By: Mike Richmond, Vice President – Business Insurance, The Horton Group; and Sagar Patil, Manager – Cybersecurity & Transaction Advisory Services, RSM US LLP
Key takeaways
- As cybersecurity threats continue to evolve, organizations are taking time to pinpoint and evaluate their risks.
- Nearly all carriers now require that several fundamental cybersecurity controls are set in place before they will agree to provide coverage.
- During an acquisition, it is important for the cybersecurity firm and insurance broker to collaborate, ensuring protocols are addressed to obtain the appropriate go-forward cyber risk insurance coverage.
It wasn’t long ago that buyers could easily obtain go-forward cyber liability insurance for their target acquisition. Many insurance carriers would offer coverage with limited information about the target’s cybersecurity controls, and some would even offer to include prior acts coverage to win the business. Unfortunately, those days are gone.
Given the tremendous losses in the cyber liability insurance market over the past few years, insurance carriers are taking a new position. As a result, some of the top cyber liability insurance carriers have left the market, and others have had their capacity reduced by their reinsurance carriers.
Several factors are driving the departure of insurance carriers from the market. One reason is that many organizations are not grasping the true magnitude of cybersecurity risk exposure they face and the fundamental cybersecurity controls that could help mitigate those risks. In most cases, the level of security protocols in place is superficial at best and grossly inadequate for today’s sophisticated attacks.
Fundamental Controls to Consider for Cyber Liability Insurance
In keeping up with this ever-evolving space, carriers have developed a greater understanding of the minimum baseline security controls an organization needs in order to be adequately protected. As a result, nearly all carriers now require that several fundamental cybersecurity controls be in place before providing coverage. These include:
- Multi-factor authentication (MFA) and remote access management
- Vulnerability scanning and patch management
- Endpoint detection and response (EDR) solutions
- Incident response and disaster recovery capabilities
- Data protection measures, such as encryption of all sensitive information
- Compliance with industry and privacy regulations, including but not limited to:
  - PCI DSS
  - HIPAA
  - GDPR, CCPA, etc.
- Employee awareness and training initiatives
So, how do you ensure you can obtain cyber liability coverage for your newly acquired portfolio company? It starts early in the diligence process.
First, acquirers should conduct cybersecurity due diligence that focuses on the target’s ability to manage the cybersecurity risks the organization could potentially face. For targets handling significant transactional volume, due diligence efforts should concentrate on data security. Similarly, where system uptime and availability are most important, due diligence efforts should evaluate secure infrastructure and business continuity capabilities.
Breaking Down the Due Diligence Process
Cyber due diligence can be broken down into phases depending on the timing and status of the transaction. If the transaction is still in the pre-LOI or exclusivity phase, consider conducting a higher-level review of the target’s cybersecurity posture to build a preliminary understanding of the remediation efforts that will be needed and of how readily cyber insurance coverage can be obtained. This lighter approach in the initial stages limits the financial outlay while there is still less certainty that the deal will actually close.
Once the transaction is getting closer to actually closing and there is greater access to management and artifacts, a deeper dive phase of cyber due diligence can allow advisors to dig into key issues and risks within the organization. This phase typically consists of more detailed conversations with key management personnel at the target company, an analytical review of more detailed evidence and artifacts, and potentially multiple complementary workstreams such as network or application penetration testing and searches of the dark web.
Prior claims will be a key issue to address at this stage, especially if go-forward cyber risk coverage is needed. Underwriters will want to know what incidents occurred, how they occurred and what was done to mitigate and prevent future incidents.
Efforts at this stage in the transaction are an important investment. They will help identify the remediation efforts necessary for the target to scale efficiently and consistently grow revenue during the hold period, with a thorough analysis of one-time and recurring capital expenditures. They will also provide the timelines required to bring the target to the level of maturity expected by investment committees, insurance carriers, and potential buyers in the future.
Diligence efforts should also be tailored to the nature of the transaction. Whether the transaction involves a platform company, a carve-out, an asset-only sale, a bolt-on or any other transaction type, cyber due diligence can provide a customized road map for remediation and integration that addresses the outstanding concerns insurance carriers or lenders may have.
Second, have open discussions with the seller about why a more proactive strategy is needed pre-close. Not only does it help better protect the business, but it will allow you (the buyer) to obtain cyber liability coverage on a go-forward basis. It can also improve your prospects of obtaining tail coverage.
Due to the increased demand in the market for cyber diligence efforts, sellers are often performing diligence-related assessments before the transaction. Doing so allows the seller to get a head start on remediating high-risk findings and helps establish the narrative for the insurance carriers. When sellers are aware of the cybersecurity risks to the organization, they are open to discussing the necessary investments that may be needed post-acquisition.
Third, have your broker begin market discussions right away. Some insurance carriers are more flexible in their requirements than others. For instance, while all will typically require multi-factor authentication, some may require enterprise-wide adoption while others may only require it for remote desktop users and privileged access. It all depends on what can be accomplished at the target during the diligence process.
What Else Should You Consider?
Additionally, connect your brokers with your cybersecurity due diligence vendors or providers. Together they should ensure that the required cybersecurity controls, and the risks to the business, are understood in context by all parties. This open collaboration should help insurance carriers become more comfortable with the mitigating controls in the environment, so that they can provide satisfactory overall coverage and avoid policy exclusions wherever possible.
In the face of continuously growing cybersecurity threats, organizations across all industries are grappling with the need to understand and mitigate risks to their environments. A surprisingly low percentage of organizations can actually demonstrate a mature cybersecurity posture. At the same time, insurance carriers continue to increase and broaden their verification efforts during the underwriting process to understand the controls and tools to mitigate cybersecurity risks at an organization. Cybersecurity due diligence will help acquirers identify, quantify, and focus on these growing requirements and the amount of effort and capital expenditure it will take to meet them.