In a previous blog post, we discussed how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction. In this post we discuss cyber security insurance as a tool for managing this unwelcome risk.
The cyber security risk
Although businesses have been ramping up their information security systems, the pace of cyber security breaches is not slowing down. One study estimates that cybercrime will cost businesses $2.1 trillion globally by 2019. And, as recent security breaches have taught us, a security breach can have reputational, moral, and deeply political complications. The 2014 hack of Sony Pictures cost the company $100 million, derailed plans for the distribution of a movie concerning North Korea, and raised ethical questions about the appropriate response to cyber terrorism.
On top of this, businesses will soon face stricter legal requirements around the disclosure of security breaches in Canada. New rules regarding the mandatory disclosure of security breaches were approved by Parliament in June 2015 and may come into force at any point. The Digital Privacy Act amends the Personal Information Protection and Electronic Documents Act and requires that an organization report any breach of security safeguards that reasonably creates a real risk of significant harm to an individual. Notification must be made to the Privacy Commissioner and to the individual involved. Significant harm under the statute includes financial loss, bodily harm, damage to reputation or relationships, and loss of employment, business or professional opportunities.
Cyber security breaches and their associated financial, reputational, and regulatory risks are here to stay.
Insurance as part of the solution
While the key to managing cyber security breaches will always be to implement strong data protection systems, cyber security insurance is becoming a popular way to address the financial consequences of cyber security breaches. A cyber security policy insures against risks to a company’s information technology and data assets, and leaves the insurance company with the uncertainty of actual damages in the case of a breach.
In the context of M&A, the problem with cyber security risk is valuing and allocating risk among parties. Similar to reps and warranty insurance (which we discuss here), cyber security insurance allows a company to allocate risk by transferring some to the insurance company and leaving the buyer and seller to allocate any remaining risk that falls outside the policy. Cyber security insurance is also valuable before M&A. Having a policy in place may help ease concerns of acquirers, as the insurance would cover security breaches that may have already occurred prior to closing but have yet to materialize. This has been found to hold true in jurisdictions that have data breach notification laws like the ones currently pending in Canada. Coverage can be a standalone product or can be built into existing policies such as business continuity insurance or supplier chain insurance.
Cyber security risk represents a new and significant risk to businesses. Simply being aware of this risk is critical in an M&A deal. Once the risk is recognized, however, putting appropriate security measures in place, conducting IT due diligence, and allocating risk by way of negotiation or insurance will help all parties cut through data breach uncertainty and settle material issues efficiently.