Due to the dramatic increase in, and changing nature of, cyber risks, mergers and acquisitions due diligence should expand to address cyber risks, available risk mitigation practices, and available insurance. Acquiring companies should not assume that target companies outside of the financial and health sectors are safe from cyber risks.
To the contrary, the most rapidly developing area of cyber risk is not data breach risk, but nontargeted ransomware and malware resulting in rapidly growing business interruption losses across multiple sectors. Middle market and developing companies are not immune from these risks, and should be carefully vetted for risk mitigation and cyber insurance best practices as part of acquisition due diligence.
For most companies, the cost of mitigating cyber risk to zero is prohibitive, so a cyber insurance program, in combination with robust security measures and risk management, is critical to cybersecurity. Cyber risk mitigation requires implementation of risk management protocols as well as the purchase of cyber insurance.
Ensure that the target company has implemented key risk management protocols: Although smaller to mid-size companies have been slow to adopt cybersecurity measures, recent ransomware attacks such as WannaCry have brought cybersecurity to the forefront for this market sector. At a minimum, a cybersecurity program should include these three components (with many more recommended by insurers and cybersecurity experts): (1) training employees to recognize phishing attempts; (2) restricting access to key data and information; and (3) preparing an incident response plan and identifying key vendors before a cyber event.
Employees should be trained to recognize phishing attempts: Phishing (emails enticing recipients to open malicious links or attachments that allow attackers to install malware) poses a major threat to organizations. The 2017 Verizon Communications Inc. (NYSE: VZ) data breach investigations report found that 43 percent of breaches began with a phishing attempt, more than any other method. The median time to open a phishing email is 1 minute and 22 seconds. Only 7.3 percent of users open phishing emails and click on links or attachments, but a mistake by just one user can allow an attacker to gain a foothold on a company’s electronic platform. At a minimum, target companies should have implemented training for employees to recognize phishing emails and to follow the company’s protocols for handling a suspected phishing email. Companies cannot eliminate this risk — even after being fooled once, 15 percent of users who opened a phishing email will open another phishing email — but repeat training and testing reduce risk.
Access to key data and assets should be restricted: Security relies on redundant systems to function effectively. No one barrier will stop a determined attacker, but multiple roadblocks can slow an attacker’s access to sensitive data and allow additional time to recognize and respond to potential breaches. In addition to deploying technical security measures and investing in data backup, target companies should have procedures in place that restrict the number of people who can access key information. They should have identified and classified key data and assets, restricted access to the most important material so that only employees with a specific need have access, and created tiers for other data and assets with appropriately restricted access and control rights. Striking a balance between efficient workflow and secure access can be difficult, but establishing a coordinated process can reduce risk.
A written incident response plan that identifies key vendors should be in place: Properly responding to a cyber event can reduce the resulting cost and liability. While every cyber event is different, companies should have developed a response plan that assigns responsibilities before a cyber event to eliminate confusion and allow a quick response. Engaging vendors before an event occurs helps with the immediate management of issues after a cyber event. Key vendors include computer forensics, crisis managers, and legal counsel.
Assess the target’s cyber insurance program: Cyber insurance protects companies from some of the financial impact of a cyber event resulting from threats that slip past risk management protocols for substantially less investment than the cost of complete mitigation (which likely is not even possible in today’s cyber world). Determining whether a target company has purchased this insurance protection is a critical component of cyber risk due diligence.
Analyze the company’s non-cyber insurance policies for potential coverage:
When assessing a target company’s insurance program, recognize that traditional insurance programs typically do not cover cyber-related losses without coverage extensions. Many policies now incorporate cyber exclusions that seemingly undermine the very scope of coverage allegedly offered by the policies. Even if not ultimately effective, cyber exclusions create a ripe environment for coverage litigation, which increases costs and delays recovery of cyber losses at best, or precludes recovery of those costs altogether.
Therefore, any cyber insurance analysis begins with a review of the target company’s insurance program (particularly property, crime, and kidnap and ransom) and comparison of that program with any cyber coverage. Smaller companies may rely on coverage extensions to their traditional policies, which must be carefully analyzed for coverage gaps and other insurance conflicts. In addition, these extensions may be more limited in scope and may impose sublimits. The market for this coverage is increasingly competitive, however, with competition for premium dollars fiercest amongst insurers at the mid-market level.
Look at the target’s cyber insurance policies: Some companies may have purchased specialized cyber insurance, and depending upon the policy, may be better protected for cyber risks. Today’s cyber insurance products are akin to package policies that offer several coverage types in one form, often with different sublimits.
As they have evolved in the last few years, most cyber policies provide both first-party and third-party insurance coverage. Most policies now offer more than just breach response services (although these services are an important component of a cyber response), and include coverage for the company’s own losses as well as its liabilities to third parties.
Coverage grants can include coverage for computer fraud and theft, cyber business interruptions, remediating the impact of a cyber event, liability (including defense costs) resulting from a cyber event, regulatory costs, and payment card industry (PCI) penalties.
- Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data. Beware of limitations of coverage to losses “directly resulting from” unauthorized access; this language severely limits the type of covered claims.
- Cyber business interruption coverage pays for losses resulting from a cyber event that prevents the business from operating, such as a distributed denial of service attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
- Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, credit monitoring), but sublimits may apply and some policies may designate specific vendors to access this coverage.
- Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement). Liability coverage typically excludes bodily injury and property damage (other than property damage to computer systems), but some insurers offer this coverage at an additional cost.
- Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event). Coverage for fines and penalties is also available, though availability may be restricted by law in some areas.
- PCI coverage for liability to credit card issuers arising out of unauthorized disclosure of credit information is available by endorsement for companies that routinely process credit card payments, but generally requires proof of compliance with PCI standards. This coverage can include forensic services, fraud charge reimbursement, PCI fines and penalties, and card reissuance costs.
When assessing cyber coverage, compare the coverage to the target company’s key risks – are they coextensive? Because the cyber insurance market has not promulgated standard forms, policies differ in structure and scope. Seemingly minor differences in language can impact available coverage.
Due to the increasing scope and complexity of cyber risk, an acquiring company should understand and evaluate a target company’s risk management practices and insurance program. Consulting with experienced cyber brokers and coverage counsel during due diligence can assist with this challenging due diligence component.
Katherine Henry is a partner at Bradley Arant Boult Cummings LLP and chair of the firm’s policyholder insurance coverage team. Brendan Hogan is an associate at Bradley Arant and focuses his practice in the areas of policyholder insurance coverage, emerging technologies, and construction.