The Importance of Data Security in M&A – and How Insurance Fits In
POSTED 7.28.20 M&A

The nature of risk in M&A deals has changed, and it’s made specialized insurance coverage more important than ever.

Data security is now, more than ever, one of the biggest concerns for those involved in M&A. And for good reason. It’s creating more risk in deals, especially those involving tech companies.

These days, businesses need to be aware of how the businesses they acquire collect data, secure data, and use data. There are several factors at play here.

Increased data privacy regulations, such as GDPR in the European Union and the California Privacy Act (with similar policies sure to be put in place in other jurisdictions across the country), can put Buyers at severe risk, particularly when they acquire companies with less-than-effective data security.

And Buyers are taking notice.

In fact, according to Deloitte’s annual The State of the Deal: M&A Trends 2020, 70% of respondents (from Strategic Buyers and PE firms) stated that protection of data in a company they were acquiring was more of a concern than it was a year ago.

Andy Wilson, a partner in the M&A Services division of Deloitte & Touche, put it nicely:

“Data privacy can be a diligence issue. A target company may bring a cybersecurity weakness into the organization, or a transaction that involves layoffs or other workforce changes may create data security risks.

At the same time, data protection and management can be an integration issue, with a newly combined organization perhaps reaching into new geographies where regulations differ for the handling of data.”

Regulations Today Call for Strong Penalties

GDPR (General Data Protection Regulation) was instituted in 2018 in the European Union and outlines strict guidelines for the collection, organization, storage, use, and destruction of personal data. Fines for violations, based on annual revenue, can run into the millions. For example, Marriott International in the U.K. was fined £99 million in July 2019 for a data breach of 339 million guest records.

Investigators believe the incident goes back to 2016, when Marriott acquired Starwood hotels group. The group had its systems compromised in 2014, but it was only discovered in 2018. Regulators faulted Marriott for not conducting proper due diligence prior to the acquisition or doing enough to secure its systems.

Elizabeth Denham, with the Information Commissioner’s Office, which administers these regulations, said this about the case:

“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

As you can see, they’re taking it seriously, targeting businesses of every size in every industry. These days, every company has sensitive customer data. It’s not just tech or financial industries like banks or credit card companies that have to worry. Any business that touches the internet is vulnerable.

Plus, not only can you run afoul of regulators due to a privacy breach or data leak, but you can also introduce vulnerabilities to your own secure system by blending it with the newly acquired company’s system.

How to Protect Yourself

There are solutions, or at least things you can do to mitigate potential problems.

  1. Enhanced due diligence.
  2. A laser focus on post-acquisition integration of systems to make sure they and each company’s security practices line up. This goes from the IT side all the way down to prohibiting employees from putting their password on a Post-it on their computer monitor.
  3. Purchase the right Cyber insurance.

Cyber Liability coverage is a must-have for virtually every M&A deal in today’s climate, due not only to regulatory penalties but also the financial damages from a data security breach. There are measures to take to protect data, of course, on the tech systems side. But hackers are ever more sophisticated and can get around even the most sophisticated protections.

The need for Cyber Liability coverage may sound obvious, but be aware that not all Cyber policies are alike. Avoid the cheaper versions that only cover data breaches. The top policies now offer coverage for malware attacks (which happen 5x more often than loss of data), electronic theft and ransomware attacks – all of which can seriously damage a company’s value if left unprotected. The difference in cost for a more comprehensive Cyber policy is negligible.

Due to the heightened exposures businesses face from cyber-related losses, most R&W policies will require a Cyber Liability policy be in place for the target company, and will impose exclusions for Cyber-related losses if no such coverage is in place.

In the case of both Cyber Liability and R&W coverage being in place, here’s how it works:

In the event of a breach, the insurance companies will let the Cyber Liability claim be paid first, and then the R&W policy will cover any damages not covered. Keep in mind, the deductible on a Cyber policy is a fraction of an R&W policy retention, so Cyber provides a cost-effective first line of defense.

It’s comprehensive protection that’s very necessary today.

As a broker with extensive experience with both Cyber Liability and R&W insurance, I’d be happy to discuss coverage for your next M&A deal.

Please contact me, Patrick Stroth, at pstroth@rubiconins.com.