The American Bar Association (ABA) Mergers and Acquisitions Committee recently published its latest Private Target Mergers Deal Point Study. For the market metrics of major negotiated legal issues in U.S. private company acquisitions, this publication is widely considered the gold standard.
As is often the case, the ABA Deal Points Study began tracking some newly appearing representations and warranties in the sale purchase agreements they reviewed. Two of the newly tracked representations (reps) were related to privacy and cyber security. The ABA Deal Points Study looked for reps that went beyond compliance with the law or were limited to a specific area, such as medical records.
Privacy reps were included in 68 percent of the reviewed agreements. The ABA Deal Points Study provides sample language below to demonstrate the kind of language it is seeing:
Target has complied with all Laws and contractual and fiduciary obligations as to protection and security of Personal Data to which it is subject. Target has not received any inquiries from or been subject to any audit or Legal Proceeding by any Governmental Authority regarding Personal Data. Target has complied with its policies and procedures as to collection, use, processing, storage and transfer of Personal Data. No Legal Proceeding alleging (a) a material violation of any Person's privacy rights or (b) unauthorized access, use or disclosure of Personal Data has been asserted or threatened to Target. Since [date], there has not been a material violation by Target of any Person's privacy rights or any unauthorized access, use or disclosure by Target of Personal Data.
Cyber security reps were included in 70 percent of the reviewed agreements. As in the above, the ABA Deal Points Study provides sample language to demonstrate what the study was looking at here:
The information technology equipment and related systems owned, used or held for use by Target (“Systems”) are reasonably sufficient for the Business's immediate needs. Since [date], there has been no unauthorized access, use, intrusion, or breach of security, or material failure, breakdown, performance reduction or other adverse event affecting any Systems that has caused or would reasonably be expected to cause any substantial disruption to the use of such Systems or the Business or any material loss or harm to Target or its personnel, property, or other assets.
So how would both representations and warranties insurance, and cyber insurance, respond to some of these new reps?
When looking at the ability to obtain coverage for particular reps, from a representations and warranties perspective, we focus on two aspects: diligence (the work undertaken by the buyer or their third-party providers to verify the truth of the representation for themselves) and underlying insurance coverage (meaning the coverage already in place for the target that is being acquired).
If the buyer of the target is a private equity entity, then this diligence is most often handled by a third-party provider. On the other hand, a strategic buyer might handle this type of diligence internally, depending on the buyer's size and sophistication in this field.
When an underwriter feels that a representation is too broad, by which we mean that it would be unreasonable for someone to make such a representation because they could not know whether it was true, they might seek to limit that statement to “knowledge.”
For example, a representation like, “We have not infringed anyone's intellectual property (IP) anywhere in the world,” for the purposes of the policy might instead read, “To the best of our knowledge we have not infringed anyone's IP anywhere in the world.”
Despite the above, these are not inherently difficult representations on which to conduct diligence. Providing access to a seller’s policy and procedures, their IT staff, any third-party penetration testing they have had done, and their claims history can all add comfort for the underwriter.
If diligence can be done, then the second issue becomes the quality of the underlying coverage. The underwriter will wish to review the target’s cyber insurance policy to see if a breach of the representations would be covered adequately by the existing policy if a claim is reported post-sign/close for an incident that occurred prior to signing.
Underwriters will want to have said coverage as a first port of call before they respond. In the event that the target’s coverage is inadequate, they will seek an exclusion or particularly high deductible for a claim against those breaches.
Both scenarios under the contractual provisions highlighted in the ABA Deal Points Study would be covered by a well-brokered cyber insurance policy. Cyber insurance policies have been expanding coverage over the past few years, and affirmatively respond to both a failure of security, such as unauthorized access, as well as violations of consumer privacy rights.
Damages are a bit different in each case, but the coverage would respond to cover costs the “target” itself incurred to respond to the breach of security (first-party loss), as well as to cover any liability owed to a consumer or regulator (third-party liability).
One of the key aspects to these agreements is the date included in the cyber security representation because the farther back the time frame of the representation goes, the more risk that would be involved. Cyber security issues are notorious for taking a long time to surface in that attackers have become adept at infiltrating networks and moving laterally to avoid detection for long periods of time.
So, for a company that is looking to warrant no such security incidents for an extended period of time, they should consider an external assessment of their system to validate the warranty statement they are making.
There are many companies that provide IT expertise willing to do a security assessment and certify no security failures or unauthorized access for a company during an M&A transaction.
We must also consider how the “target’s” cyber policy is going to be handled moving forward. Cyber insurance policies are typically written on a claims-made and reported basis, meaning the loss is attributed to the policy year that it is first discovered and reported to the insurance carrier.
Most include a “prior acts date” that provides coverage for events that occurred back to a specific date, but were not discovered and reported until the current date.
For example, say the “target” first experienced a breach in 2018 but did not discover it until 2019. Provided that the policy included a prior acts date that precedes the initial intrusion, i.e., the prior acts date lists some date before 2018, the claim would go against the 2019 policy because that is when the breach was discovered and reported, despite the initial intrusion occurring in 2018.
As a result, underwriters will want to see that the cyber policy in force at the time of the acquisition goes into run-off. A run-off is a mechanism that allows the policyholder to make a claim for breaches discovered for a set period of time, often up to six years, but which occurred prior to the transaction.
This would allow the new owners to mitigate the risk of an unknown cyber intrusion by allowing them to report a claim to the old policy and prevent a dilution of the limits on the new owner’s policy.
It is worth being aware that not all cyber policies are created equal. Our team at Woodruff Sawyer has seen more than a few situations where a target either has no cyber policy in place or one that only provided partial coverage. In these situations, a couple of alternative options exist:
In conclusion, we expect to see these clauses and representations flagged by the ABA Deal Points Study to continue to appear at an even higher rate as cyber security is front and center in the minds of strategic acquirers and private equity buyers.
Making sure diligence is done on the target's existing insurance policy, along with good practices and procedures, will ensure coverage is available for these types of representations in your transaction.
