Cybersecurity can’t just become a priority after an incident has brought a company to its knees, especially as cyber risks continue to escalate in number, severity, and sophistication, according to Aon’s 2019 Cyber Security Risk Report. Today’s boards, C-suites, and security and risk leaders need to be preparing for attacks by continually assessing their vulnerabilities, fixing their security gaps, and proactively mitigating their risks – lest they’re left exposed to the fallout from cyber incidents.
“In the last few years, the nature of the risk is constantly changing. Now, every single crisis goes viral very quickly, and then normally affects the reputation of the company. This can be a cyber incident, a class-action after a cyber incident, a #MeToo crisis,” said Alessandro Lezzi, focus group leader of international cyber and tech at Beazley, which recently announced it was combining its capabilities in cyber insurance and executive risk into one division. “Because of this, we’re seeing that all these risks, that are changing all the time, pose an extreme complexity at the board level.”
Cyber incidents can impact the heads of companies in a variety of ways, from a CEO losing their job after an incident – think of the 2014 resignation of Target’s CEO, president, and chairman after a breach affected its Canadian operations – to the share value of a company dropping post-breach, as Equifax’s stock did after 143 million of its US customers were impacted by a cybersecurity breach.
Lately, cyber risk has also come up in merger and acquisition activity. Marriott experienced a massive breach that impacted hundreds of millions of people after hackers went after the Starwood reservation system to access guest data. Marriott had acquired Starwood back in 2016, while the hack affected around 300 million guests who had stayed at Marriott’s Starwood brand hotels since 2014, according to news reports.
The incident emphasized how important due diligence is during an M&A transaction.
“The due diligence around information security in an M&A transaction has been somewhat limited, so what we like to see our clients that are engaging in M&A activity do is a few things,” explained Rob Rosenzweig, national cyber risk practice leader for brokerage Risk Strategies. “Ask for information around the IT infrastructure that the acquisition target is currently deploying. Understand what, if anything, they’re doing from a risk management standpoint, whether it be specific to the IT infrastructure – things like penetration testing or network assessments. If so, see the most recent reports from those audits to understand what, if any, vulnerabilities have been identified, and whether some of those vulnerabilities have been resolved or are still outstanding.
“We also want to dig a little bit more in terms of information governance, and policies and procedures – what sort of information does the acquisition target collect on its customers or employees, how are they protecting that information, and how are they storing that information?”
Doing the due diligence doesn’t mean that a potential buyer will walk away from the transaction if red flags are identified, but it does mean that companies are in a position where they know more and can thus be better prepared. That includes uncovering and addressing the gray areas in insurance coverage before a claim reveals that both policies cover cyber claims, or that neither of them does.
“There needs to be some clarity as to how an issue that’s uncovered post-close is going to be dealt with,” said Rosenzweig. If Company A acquires Company B, and a cyberattack occurs post-acquisition, there could be questions of whether that should be picked up under the buyer’s policy or whether there’s some ability to address that claim under the seller’s legacy policies that they had in place at the time the transaction closed.
Nonetheless, sometimes even the most prudent due diligence in the world will still miss underlying issues, because of the widespread nature of cyberattacks today. A competitive M&A landscape also doesn’t bode well for due diligence.
“This is still somewhat uncharted territory and a developing landscape, both in terms of the threats that are out there and the regulatory environment,” said Rosenzweig. “Given some of the trends that we’re seeing in the M&A landscape, it’s very much a seller’s market as businesses struggle to bolster organic growth, so I think some of it is a function of, if you’re a prospective buyer and you’re asking tough questions in the due diligence process, there might very well be another less sophisticated buyer that isn’t going to ask those questions that forces your hand to think about how far you want to push that agenda, if the deal is really important.”
Beyond M&A, the regulatory landscape is similarly increasing the interconnectedness between cyber risk and the C-suite. For example, the General Data Protection Regulation (GDPR), an extra-territorial European law that applies to any company offering goods or services to EU residents or monitoring the behavior of EU residents, requires certain companies to appoint a data protection officer, which adds D&O exposures.
“Rating agencies are also taking into account cybersecurity when rating a company, which again poses a challenge to companies because if they want access to the market to increase their capital to get money from investors, they need to take care of their cybersecurity posture,” said Lezzi, adding that, in this environment, putting cyber and executive teams together makes sense. “The two risks are more and more interlinked. This is also the reason why we are putting these two divisions together – to match the risks and be able to provide effective solutions to clients.”