The old-school, traditional way of looking at corporate security involves physical assets such as market research, intellectual property, and other corporate secrets that can be locked away. Picture the secret formula for Coca-Cola sitting in a safe somewhere in an undisclosed location in Atlanta.
Today, companies of every size and shape, in every industry, have a lot more information to protect. It’s more valuable, and it’s harder to secure.
The digital landscape means that customer lists, personal data of customers and employees, operational policies and procedures, financial records, incentive and compensation plans, along with a very diverse collection of intellectual property assets are no longer in a vault with limited access.
And it’s much more vulnerable. Anyone with the right tools and expertise can exploit a lack of security, gain access and send that data around the world in an instant. As you’ll see in just a moment, due to large potential losses, companies should be exploring their options in a specialized type of insurance created especially for this type of damage.
First, let’s explore the scope of the problem.
Major retailers, hotel chains, and credit reporting bureaus that have breaches of credit card numbers and identifying information of their customers grab the headlines. But there is some fatigue there from customers. In most cases, a simple call to your bank or credit card company can reverse your charges.
But it’s not so simple for business owners and executives, where the impact of a breach of their systems can’t be “written off.” And there is no industry where data breaches aren’t serious business. You don’t even need to have customer records to be affected.
Think of the Sony data breach in 2014. Published emails from top executives and filmmakers were certainly embarrassing. But what’s not talked about much is how many film projects were cancelled because the details were leaked.
Take an energy company. They have reports in their system that detail where they’re going to drill for oil and gas. If those trade secrets got out and into the hands of competitors, it would mean tens of millions of wasted dollars.
Even B2C companies that lose the personal data of customers can face significant consequences. Not only can these companies lose market share, but also state and federal investigations kick in, which could result in costly regulatory penalties and fines. By law, you must also notify all affected customers of the breach; that’s expensive.
The only thing stopping hackers from getting their hands on all this information is cyber security.
It’s no exaggeration to say that today every company is an IT company. And that means every business owner from a mom-and-pop shop to a Fortune 100 corporation needs to take steps to protect their network to keep their data safe.
You have the software, you have the security systems, and you have your IT folks “on top of it.” It’s not enough. You have to think like a hacker.
Larger firms go as far as hiring a “white hat” hacker to conduct a penetration test (or “pen-test”) to see if they can spot vulnerabilities in clients’ systems. Once identified, the vulnerabilities can be addressed. Problem is, not every firm can afford a pen-test.
The good news is that, with all this exposure out there, there is an insurance product tailored specifically to these exposures that will compensate you should a breach happen.
Cyber Security and Privacy insurance (Cyber), which covers a business’s liability in case of a data breach, is widely available, with nearly 100 insurers offering policies. As the risk of cyber-attacks has grown for companies in every sector, this specialized insurance product has expanded accordingly.
Today’s Cyber policies protect businesses and their owners against civil suits as well as regulatory actions from the state and federal government. Out-of-pocket expenses to notify customers and employees in the event of a breach (which can be significant) are standard coverages under current Cyber programs.
For larger companies, it’s not cheap. But if you get a good broker, you can secure fair, market-driven pricing.
For any business contemplating a merger or acquisition, whether Buyer or Seller, cyber security should be top of mind. During the M&A Buyer’s due diligence process, this factor will be a major component.
Because cyber breaches are an already-widespread issue that is still growing, Buyers are beginning to take a deep dive into a target company’s cyber security.
They’ll do their own penetration test, as well as hire experts to look for evidence of past, unknown breaches. (Hackers often don’t publicize their big scores.)
Buyers will also investigate “soft” IT assets like financial records and personally identifiable information (PII) to determine where the data is stored and hosted, who can access it, how long the information is maintained, and what the asset value is if it is compromised.
“Hard” IT assets, like software code and intellectual property, are also examined to ensure that, for example, lines of code haven’t been “borrowed” from another source, or that IP of major value to the Buyer isn’t vulnerable to theft.
The reason for this in-depth investigation: data breaches can drastically affect the valuation of a company. Even more concerning is that companies often don’t discover a breach until months after the event, which, in the M&A world, could result in an adverse discovery post-closing.
Think back to when Verizon was set to acquire Yahoo! for nearly $5 billion. When it was revealed while the deal was being negotiated that two breaches the year before had affected more than 500 million of Yahoo!’s customers, Verizon dropped their offer price by $350 million.
Surprisingly, cyber security due diligence doesn’t yet officially request or require information on whether or not Cyber insurance is in place. The absence of such a policy is not yet at the stage of being a deal-breaker for an M&A transaction, but this is changing.
If you’re looking at using Representations and Warranty (R&W) insurance on a deal, having an existing Cyber policy in place can also be a huge advantage. Due to the large loss potential from a cyber breach, Cyber exposure is getting more attention in M&A due diligence and from M&A insurers.
R&W Underwriters in particular are looking at cyber security issues now. If Cyber insurance is in place, reps involving cyber security and privacy are more likely to be insured rather than excluded.
For smaller transactions that are not eligible for R&W (under $25M transaction value), Cyber insurance is particularly helpful as it can be amended to protect the Seller in the event a breach is discovered years after closing. It’s evident that in these cases, Cyber insurance is an even greater need. So whether you’re planning a sale soon or down the road, you should run, not walk, to get Cyber coverage.
But if you plan to get Cyber insurance in place, you need to do so early. Cyber insurance Underwriters generally won’t write a policy if you have an M&A deal in the works within a year. And if you are able to get a last-minute policy, it will be more expensive.
Cyber insurance came out as a product more than 10 years ago and is still only carried by less than half of all businesses. The value of a Cyber policy is justified simply by the many potential problems in an M&A transaction that can be solved by its very presence.
At this point, I do see these policies becoming more standard practice for companies of every size, in every industry. Whether you’re considering selling your company in the next 18 to 24 months, or simply if your business is connected to the Internet, you should invest in Cyber insurance. It’ll pay dividends at closing!
For more information on this insurance, check out my Cyber and Privacy Liability Insurance Cheat Sheet to find what’s covered and typical costs.