Insights

  • Cyber Security & Privacy Liability
    POSTED 3.8.22 M&A

    Cyber crime is a major problem in the United States and around the world.

    It seems every day there is another news story about hackers and other criminals who have been able to breach company networks and get their hands on confidential data…or take companies hostage by locking them out of their networks or even shutting down a business’s operations until a ransom is paid.

    Remember, the Colonial Pipeline ransomware attack in May 2021? Cyber criminals managed to access computerized equipment that operates the pipeline, which runs from Texas and New York and delivers about 36 billion gallons per year to the eastern seaboard.

    The incident cost the company $25 million. And all the hackers had to get in was use one compromised password that was leaked on the dark web.

    Also in May 2021, the data of more than 100 million Android users was compromised. Personal info from over 700 million LinkedIn users was found for sale online. Facebook users were hit too – 553 million of them.

    It’s clear this is a serious problem. And it extends to all industries.

    Every company these days, from retailers (online and brick-and-mortar) to restaurants to healthcare providers, collects confidential information, also known as personally identifiable information, or PII. This can include customer names, birth dates, Social Security numbers, driver’s license numbers, credit card numbers, bank information, medical records, and more. Everything a hacker would need to steal an identity.

    It can be collected by the company directly or through a third-party, like a payment processor like PayPal.

    But in any case, if there is a fault of security and that data goes out into the world, customers are going to blame the business they patronize. They’ve shared their information with the company, and the company breached their trust. That certainly doesn’t encourage repeat business. Plus, there are costs related to notifying all the people affected. There can be legal penalties and fines as well, particularly when healthcare information is involved.

    Not to mention, in some cases, the affected customers have a right to claim compensation if they suffered material or non-material damage.

    Enter cyber liability insurance to make these payouts on behalf of the company.

    But there is another wrinkle in this issue you may not have considered, where again cyber insurance comes to the rescue.

    Say you acquire a restaurant or hotel chain or a group of healthcare companies and, six months or a year post-closing, one of these breaches of confidential data is discovered. (It is very common these incidents are not discovered until six months or more after they occurred.)

    As the Buyer, you are on the hook. When the deal is done that exposure has been transferred to you from the target company. That’s even if the incident occurred before the sale.

    It doesn’t matter if, during the diligence process, you asked the Seller about any data breaches. To their knowledge, they had none.

    Again, enter Cyber Security & Privacy Liability insurance. And here’s the best way to protect yourself as a Buyer:

    1.   Make sure the Seller has a robust cyber liability policy in place that will respond to these claims. There should be at least a $5M limit. That will cover the expenses associated with notifying all the customers whose data was stolen. This should be the first batch of money that is used for any expenses from a data breach.

    2.  Make sure you, as the Buyer, also have a cyber liability policy. This may cover what the Seller’s policy does not.

    Keep in mind that a stolen personal information incident is also a breach of the Representation and Warranty policy covering the deal. So the R&W insurance will effectively sit right on top of the cyber policies.

    This will help not only cover expenses but also potential loss of value of the target company. And this kind of fallout can happen.

    Say there is major data breach of a hotel or retail chain. Those customers are probably going to have second thoughts about ever doing business there again.

    Cyber liability can also cover the impact from ransomware that cause outages and a loss of business. For example, the computer network and payment system for a chain of sports bars is held hostage during the Super Bowl…reducing the bars to only accepting cash! A big loss.

    Cyber liability insurance means extra diligence in the run up to the sale.

    I’ve put together some common diligence questions asked during that process. I would recommend viewing them and keeping them handy during your next acquisition.

    You can get this free download here: Sample Cyber Liability/Privacy Questions in Diligence

    You can also discuss this issue with me, Patrick Stroth. You can contact me here at pstroth@rubiconins.com.