Whether it’s from M&A activity or a rise in regulation, boards and C-suites are more exposed than ever to cyber fallout
Cybersecurity can’t just become a priority after an incident has brought a company to its knees. According to Aon’s 2019 Cyber Security Risk Report, cyber risks continue to escalate in number, severity and sophistication, which means today’s boards, C-suites, and security and risk leaders need to be preparing for attacks by continually assessing their vulnerabilities, fixing their security gaps and proactively mitigating their risks.
“The nature of the risk is constantly changing,” says Alessandro Lezzi, focus group leader of international cyber and tech at Beazley, which recently announced it was combining its cyber insurance and executive risk capabilities into one division. “Now, every single crisis goes viral very quickly and then normally affects the reputation of the company. This can be a cyber incident, a class action after a cyber incident, a #MeToo crisis. Because of this, we’re seeing that all of these risks, which are changing all the time, pose extreme complexity at the board level.”
Cyber incidents can impact the heads of companies in a variety of ways, from a CEO losing their job after an incident to the share value of a company dropping post-breach. Equifax’s stock, for example, plunged after 143m of its US customers were impacted by a cybersecurity breach.
Lately, cyber risk has also come up in merger and acquisition activity. Marriott experienced a massive breach that impacted hundreds of millions of people after hackers went after the Starwood reservation system to access guest data. The hack affected around 300m guests and emphasised how important due diligence is during an M&A transaction.
“The due diligence around information security in an M&A transaction has been somewhat limited,” says Rob Rosenzweig, national cyber risk practice leader at Risk Strategies, “so what we like to see our clients that are engaging in M&A activity do is a few things: Ask for information around the IT infrastructure that the acquisition target is currently deploying. Understand what, if anything, they’re doing from a risk management standpoint ... things like penetration testing or network assessments. If so, see the most recent reports from those audits to understand what, if any, vulnerabilities have been identified and if some of those vulnerabilities have been resolved or if they are still outstanding. We also want to dig a little bit more in terms of information governance and policies and procedures – what sort of information does the acquisition target collect on its customers or employees, how are they protecting that information, and how are they storing that information?”
Doing due diligence doesn’t mean that a potential buyer should walk away from the transaction if red flags are identified, but it does put the acquiring company in a position where it knows more and can thus be better prepared. That includes uncovering and addressing the grey areas in insurance coverage before discovering that both policies cover cyber claims – or that neither of them does.
“There needs to be some clarity as to how an issue that’s uncovered post-close is going to be dealt with,” Rosenzweig says. If Company A acquires Company B and a cyber attack occurs post-acquisition, for instance, there could be questions of whether that should be picked up under the buyer’s policy or whether the claim can be addressed under the policies the seller had in place at the time the transaction closed.
Nonetheless, sometimes even the most prudent due diligence in the world will still miss underlying issues. “This is still somewhat uncharted territory and a developing landscape, both in terms of the threats that are out there and the regulatory environment,” Rosenzweig says.
The regulatory landscape is also tying cyber risk more closely to the C-suite. For example, the EU’s General Data Protection Regulation (GDPR), which applies to any company offering goods or services to EU residents or monitoring the behaviour of EU residents, requires certain companies to appoint a data protection officer, which adds D&O exposures.
“Rating agencies are also taking into account cybersecurity when rating a company, which again poses a challenge to companies because if they want access to the market to increase their capital to get money from investors, they need to take care of their cybersecurity posture,” Lezzi says.
In this environment, he adds, putting Beazley’s cyber and executive teams together just made sense. “The two risks are more and more interlinked. This is also the reason why we’re putting these two divisions together – to match the risks and be able to provide effective solutions to clients.”