When an underwriter feels that a representation is too broad, by which we mean that it would be unreasonable for someone to make such a representation because they could not know whether it was true, they might seek to limit that statement to “knowledge.”
For example, a representation like, “We have not infringed anyone's intellectual property (IP) anywhere in the world,” for the purposes of the policy might instead read, “To the best of our knowledge we have not infringed anyone's IP anywhere in the world.”
Despite the above, these are not inherently difficult representations on which to conduct diligence. Providing access to a seller’s policy and procedures, their IT staff, any third-party penetration testing they have had done, and their claims history can all add comfort for the underwriter.
If diligence can be done, then the second issue becomes the quality of the underlying coverage. The underwriter will wish to review the target’s cyber insurance policy to see if a breach of the representations would be covered adequately by the existing policy if a claim is reported post-sign/close for an incident that occurred prior to signing.
Underwriters will want to have said coverage as a first port of call before they respond. In the event that the target’s coverage is inadequate, they will seek an exclusion or particularly high deductible for a claim against those breaches.
How Cyber Insurance Would Respond
Both scenarios under the contractual provisions highlighted in the ABA Deal Points Study would be covered by a well-brokered cyber insurance policy. Cyber insurance policies have been expanding coverage over the past few years, and affirmatively respond both to a failure of security, such as unauthorized access, and to violations of consumer privacy rights.
Damages are a bit different in each case, but the coverage would respond to cover costs the “target” itself incurred to respond to the breach of security (first-party loss), as well as to cover any liability owed to a consumer or regulator (third-party liability).
Timeframes Are Key
One of the key aspects of these agreements is the date included in the cyber security representation, because the farther back the time frame of the representation goes, the more risk is involved. Cyber security issues are notorious for taking a long time to surface, as attackers have become adept at infiltrating networks and moving laterally to avoid detection for long periods of time.
A company that is looking to warrant no such security incidents for an extended period of time should therefore consider an external assessment of its system to validate the warranty statement it is making.
Many companies that provide IT expertise are willing to do a security assessment and certify no security failures or unauthorized access for a company during an M&A transaction.
Consider Future Policy Protocols
We must also consider how the “target’s” cyber policy is going to be handled moving forward. Cyber insurance policies are typically written on a claims-made and reported basis, meaning the loss is attributed to the policy year in which it is first discovered and reported to the insurance carrier.
Most include a “prior acts date” that provides coverage for events that occurred back to a specific date, but were not discovered and reported until the current date.
For example, say the “target” first experienced a breach in 2018 but did not discover it until 2019. Provided that the policy included a prior acts date that precedes the initial intrusion, i.e., the prior acts date lists some date before 2018, the claim would go against the 2019 policy because that is when the breach was discovered and reported, despite the initial intrusion occurring in 2018.
As a result, underwriters will want to see that the cyber policy in force at the time of the acquisition goes into run-off. A run-off is a mechanism that allows the policyholder to make a claim for breaches discovered for a set period of time, often up to six years, but which occurred prior to the transaction.
This would allow the new owners to mitigate the risk of an unknown cyber intrusion by allowing them to report a claim to the old policy and prevent a dilution of the limits on the new owner’s policy.
Not All Policies Are Created Equal
It is worth being aware that not all cyber policies are created equal. Our team at Woodruff Sawyer has seen more than a few situations where a target either has no cyber policy in place or one that only provided partial coverage. In these situations, a couple of alternative options exist:
- Purchase a stand-alone run-off policy, which would act as if a cyber policy had been in place and provide coverage for incidents that occurred during a specific time frame (i.e., from the set prior acts date to the deal closing date) but were not discovered until a later date.
- Have the target rolled into the buyer’s existing policy, but purchase backdated coverage of two or three years in order to avoid an exclusion or carve out of coverage under the reps and warranties policy.
In conclusion, we expect these clauses and representations flagged by the ABA Deal Points Study to continue to appear at an even higher rate as cyber security is front and center in the minds of strategic acquirers and private equity buyers.
Making sure diligence is done on the target's existing insurance policy, along with good practices and procedures, will ensure coverage is available for these types of representations in your transaction.