Cyber has become a global risk management concern in mergers and acquisitions (M&A).
“The potential impact of cyber exposures on M&A is a growing focus for deal-makers,” said Clyde & Co’s recent “Insurance Growth Report.” The report, the global law firm’s mid-year tally and analysis of M&A, devoted more attention than usual to cyber issues.
However, experts from the firm say insurers often entirely exclude cyber risks from the W&I [warranty and indemnity] covers used for these deals.
“W&I insurers’ appetite to assume cyber risk remains low - with the risk often excluded entirely,” said Reece Corbett-Wilkins (pictured above).
Corbett-Wilkins is a Clyde & Co partner and member of the firm’s cyber incident response team. His experience includes dealing with the cyber incidents that impact government agencies and private sector companies.
Corbett-Wilkins said W&I exclusions mean transaction parties are generally required to allocate cyber risk in the transaction “without the benefit of insurance protection”.
He said the approach to cyber risk has “changed significantly” in the last few years as the legal and regulatory landscape has evolved.
“Large cyber breaches have given markets greater clarity over the financial and non-financial exposures that can result,” he said. “Cyber risk is not a barrier to M&A but is being more carefully diligenced,” he said.
IT systems and governance of privacy issues are two areas where Corbett-Wilkins has noticed this change.
“Diligence in IT systems has expanded into far more technical information security considerations, while privacy compliance diligence is generally more comprehensive, including a focus on data governance practices,” he said.
Corbett-Wilkins said this has been driven by “significant changes” in Australia’s legal and regulatory framework including expanded rights and obligations under the Privacy Act, increased information security regulation on insurance and insurance intermediaries, and focus by regulators on data and privacy management.
The most important change in recent years, he said, could be tougher penalties.
“Perhaps most significant, very material increases in penalties for non-compliance,” he said.
Generally, he said both insurance carriers and intermediaries are now subject to “more onerous information management regulation.” He said this has the impact of “elevating the specific risk to acquisition targets in the sector.”
The result, said Corbett-Wilkins, is “far more focused legal and technical due diligence on cyber risk than was the case even five years ago.”
In the Clyde & Co M&A report, London-based partner Rosehana Amin said some cyber risks are being driven by “the nature of interlinked systems.”
“When there is a compromise and the related legal issue of who is the data controller,” said Amin. “When a purchaser acquires the target company’s data, will the contract make it clear who retains responsibility?”
According to the report, the first half of 2023 saw a widely anticipated worldwide dip in M&As. The report said M&A deals were down 17% worldwide. Across APAC, the situation was a little better with a 12% drop.
However, in Australia, the number of M&A deals remains much the same as last year. Matt Ellis, Clyde & Co’s specialist in corporate and regulatory law answered Insurance Business questions about the local M&A scene.
“While there has been a marked decline in M&A activity, a number of sectors have remained attractive investments despite the global economic headwinds,” said Melbourne-based Ellis.
“Particularly, M&A activity in the energy and resources sector has remained reasonably strong, providing a counterbalance to more significant declines in sectors such as technology and consumer markets.”
In the Clyde & Co report, Munich-based partner Eva-Maria Barbosa, said “the lull in insurer M&A will be short-lived.”
“Given the time taken between announcement and completion of a deal is typically nine to 18 months, the number of completed deals we are seeing now reflects market sentiment from early 2022,” said the regulatory expert.
She said Clyde & Co is already seeing transactions come back in the broker space, paving the way for carrier activity to follow.
“M&A in Europe won’t reach the levels of 2022 again for some time but it will begin to pick up again in the second part of the year,” said Barbosa.
Are you a stakeholder in the M&A insurance market? How do you see the cyber challenges? Please tell us below.