Insurance companies starting to wise up to cyber risk in M&A deals

Mergers and acquisitions in the insurance brokerage space hit record highs in 2018. And, if the first six months of 2019 are anything to go by, this M&A trend is not showing any signs of changing in the near term.

As insurance brokers and agents consider selling, there’s a lot of pre-transaction due diligence to consider. They’ll want to get their books in order, tidy their data up, and reassure accounts about coverage contingency. One thing that the entire market – sellers, buyers, brokers and carriers – is starting to understand is that their cybersecurity is nearly as important as the overall financial impact of the deal.

“Insurance brokerages and agencies, as well as sellers of any type of business, can help secure and enhance the value of their entities prior to a sale by ensuring their cyber security risks are properly addressed,” said James Arnold, principal, cyber security, KPMG (US). “A well developed and implemented cybersecurity program will help ensure there are no surprises during the deal period and after closing. It will also help put buyers at ease knowing the target cyber security issues have been addressed.”

In the M&A space, there are many horror stories about how poor cybersecurity and a lack of cybersecurity due diligence have negatively affected transaction values. In an extreme case, a buyer might lose their entire purchase amount if they discover a cyber breach after closing a deal. Furthermore, if a buyer discovers a cyber breach after closing a transaction, they will likely be on the hook for regulator investigations, fines and costs resulting from reputational damage and business interruption.

“When negotiating a deal, buyers should demand more time and access to perform pre-deal and post-deal cyber due diligence,” Arnold told Insurance Business. “Data rooms should include cybersecurity information, including detail about the target’s cybersecurity program, incident response plans, playbooks, cyber insurance and any detailed reports about prior cybersecurity breaches, including what happened and what was done to ensure it does not happen again.

“Buyers should also be allowed to interview the target’s cyber security management team, including their CISO and their CIO. Finally, depending on the results of the findings from the cybersecurity due diligence, buyers should be prepared to demand claw backs and tighter reps and warranties to cover cyber security risks.”

Despite seeing instances of poor cyber hygiene in M&A deals, Arnold said he’s “encouraged by where” the markets are moving. The siloes between cybersecurity, M&A and insurance are beginning to come down and all parties involved in transactions “are starting to appreciate the importance of cybersecurity,” he said.