BDO Knows: Transaction Advisory Services

January 2017

A Case for Reviewing Cyber Coverage at the Onset of M&A Activity




Cyber Insurance Considerations in M&A Deals

Merger and acquisition (M&A) activity continued to make headlines in 2016.  Corporate giants including AT&T, Bayer AG, CenturyLink and General Electric announced massive acquisitions, while the Verizon/Yahoo! deal highlighted the importance of cybersecurity due diligence in the M&A context. Simultaneously, uptake of insurance for cyber-related risks – so-called cyber insurance – continued to increase in 2016.  Appreciation of the role of cyber insurance in connection with M&A activity, therefore, is taking on increased importance.

While people may think of cyber insurance when confronted with a data breach, the role of cyber coverage may not be top of mind in the context of a merger or acquisition. It should be, though, because cyber policies typically contain provisions that directly affect coverage in light of such transactions. Enterprises should take a close look at their cyber policy provisions early on in the deal-making process so that coverage for the affected enterprises can be secured.

While Commercial General Liability (CGL) policies often require notice of newly acquired organizations within a specified number of days (e.g., 90 or 180 days) after an acquisition, cyber policies may contain specific requirements that the insured must satisfy to obtain coverage for subsidiaries acquired or created, or for entities involved in mergers or consolidations.  Insureds that are considering mergers or acquisitions should ensure compliance with those policy terms by carefully reviewing their cyber insurance policies early in the transaction process. Relevant provisions might be found in various sections within cyber policies, including in the policy’s conditions, definitions and exclusions.


Mergers and newly acquired or created subsidiaries

The steps an insured must take to secure coverage for a newly acquired subsidiary vary from policy to policy and may depend on the financials of the subsidiary. For example, under one cyber policy, if the acquired entity has revenue greater than 10 percent of the named insured’s total annual revenue, the named insured must:
  • provide written notice before the acquisition;
  • obtain the insurer’s written consent; and
  • agree to pay any additional premium required by the insurer.

Another insurer requires an insured that merges with, acquires or creates an entity with assets exceeding 10 percent of the total assets of the insured to provide full details of the transaction as soon as practicable. The insurer is then entitled to impose additional terms, conditions and premiums, at its sole discretion.

Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50 percent, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition or creation, along with any information the insurer should require.

The insured may be exempted from that process if, among other things, the new subsidiary’s gross revenues are 10 percent or less of those of the named insured.

Relevant terms are implicated under another cyber policy if the insured acquires or creates an entity that becomes a subsidiary, acquires an entity by merger, or purchases assets or assumes liabilities of an entity without acquiring the entity.

If the total assets of the acquired or created entity, or the combined total amount of the purchased assets or assumed liabilities, are less than 30 percent of the consolidated assets of the insured, the named insured provides written notice as soon as practicable, but in no event later than 60 days after the effective date of the transaction. The named insured will have to provide any requested information and may be subject to an increased premium.

A different insurer requires the named insured to provide notice of a newly formed or acquired subsidiary within 60 days of the transaction if the named insured has more than 50 percent of the legal or beneficial interest of the entity. If, however, the total assets or total revenues of the new entity exceed 15 percent of the total assets or revenues of the named insured, the named insured must provide the “full particulars” of the new entity, and the insurer must agree in writing to provide coverage. The insurer may then charge an increased premium and amend policy terms.


Divested entities and changes in ownership

Coverage under a cyber policy also may be impacted by changes affecting entities that initially are covered under the policy. For example, policies may provide that if the named insured’s legal or beneficial interest in a subsidiary becomes less than 50 percent, the entity will no longer qualify as a subsidiary under the policy and will lose coverage. Cyber policies also may contain provisions that will be triggered in the event of a takeover of the named insured.


Final Thoughts

Corporate transactions may have important effects on the coverage provided under a cyber insurance policy. Because there are no standard-form cyber policies, the provisions that might be implicated by any such transaction, including important notice requirements, will vary from policy to policy. Entities should carefully review their coverage at the very outset of the deal-making process to ensure that they fully understand their rights and obligations and comply with all policy provisions to maximize coverage.