Insights

  • New Targets for Ransomware Attacks – and How to Protect Yourself
    POSTED 3.29.22 M&A

    The dream of every startup is to one day be acquired by a PE or VC firm or a Strategic Buyer.

    All the hard work and dedication finally pays off. And it’s only natural that these firms will announce the happy news to the world with a press release, whether it’s a merger or the announcement of a successful round of fundraising.

    Unfortunately, these days such announcements have put a target squarely on the backs of soon-to-be or newly acquired companies in all sorts of industries, from manufacturing to tech to healthcare to consumer-oriented businesses. These days, of course, every company has a database full of sensitive data about its customers, clients, and/or its own operations and systems. Just as importantly, most companies today rely on their IT systems for day-to-day operations. Being locked out can cause operations to grind to a halt. Who can go for a day without access to their systems?

    As noted in a recent article in the Wall Street Journal, hackers involved in ransomware attacks are shifting their focus away from big corporations to smaller targets, including midmarket acquisition targets. Government authorities and law enforcement have noted this trend has been heating up in the last year or so, even as bigger targets like the Colonial Pipeline grabbed the headlines last year.

    These cyber criminals know that:

    • The PE firms and other deal-makers have deep pockets or the newly acquired company has quick access to cash thanks to their recent payday.
    • These startups, which have been focused on growth, may not have very robust cybersecurity measures in place, which makes them easier to hack.
    • This lack of cybersecurity could allow the hackers to also sneak into the Acquirer’s systems, as well as other firms in its portfolio, through an unsecured backdoor.
    • By attacking smaller, midsize companies they won’t get as much attention from authorities and law enforcement. Even if the ransoms are smaller, they bring that “income” in steadily.

    In one such case cited in the Journal article, a midsize manufacturer was bought in the 4th quarter of 2021 by a PE firm. Two months later, a Russian ransomware group locked up its hardware systems and demanded $1.2 million to release them. The company paid.

    This is typical of these attacks. And deal-makers have taken note and are seeking measures to protect themselves and their acquisitions from financial losses and loss of reputation.

    Fortunately, there are some best practices that can help prevent such attacks, as well as protections that can provide financial compensation if a ransom is paid.

    As noted in my previous article on cyber liability insurance, this specialized type of coverage is fast becoming a must-have in deals. Buyers are basically requiring Sellers to have a policy that will respond to any cyber claims. And Buyers are taking out their own policies as well to cover what the Seller’s policy does not.

    When writing these policies, Underwriters have a common set of questions they ask to verify the cyber security and privacy measures in place. If they’re not satisfied, no policy. Or, at the very least, they will load down the policy with broad exclusions and narrow limits.

    On the plus side, this has forced companies to bolster their security measures and given them clear direction on how to do so.

    One of my contacts, an Underwriting Manager for Tokio Marine HCC – Cyber & Professional Lines Group, provided a list of security controls they look for when writing a policy (otherwise they will not write the policy, or will adjust terms accordingly):

    1.  Multi-factor authentication (MFA) is required for all remote access to the Insured’s network.

    2.  MFA is required for all local and remote access to privileged user accounts.

    3.  A preferred Endpoint Detection and Response tool is required.

    As the Underwriter noted:

    “If the Insured is missing any of these three important controls the premium and deductible will increase and we will sublimit Breach Event Costs, System Failure, Dependent System Failure, and Cyber Extortion to $250k. Additionally, we will include an endorsement with a $250k ransomware sublimit/50% coinsurance for all losses/expenses related to a ransomware attack.

    “If the Insured does not use MFA for all access to emails through a web browser or non-corporate device, cyber crime will be reduced to $25k. If they use MFA for email access, the maximum cyber crime limit available is $100k.”

    The implementation of cyber liability insurance is more important than ever, as cyber security has become one of the most costly and largest exposures out there. As a result, Insurers are looking to exclude cyber claims from other M&A insurance products, such as Representations and Warranty coverage.

    Board members of a startup that suffers cyber security issues should also note that Directors and Officers (D&O) insurance may not protect them from investor lawsuits if proper cyber security measures were not taken to protect the company. Failure to effect and maintain proper insurance is a standard exclusion clause in D&O policies.

    Insurers want deal-makers to take out stand-alone cyber liability policies which are more appropriately underwritten and broader in scope to best handle these exposures. They don’t want D&O or R&W insurance to become “umbrella policies.”

    When seeking out help in securing cyber liability coverage, it’s best to reach out to an IT specialist or an insurance broker who is connected with such experts.

    I’m happy to help you secure cyber insurance. You can contact me here at pstroth@rubiconins.com.

  • Cyber Security & Privacy Liability
    POSTED 3.8.22 M&A

    Cyber crime is a major problem in the United States and around the world.

    It seems every day there is another news story about hackers and other criminals who have been able to breach company networks and get their hands on confidential data…or take companies hostage by locking them out of their networks or even shutting down a business’s operations until a ransom is paid.

    Remember the Colonial Pipeline ransomware attack in May 2021? Cyber criminals managed to access the computerized equipment that operates the pipeline, which runs from Texas to New York and delivers about 36 billion gallons per year to the eastern seaboard.

    The incident cost the company $25 million. And all the hackers had to do to get in was use one compromised password that had been leaked on the dark web.

    Also in May 2021, the data of more than 100 million Android users was compromised. Personal info from over 700 million LinkedIn users was found for sale online. Facebook users were hit too – 553 million of them.

    It’s clear this is a serious problem. And it extends to all industries.

    Every company these days, from retailers (online and brick-and-mortar) to restaurants to healthcare providers, collects confidential information, also known as personally identifiable information, or PII. This can include customer names, birth dates, Social Security numbers, driver’s license numbers, credit card numbers, bank information, medical records, and more. Everything a hacker would need to steal an identity.

    It can be collected by the company directly or through a third party, such as a payment processor like PayPal.

    But in any case, if there is a security failure and that data goes out into the world, customers are going to blame the business they patronize. They’ve shared their information with the company, and the company breached their trust. That certainly doesn’t encourage repeat business. Plus, there are costs related to notifying all the people affected. There can be legal penalties and fines as well, particularly when healthcare information is involved.

    Not to mention, in some cases, the affected customers have a right to claim compensation if they suffered material or non-material damage.

    Enter cyber liability insurance to make these payouts on behalf of the company.

    But there is another wrinkle in this issue you may not have considered, where again cyber insurance comes to the rescue.

    Say you acquire a restaurant or hotel chain or a group of healthcare companies and, six months or a year post-closing, one of these breaches of confidential data is discovered. (It is very common these incidents are not discovered until six months or more after they occurred.)

    As the Buyer, you are on the hook. When the deal is done that exposure has been transferred to you from the target company. That’s even if the incident occurred before the sale.

    It doesn’t matter if, during the diligence process, you asked the Seller about any data breaches. To their knowledge, they had none.

    Again, enter Cyber Security & Privacy Liability insurance. And here’s the best way to protect yourself as a Buyer:

    1.  Make sure the Seller has a robust cyber liability policy in place that will respond to these claims. There should be at least a $5M limit. That will cover the expenses associated with notifying all the customers whose data was stolen. This should be the first batch of money that is used for any expenses from a data breach.

    2.  Make sure you, as the Buyer, also have a cyber liability policy. This may cover what the Seller’s policy does not.

    Keep in mind that an incident of stolen personal information is also a breach of the Representation and Warranty policy covering the deal. So the R&W insurance will effectively sit right on top of the cyber policies.

    This will help not only cover expenses but also potential loss of value of the target company. And this kind of fallout can happen.

    Say there is a major data breach at a hotel or retail chain. Those customers are probably going to have second thoughts about ever doing business there again.

    Cyber liability can also cover the impact of ransomware attacks that cause outages and a loss of business. For example, the computer network and payment system for a chain of sports bars is held hostage during the Super Bowl…reducing the bars to only accepting cash! A big loss.

    Cyber liability insurance means extra diligence in the run up to the sale.

    I’ve put together some common diligence questions asked during that process. I would recommend viewing them and keeping them handy during your next acquisition.

    You can get this free download here: Sample Cyber Liability/Privacy Questions in Diligence

    You can also discuss this issue with me, Patrick Stroth. You can contact me here at pstroth@rubiconins.com.