Author: Richard Hornby
Buyers inherit all kinds of risks when they acquire a company, including undetected or undisclosed cyber breaches that can lead to damaging ransomware attacks or costly data breaches. Ensuring proper coverage is available before the deal closes should be the priority. And with multiple options out there, buyers should move cautiously, to avoid any last-minute problems.
The risk of latent data breaches
There's a growing risk that a company might have compromised IT infrastructure before it's acquired. This compromise could be malware already downloaded onto a computer system or, more commonly, a hacker who gained access through stolen or compromised credentials. A 2023 report from CrowdStrike noted that malware-free activity accounted for 71% of all detections in 2022, up from 40% in 2019.[1]
Hackers often wait several months after gaining access to a company's systems before activating their attacks. According to IBM's 2022 Cost of a Data Breach report, the average dwell time (the time between an initial breach of a computer system and it being discovered and remedied) is 210 days.[2] Other estimates range from three to seven months.[3]
Dwell time becomes a serious problem for buyers if it leads to a data breach affecting the company they've just acquired. The average cost of a data breach for American businesses was $9.44 million in 2022. Healthcare companies were at the top of that range, with a $10.10 million average.[2]
Allocating risk for latent data breaches
There are four main avenues for allocating the risk of a preexisting cyber breach:
- Cyber insurance
- Seller representations or indemnities
- Representations and Warranties insurance (RWI)
- Self-insurance (the buyer assumes the risk itself)
The first port of call when there's a cyber breach should be the buyer's insurance broker and Cyber insurer.
Even though the seller or RWI might provide an indemnity for cyber-related losses, the terms of the acquisition agreement and the RWI policy normally state that the buyer is under a duty to mitigate such losses and pursue existing insurance. Having the correct Cyber insurance in place and the support of the right broker should be the priority.
Even if the buyer can pursue the seller for breach of a representation and warranty, it's probably much easier for the buyer to seek indemnification from the target's Cyber insurance. Allocating risk to the seller or the RWI insurer is inherently difficult and shouldn't be the sole strategy.
In practice, it's unlikely the seller will give an unqualified representation that there are no existing cyber breaches on the acquisition date. Often, such representations are qualified by the seller's actual knowledge, given how hard it can be to detect breaches, severely limiting the scope of the representation.
If a seller does agree to a broad, unqualified "no breaches" representation, the seller would likely limit its liability (to nil, or 50% of the RWI deductible) and ask the buyer to rely on RWI. (The majority of RWI policies placed by Gallagher in 2022 involved a nil seller indemnity structure. Nearly all of the remaining limited seller indemnity deals were capped at 50% of the RWI deductible, which offers, at best, a cap of 0.5% of the deal value.)
While this limitation leaves little room for seller recourse, RWI provides a useful alternative.
If the target doesn't have a preexisting Cyber policy at all, and it's not possible to put one in place before closing, the buyer could request an indemnity from the seller, before self-insuring (i.e., assuming the risk) as a last resort.
Problems with prior acts
Cyber policies provide coverage on a "claims-made" basis, meaning the policy can cover losses that are discovered and notified during the policy period.
When a company is acquired, the claims-made policies typically stop providing coverage for acts and events that occur after the acquisition date, by virtue of the policy's change in control provisions. The policy then converts to "runoff" for the remainder of the policy period, covering only claims that relate to acts or events that occurred before the acquisition date — known as prior acts.
There are a few options to make sure coverage continues for prior acts, but buyers should move cautiously to avoid any last-minute problems before the deal closes.
Firstly, some brokers mistakenly believe that a buyer's Cyber insurance program can automatically cover an acquired company, including its prior acts. Most Cyber policies provide some form of automatic coverage for acquired companies that fall within the policy's acquisition threshold, but this provision is with respect to acts or events after the acquisition date, not prior acts. Even if the policy form doesn't explicitly exclude prior acts coverage for acquired businesses, we wouldn't interpret that lack as providing prior acts coverage.
Secondly, more often, we see brokers advising the buyer to add the acquired company to their existing Cyber program, with prior acts coverage, subject to underwriting and an additional premium. This move is risky. In the current market, buyers' Cyber insurance carriers are very hesitant to provide prior acts coverage to acquired companies. It would require a new application and underwriting process, which isn't likely to deliver certainty before closing.
Thirdly, there's the possibility of requesting a waiver of the change in control provisions for the target's cyber policy. While this approach makes sense if the target's systems remain separate from the buyer, in the current market environment we advise caution with this approach and, at the very least, recommend agreeing this course of action with the target's cyber insurer before closing.
Things could get very tricky if the buyer fails to secure coverage and the deal is already signed. The buyer could be left without coverage and no opportunity to negotiate risk or cost allocation with the seller.
Impact on RWI
RWI insurers often expect the target to have appropriate cyber coverage in place for prior acts before offering to cover cyber-related losses. Getting it wrong can leave buyers without coverage under RWI; and, in cases where the seller limits its liability, there won't be meaningful recourse for breaches of representations.
In most cases, RWI underwriters rely in good faith on the buyer being able to put in place coverage once the deal has closed. Some RWI underwriters, however, impose a conditional exclusion (or an increased deductible) for cyber losses, until they see evidence of coverage.
For deals with a heightened exposure to cyber risk, some RWI carriers limit coverage for cyber-related losses only to the extent such losses are covered by the underlying cyber program (referred to as "excess and no broader than" Cyber coverage). This limitation could potentially result in an unintended gap in coverage, especially if the buyer is relying on automatic coverage for acquired entities, with full prior acts. Then neither the Cyber nor the RWI policies might respond at all.
A simple solution: a Cyber tail policy
Sometimes keeping it simple is the best option. We typically recommend arranging a Cyber tail policy, by closing, to provide coverage for prior acts. This tail policy is achieved by asking the target's cyber insurer to extend their runoff period for at least 12 months for an additional premium.
Given the time pressure of an acquisition, the parties should be certain that prior acts coverage is available at signing. Arranging a tail policy can achieve this goal quickly and efficiently. If the target's systems are going to be impacted by the deal (such as being integrated with the buyer's IT infrastructure) then the target's Cyber insurer is more likely to agree to runoff compared to waiving a change in control. They don't have to underwrite the risk to the same degree either, compared to the buyer's insurer.
Given that it's in both the buyer's and seller's interests to have prior acts coverage in place at closing, responsibility for arranging and paying for prior acts coverage should be agreed to before signing the deal. These obligations can be captured and enforced under the acquisition agreement. While this approach is common for some claims-made policies (such as Directors and Officers), we recommend a broader approach to maintain all claims-made policies, including cyber.
Costs are a commercial discussion, but if the seller covers the cost, there's no additional price for the tail policy compared to agreeing a change in control waiver with the incumbent insurer, or using prior acts coverage under the buyer's cyber program.
Get the right support
Gallagher Private Equity and M&A Insurance and Consulting offers best-in-class cyber diligence and risk management services, coupled with transactional advice, to allocate and mitigate cyber risks during mergers and acquisitions (M&A).
Mitigation through detection and prevention is key to avoiding cyber breaches. We help buyers and sellers evaluate the systems and controls of a target company, in addition to its existing cyber insurance, through our combined due diligence service. This evaluation allows the deal parties to rectify security and insurance deficiencies before they close the deal. It also puts buyers on the front foot when it comes to integrating a new partner onto their IT systems and within their cyber program.
Gallagher also offers incident response (IR) and claims advocacy services to effectively mitigate losses and reach an appropriate claim outcome with the cyber insurer. Organizations that have an IR team and regularly test their IR plan saved on average $2.66 million.[2]