is therefore crucial for deal teams to carefully consider cyber threats during deals and factor them into their deal theses (for more details see episode 3, which will cover cyber risk financial quantification).

Cyber insurance due diligence helps de-risk transactions and protect value

Cyber risks and exposures are pervasive across all sectors, with nearly 75% of organisations experiencing cyberattacks in 2022. Since this risk is a constant and evolving threat, organisations need a thorough cyber risk management plan. Buyers should also ensure that their pre-acquisition due diligence investigates the target's potential cyber deficiencies.

Insurance is an important part of cyber risk management strategy, and influences the adoption of best practices and controls. In addition to understanding a target company’s existing cybersecurity strategies, a comprehensive review of its insurance policies is critical for assessing the quality and extent of protection against cyber risks.

When reviewing a target company’s cyber insurance policies, there are several areas to address:

Coverage depth and breadth

Buyers should evaluate any existing cyber insurance coverage in order to assess whether it aligns with the level of risk exposure.

Cyber insurance policy procurement does not necessarily ensure risks have been adequately transferred. Enlist specialists to review these policies. Supported by cyber risk quantification and an understanding of the target company’s business, they can best establish the potential for uninsured or underinsured losses post-transaction.

For sellers, identifying potential issues and solutions can help inform prospective buyers. Sellers should consider if existing policies provide sufficient coverage for buyers to reduce the risk of unexpected financial losses or reputational damage post-close.

Costs accuracy

When reviewing the extent and quality of coverage of a target company's policies, it is also critical to be mindful of associated costs. Identifying recurring cyber insurance costs, including understanding how these may change post-close, is essential for accurate financial modelling. Additionally, it is important to consider any insurance-related one-off costs that could impact value, such as improvements to a cyber insurance programme (including coverage enhancements or increased limits), as well as cyber insurance cost estimates.

Confirm how the target company’s cyber policies will respond to a transaction, as this may have future cost implications. Policies may have a change in control provision that would be triggered by an acquisition.

Buyers must also weigh the potential cost of procuring a new cyber insurance policy — either as a first-time purchase or in line with a changing IT environment. And if a target does not have a cyber insurance policy, investigate whether this is due to inadequate cyber controls that made acquiring coverage difficult or prohibitively expensive.

Continuity and replacement of coverage

Every M&A transaction is unique, and many involve separating and/or combining IT systems, networks, and data. This can expose unaccounted-for or unknown vulnerabilities and increase cyber risk. Consequently, there will be implications for how existing cyber insurance policies will respond.

Often, a target company will benefit from continuing to operate under its seller’s group insurance and IT environment for a transitional period. This arrangement requires a distinct approach and additional considerations dependent on the nature of the transaction (which will be addressed in episode 6). The same considerations should also apply when assessing possible integration into a buyer’s existing cyber insurance programme.

It is vital to understand the potential impacts on coverage continuity and take action to ensure that the cyber insurance programme remains uninterrupted where possible.

Claims considerations

Examining a target company’s claims history is an essential aspect of the cyber insurance due diligence process. Reviewing recent claims experience can help buyers assess the quality of the target company’s cyber protocols and future insurability.

Recognising the extent to which ongoing claim circumstances are expected to be covered by the target company’s current policy is also key. Cyber policies are typically written on a claims-made basis and will cover claims made and reported during the policy period.

Therefore, it is critical to have a clear understanding of how far back coverage goes based on the retroactive date, in order to prevent incurring any liabilities arising from the target company’s prior cyber events or litigation.

Sale and purchase agreement (SPA) warranties

Where applicable, buyers should review their SPA warranties to ensure they provide them with adequate cyber risk protection. Additionally, within a carve-out scenario, buyers should give consideration to the practicalities regarding continuity and replacement of cyber coverage.

Insurance due diligence providers should collaborate with the buyer’s legal advisors to ensure a clear position regarding pre-close insurable liabilities is established.

Action planning your cyber insurance programme

Cyber insurance due diligence exercises should aim to maximise deal value, while developing a target company’s strategic and technical responses to cyber risk management throughout the investment lifecycle.

A phased cyber insurance programme action plan that considers both completion requirements and longer-term strategies must be in place to provide protection and help create value.

With a more complete understanding of the cyber risks you may be taking on, as well as an appreciation of the strategies available to mitigate them, whether you are a principal or a dealmaker, a buyer or a seller, you may be better able to manage your investments both pre- and post-acquisition.

For more information on how we can help you manage cyber risk in M&A transactions, please contact your Marsh representative.

To access the other content in our cyber in M&A series please click here.