Cyber's Surprising Importance for M&A

Many corporate deals can unwittingly void important cyber coverage. So, it needs to be considered early in any possible deals.

Although many people think of cyber insurance when confronted with a data breach, cyber insurance may not be quite so top of mind in the context of corporate mergers and acquisitions. Cyber insurance should be, because policies typically contain provisions that are directly affected by such transactions. Enterprises should take a close look at their cyber insurance policy provisions early on in the deal-making process so that coverage for the affected enterprises can be maximized. The focus on cyber should be especially acute now, both because M&A activity continues to rise and because the importance of cyber coverage is surging on the heels of recent, headline-making data breaches. Cyber insurance policies, like most other policies, typically provide coverage to the named insured identified in the policy, as well as to any subsidiary of the named insured that was created by the date the policy took effect. Carriers generally ask enterprises to identify all such subsidiaries during the application process. Although disclosed subsidiaries may generally be considered "insureds" at the time cyber policies are issued, cyber policies may contain provisions that specify the steps the insured must take to obtain coverage for subsidiaries acquired or created, or for entities involved in mergers or consolidations. Insureds that are considering mergers or acquisitions should ensure compliance by carefully reviewing their cyber insurance policies early in the transaction process. Relevant provisions might be found in various places in cyber policies, including within the policy's conditions, definitions and exclusions. Mergers and newly acquired or created subsidiaries The steps an insured must take to secure coverage for a newly acquired subsidiary vary from policy to policy and may depend on the financials of the subsidiary. For example, under one cyber policy, if the acquired entity has revenue greater than 10% of the named insured's total annual revenue, the named insured must: provide written notice before the acquisition, obtain the insurer's written consent and agree to pay any additional premium required by the insurer. Another insurer requires an Insured that merges with, acquires or creates an entity with assets exceeding 10% of the total assets of the insured to provide full details of the transaction as soon as practicable The insurer is entitled to impose additional terms, conditions and premiums, at its sole discretion. Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50%, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition of creation, along with any information the insurer should require. The insured may be exempted from that process if, among other things, the new subsidiary's gross revenues are 10% or less than those of the named insured. Relevant terms are implicated under another cyber policy if the insured acquires or creates an entity that becomes a subsidiary, acquires an entity by merger or purchases assets or assumes liabilities of an entity without acquiring the entity. If the total assets of the acquired or created entity, or the combined total amount of the purchased assets or assumed liabilities, are less than 30% of the consolidated assets of the insured, the new entity may be entitled to certain coverages under the policy if the named insured provides written notice as soon as practicable, but in no event later than 60 days after the effective date of the transaction. The named insured will have to provide any requested information and may be subject to an increased premium. A different insurer requires the named insured to provide notice of a newly formed or acquired subsidiary within 60 days of the transaction if the named insured has more than 50% of the legal or beneficial interest of the entity. If, however, the total assets or total revenues of the new entity exceed 15% of the total assets or revenues of the named insured, the named insured must provide the “full particulars” of the new entity, and the insurer must agree in writing to provide coverage. The insurer may charge an increased premium and amend policy terms. Divested entities and changes in ownership Provisions of cyber policies also may be affected by changes affecting entities that initially are covered under the policy. For example, policies may provide that if the named insured’s legal or beneficial interest in a subsidiary becomes less than 50%, the entity will no longer qualify as a subsidiary under the policy and will lose coverage. Cyber policies also may contain provisions that will be triggered in the event of a takeover of the named insured. Conclusion Corporate transactions may have important effects on the coverage provided under a cyber insurance policy. Because there are no standard-form cyber policies, the provisions that might be implicated by any such transaction, including important notice requirements, will vary from policy to policy.  Entities should carefully review their coverage at the very outset of the deal-making process to ensure that they full understand their rights and obligations and comply with all policy provisions so that coverage can be maximized.

Judy Selby

Profile picture for user JudySelby

Judy Selby

Judy Selby is a principal with Judy Selby Consulting LLC and a senior advisor with Hanover Stone Partners LLC. She provides strategic advice to companies and corporate boards concerning insurance, cyber risk mitigation and compliance, with a particular focus on cyber insurance.


Read More