Cooley partners Mark Deem and Mark Everiss recently published the following article in Insurance Day. The original article can be found here (log in required).
Legal Focus: UK data regulator increases focus on cyber due diligence and insurance in M&A
The announcement at the start of the summer the UK’s Information Commissioner’s Office (ICO) was intending to impose a fine of almost £100m ($121.9m) pursuant to its new powers under the General Data Protection Regulation (GDPR) on the Marriott hotel group grabbed the headlines.
Coming within 24 hours of its notice of intention to fine British Airways almost £183m, the UK’s data regulator sent a shockwave through the City: the threats of colossal penalties predicted in the run-up to GDPR becoming law on May 25, 2018 could no longer be dismissed as Chicken Licken fantasies; they were a new reality.
To focus on the magnitude of the intended penalties, however, was to miss the wider significance of the ICO’s intended fine. Of particular interest, the ICO cited inadequate data protection due diligence performed by Marriott in its acquisition of the Starwood Group in 2016, which had enabled a 2014 breach to remain undetected until 2018.
Commercial insurers should be reminding clients accountability for personal data in the context of cyber security extends to carrying out proper due diligence in the context of mergers and acquisitions (M&A). In the words of the UK’s information commissioner, Elizabeth Denham, this meant the acquirer had a responsibility to understand “what personal data has been acquired” and “how it is protected”.
Poor cyber security hygiene has always created a number of potential exposures for a purchaser, including financial loss through fraud and business interruption arising from a cyber attack; third-party costs of managing and remedying any such attack; harm to the integrity of the acquiring organisation’s entire data asset; reputational damage from such compromise; potential damages in any follow-on civil action; and regulatory fines.
The ICO has now confirmed such regulatory fines can arise from a failure to carry out appropriate due diligence as to the cyber health of a target.
Following the approach taken in the US – where due diligence performed by cyber security experts and data protection lawyers has been an established feature of the M&A landscape for many years – effective cyber due diligence is becoming more routine in the UK. This is likely to be only part of the solution, though, and more sophisticated organisations should be looking to insurance to mitigate their wider cyber risks.
An early cyber risk assessment will generally enable the acquirer to understand the threats and vulnerabilities of a target and to form a profile of its vulnerability to cyber risk, the integrity of its network and its compliance with data protection legislation. The precise form of due diligence will depend on the specific nature of the transaction, ranging from an internal high-level questionnaire, through to a bespoke investigation carried out by professionals.
As part of this due diligence process, an acquirer may identify a number of issues: a previously undiscovered breach; an attack that is in progress; a persistent vulnerability in the target’s network; inadequate security measures or corporate governance processes. These issues and risks could kill the entire deal.
More likely, however, any issues or gaps in compliance will provide the basis for the negotiation of additional legal protections – in particular, warranties (as to security incidents, outages and downtime with a defined period; or simply as to compliance with existing data protection/security laws) or, if a specific risk has been identified, an indemnity in respect of the consequences of that risk.
In circumstances where agreement cannot be reached as to the appropriate contractual remedies or protections required, insurers should be encouraging organisations to consider the robustness of their overall cyber insurance profile and whether appropriate cover has been obtained.
The recent notice from the ICO is a reminder to both insurers and insureds that relying solely on standalone cover may not necessarily provide the most comprehensive mitigation of risks in respect of cyber threats. There is a need for those engaging in corporate M&A transactions to consider whether warranty and indemnity insurance (W&I insurance) should be extended to ensure it specifically covers cyber warranties and disclosures made in the context of a corporate transaction.
While W&I insurance (or representations and warranties insurance in the US) historically may have been silent as to cyber and more recently expressly excluded, in our experience the position is shifting. Express cover for cyber in the M&A context through endorsements – or a standalone policy dealing with cyber warranties and disclosures – is being increasingly used to achieve certainty in overall coverage.
For buyers and sellers alike, such protection has inevitable benefits. For the seller it permits a clean exit strategy from the business, reduces any retention amount on completion and enhances the transactional value, providing warranty protection against matters where the sellers might be unable or unwilling to provide sufficient comfort.
For the buyer, it can facilitate debt-financed acquisitions, remove the risk of impecunious warrantors and “levels the playing field” in circumstances where a target’s cyber resilience can only be assessed against a tight timeframe.
Crucially, W&I insurance guards against the worst-case scenario and ensures the target can be acquired, with some protection over the value warranted. In the cyber context, this could mean the matters giving rise to regulatory fines (which are generally not recoverable under a cyber policy) that might be recoverable in part as losses suffered by way of the diminution in value of the target.
At the very least – given W&I insurance will require an independent underwriting valuation based on an assessment of the cyber due diligence carried out – seeking insurance itself will promote investigation as to the cyber resilience of any target.
Cyber security remains an essential item on the agenda of any board. It is critical to those in acquisition mode. Effective due diligence following GDPR implementation is essential to gain a more sophisticated understanding of the cyber resilience of any target. Combining this with insurance coverage both as to cyber risk and in support of the contractual protections provided should increasingly be viewed as the appropriate way, in which to confront the new reality following the events of early summer.