12.07.2022 | Birgit Rummel, Nuala Read

The changing cyber landscape and M&A insurance

Special Topic, Strategien & Visionen

The cyber landscape

The digitalisation of the global economy continues, and it is clearly an accelerating trend. This article focuses on how this growth has increased the risk and threats around cyber and the consequent impact this has had on the insurance market, M&A deals, and M&A insurance.

Surveys have shown that cyber perils were the biggest concern for companies globally in 2022. According to the Allianz Risk Barometer, “The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the Covid-19 pandemic, all of which have heavily affected firms in the past year.”1

The rising tide of cyber-crime is translating into costs for the global economy estimated at an incredible USD 6 trillion in 2021. Whilst industries like healthcare and e-commerce are seeing record levels of threats (according to RiskIQ’s 2021 Evil Internet Minute Report2), this is an escalating menace regardless of industry, sector, country, or the size of the company.

Cyber security & cyber insurance

As cyber has evolved into a distinct new area of risk, the insurance market is naturally being asked to cover “new” types of losses including data breaches, data theft, systems outages, and failure, as well as ransomware attacks. Consequently, the insurance market has had to work out the best way to offer protection for clients.

In the last few years, insurers have started to move towards offering stand-alone cyber coverage with many insurance companies no longer including this within other policies: this removes the ambiguity that can occur with the so-called “silent cyber” coverage. In 2021, Lloyd’s of London led the way with a requirement that all their policies be clear in their cyber coverage: full coverage, limited coverage or excluded.

As our understanding of these cyber risks increases, the insurance market is increasing their focus on clients’ cyber security when coverage is requested. As businesses look to insurance for protection more and more, the growing expertise of cyber insurers is educating companies on what they need to do to manage and reduce these risks; this helps both business and insurers.

With cyber incidents, claims and losses augmenting exponentially each year, the insurance market is going through a period of flux as it looks to correctly assess and “price” cyber risks; cyber losses in 2020–2021 have deteriorated, mainly a surge of ransomware claims.

The insurance market recorded a 245% increase in global incidents since Q1 2019 (+390% ransomware, partially offset by a 70% reduction in data breach). In addition, there has been an 85% rise in remediation costs since 2019.

James Auden at Fitch Ratings observed that, “While cyber insurance premium rates are rising sharply, concerns remain that underwriters can successfully price this business longer term, given constantly evolving risk exposures and sources of loss.”3

Cyber security and M&A

In an M&A deal, cyber can be a problem for both parties. A breach discovered on the seller’s side can reduce their asking price for their business and, equally, a buyer can be left counting the cost should a cyber issue come to light after the deal completes.

Many of the examples relating to cyber incidents and losses apply to trading companies or government bodies. As with many factors in M&A deals, there is not much public information available, but we highlight the following as public examples of cyber impacting on M&A:

• In 2013, a cyber attack in Yahoo’s systems was discovered mid-acquisition. As a result, Verizon (the buyer) was able to shave USD 359 million off the final price – that is, 7% of the total deal value.

• In 2020, the ICO fined Marriott Hotels for a cyber breach in their 2016 acquisition of Starwood Hotels. The fine was applied because Marriot had not made investigations pre- or post-sale and allowed customer data to be exposed.

Cyber security & M&A insurance

Until recently and in line with most other insurance classes, M&A insurance covered cyber exposure, whether silently or explicitly, for most deals. However, as the cyber threat landscape has deteriorated, coverage offered under M&A policies has also changed. M&A insurers are not immune to the changes in the cyber landscape and the impact on other insurance classes; as a result, the M&A market position has become increasingly cautious.

There are still a range of coverage options available in the M&A insurance market; but generally, the cyber coverage offered will very much depend on the cyber risk exposure of the target. Some insurers will be more cautious than others, as is usual in other areas of this type of insurance.

It has been noted that with the rise of prominent cyber incidents, we are starting to see buyers look for an increasing number of warranties around cyber and IT, that they then ask insurers to cover. This is not surprising, as 80% of dealmakers said they have uncovered data security issues in at least 25% of their M&A targets in the previous two years..4

However, despite a heightened awareness of the potential impact of cyber and/or technology on the profitability of an M&A target, research shows that less than 10% of the deals undertake cyber due diligence.5 Often cyber is not considered sufficiently “material” to investigate and cyber security is usually put into the post-transaction action list.

However, we note the increasing impact that cyber is likely to have in M&A deals:

• In the last year, we saw a significant rise in economic espionage, such as the theft of high-value intellectual property by nation-states.6

• Extended supply chain threats are challenging organisations’ broader business ecosystem.

• New regulations aim to hold organisations and their executives more accountable in the protection of information assets and IT infrastructure.

As awareness of cyber risks in M&A deals increases, and demand for cyber insurance grows, a collaborative Cyber-M&A coverage approach will help clients get their deals done effectively.

1 Allianz Risk Barometer 2022: https://www.agcs.allianz.com/news-and-insights/news/allianz-risk-barometer-2022-press.html 2 Infosecurity Magazine: https://www.infosecurity-magazine.com/news/cybercrime-costs-orgs-per-minute/ 3 Reinsurance News: https://www.reinsurancene.ws/cyber-insurance-in-pc-industry-grew-by-22-in-2020-fitch-ratings/ 4 PwC: https://www.pwc.com/us/en/deals/publications/assets/pwc-when-cyber-threatens-m-and-a.pdf 5 Aon Top Five Cyber Risks in M&A: https://www.aon.com/unitedkingdom/insights/top-5-cyber-risks-in-mergers-and-acquisitions.jsp 6 Accenture Cost of Cyber Crime 2019: https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf
Insurance in M&A TransactionsM&A InsuranceCybersicherheit
Autor
Birgit Rummel

Birgit Rummel, is a qualified German lawyer specialising in Corporate Finance and M&A. She leads our Transaction Risk Insurance team for the DACH and CEE regions. Before joining Tokio Marine HCC in 2016, Birgit worked at Munich Re for over 14 years. She has a proven track record of handling complex cross-border transactions and combines insurance and reinsurance know-how with market management experience. She holds an Executive Master‘s in International Business and Law from H.S.G. in Switzerland. Birgit speaks German, English and Spanish. 

Autor
Nuala Read

Nuala Read, joined Tokio Marine HCC in 2017. She currently leads our UK team in their offering of tailored insurance coverages to clients involved in M&A deals. Nuala has worked in the insurance industry for over 25 years. Her career has focused predominantly on both the broking and the underwriting of M&A insurance products. Her vast experience in this field has seen her place a plethora of specialist M&A policies that often sit alongside complex deal structures and, thanks to this, Nuala is heavily consulted in the development of M&A insurance policies that bring value to both deal parties. Nuala is ACII qualified and holds a degree from Bristol University. 

Das könnte Sie auch interessieren