Tuesday 04 August 2020 - Thought Leadership

How to stop cyber risks derailing M&A deals

Unknown or undisclosed cyber security issues can lurk like icebergs under M&A transactions, potentially reducing their value or even exposing the buyer to large fines. Legal and insurance experts from Tokio Marine HCC and Dentons came together to examine the risks and what clients can do to keep their deals afloat. *

The current Covid-19 situation is having a significant impact on the global economy, but it is increasingly clear that many are underestimating its impact on companies’ cyber exposure.

With more people working remotely (with a corresponding reduction in the use of secured devices), carrying out IT “hygiene” tasks (patch management, traffic monitoring) has become more difficult due to increased external traffic entering IT systems.

These factors mean that companies are more exposed than ever before and malicious actors, fully aware of these new vulnerabilities, have become extremely active. Since the beginning of the pandemic, phishing campaigns have increased by 600%.

All of these factors feed into our discussion of cyber risks within M&A deals.

“When buying a company in this digital age, you’re also buying its data, its critical systems, and potentially, its security problems,” explains Xavier Marguinaud, Head of Cyber at Tokio Marine HCC. “With ever-expanding supply chains, linked through connected systems and devices, there are more entry points for criminals to attack company systems.”

Data breaches can wipe millions off value

In an M&A deal, this can be a problem for both parties. A breach discovered on the seller’s side can reduce the price they can ask for their business. Equally, a buyer can be left counting the cost should a cyber issue come to light after the deal completes.

For example, an undisclosed cyber-attack on Yahoo’s systems was discovered mid-acquisition. As a result, Verizon (the buyer) was able to shave $350 million off the final price – that is, 7% of the total deal value.

Another case was when Marriott Hotels bought Starwood and subsequently discovered a data breach that had actually started several years before the deal. Millions of customer records were exposed, and Marriott was fined almost £100 million under GDPR. The reason for the fine issued by the UK’s Information Commissioner? Marriott’s failure to undertake sufficient due diligence during the acquisition.

Buyers demanding broader warranties

“All of this is leading to tighter terms in sale and purchase agreements,” explained Tristan Jonckheer, Technology and Cyber Partner at law firm Dentons. “Since the Marriott case, buyers have been demanding extra warranties; as well as the usual warranties confirming compliance with data protection laws and that there have been ‘no data complaints from individuals or regulators’, buyers are increasingly demanding assurances such as ‘no circumstances that could have given rise to such a complaint’. That’s a very difficult statement for a seller to make as it may not be aware of all security vulnerabilities.

“Remember, most businesses will have had some cyber security issues. Buyers should beware of a company that has no disclosures against cyber warranty statements; it may be a sign they’re hiding something, or more likely, that they do not have a good level of understanding of this key area of their business.”

Three steps to effective cyber security due diligence

Xavier Marguinaud advised that the following were key areas to consider in any due diligence process:

1. Cyber footprint

Look at how the target company operates. What systems are they running? How do they share information? What risks does this expose them to?

2. People, process, and technology

Does the target company have a centralised team to manage cyber incidents? Is there enough training internally? How good are their data management processes? How secure is their technology?

3. Readiness

Look at their disaster recovery plans – is there built-in redundancy so their systems can absorb some of the impact of an attack and still bounce back?

How Tokio Marine HCC and Cyber Insurance can help

It is worth highlighting that cyber policies are not able to cover fines arising out of non-compliance with GDPR in many circumstances. In general, it is against ‘public policy’ for fines and penalties to be insured and, in many jurisdictions, they are therefore considered uninsurable.

However, cyber insurance can provide protection for companies against the increasing costs of data protection claims and crisis response, as well as losses such as business interruption and extortion.

From offices in Barcelona, London and Singapore, Tokio Marine HCC offers flexible cyber insurance cover, tailored to businesses by our in-house cyber experts, who are among the most experienced in today’s international cyber insurance market.

Cyber & Transaction Risk Insurance

The Tokio Marine HCC Cyber team works closely with the Transaction Risk Insurance (TRI) team to offer bespoke cyber solutions for M&A transactions.

We are able to tailor cyber cover for each deal in a way that is truly unique in the current W&I market, combining W&I and Cyber expertise to offer the best possible level of cover for the client. Depending on the risk profile, cyber cover can be embedded within W&I or purchased as a standalone policy with both options available on a primary or excess basis.

“We look beyond the obvious,” says Marcin Stoń, Senior Underwriter – Transaction Risk Insurance at Tokio Marine HCC. “For example, an airport that processes a lot of sensitive data might initially appear to pose a huge cyber risk, but when our W&I and Cyber teams studied the business model, they could see that only anonymised data was handled and key risk areas were outsourced. So, the actual cyber risk was much more manageable, and we were able to offer insurance cover for the client.”

This blend of expertise has allowed Tokio Marine HCC to go beyond the usual underwriting parameters and offer cyber cover even when deal parties have not carried out specific cyber due diligence. This is achieved by asking targeted cyber questions, which help paint a fuller risk profile and also improve the client’s understanding of the cyber risk in the deal.

As awareness of cyber risks in M&A deals increases and demand for cyber insurance protection grows, Tokio Marine HCC is confident that a collaborative Cyber-M&A cover approach will help our clients get their deals done effectively.

Cyber risk facts:

  • $600 billion annual cost of cybercrime to the global economy, up 35% since 2016 [1]
  • $3.9 million average business cost of a data breach [2]
  • 46% of UK businesses have reported at least one cyber-attack in the last 12 months [3]
  • 74% of buyers in M&A deals said they were concerned about cyber security issues derailing their deal [4]
  • 80% of dealmakers said they have uncovered data security issues in at least 25% of their M&A targets in the previous two years [5]
  • 52% believe they need cyber risk training for M&A teams [6]

* This article was written based on a seminar held by Tokio Marine HCC on 14th November 2019 in London, UK and has been edited since the outbreak of the Covid-19 pandemic. The speakers at the seminar were Xavier Marguinaud, Underwriting Manager – Cyber, Tokio Marine HCC; Tristan Jonckheer, Partner – Technology & Cybersecurity, Dentons; Marcin Stoń, Senior Underwriter – TRI, Tokio Marine HCC; and the session was moderated by Nuala Read, Senior Underwriter – TRI, Tokio Marine HCC.

[1] McAfee & Center for Strategic and International Studies. The Economic Impact of Cybercrime— No Slowing Down. (2018). Retrieved 29 July 2020, from https://www.mcafee.com/enterprise/en-gb/solutions/lp/economics-cybercrime.html

[2] IBM. Cost of a Data Breach Report 2020. (2020). Retrieved 29 July 2020, from https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

[3] Gov.uk. Cyber Security Breaches Survey 2020. (2020). Retrieved 29 July 2020, from https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020#fn:1

[4] Freshfields Bruckhaus Deringer LLP. Cyber Security in M&A. (2014). Retrieved 29 July 2020, from https://www.freshfields.com/49f6ef/globalassets/campaign-landing/cyber-security/ma-cyber-security-report.pdf

[5] PwC. When cyber threatens M&A. (2018). Retrieved 29 July 2020, from https://www.pwc.com/us/en/services/deals/cyber-threats-to-mergers-acquisitions.html

[6] Freshfields Bruckhaus Deringer LLP. Cyber Security in M&A. (2014). Retrieved 29 July 2020, from https://www.freshfields.com/49f6ef/globalassets/campaign-landing/cyber-security/ma-cyber-security-report.pdf