The dream of every startup is to one day be acquired by a PE or VC firm or a Strategic Buyer.
All the hard work and dedication finally pays off. And it’s only natural that these firms will announce the happy news to the world with a press release whether it’s a merger or announcement of a successful round of fundraising.
Unfortunately, these days such announcements have put a target squarely on the backs of soon-to-be or newly acquired companies in all sorts of industries, from manufacturing to tech to healthcare to consumer-oriented businesses. These days, of course, every company has a database full of sensitive data about its customers, clients, and/or own operations and systems. Just as importantly, most companies today rely on their IT systems for day to day operations. Being locked out can cause operations to grind to a halt. Who can go for a day without access to their system?
As noted in a recent article in the Wall Street Journal, hackers involved in ransomware attacks are shifting their focus away from big corporations to smaller targets, including midmarket acquisition targets. Government authorities and law enforcement have noted this trend has been heating up in the last year or so, even as bigger targets like the Colonial Pipeline grabbed the headlines last year.
These cyber criminals know that:
- The PE firms and other deal-makers have deep pockets or the newly acquired company has quick access to cash thanks to their recent payday.
- These startups, which have been focused on growth, may not have very robust cybersecurity measures in place, which makes them easier to hack.
- This lack of cybersecurity could allow the hackers to also sneak into the Acquirer’s systems, as well as other firms in its portfolio, through an unsecured backdoor.
- By attacking smaller, midsize companies they won’t get as much attention from authorities and law enforcement. Even if they ransoms are smaller, they bring that “income” in steadily
In one such case cited in the Journal article, a midsize manufacturer was bought the 4th quarter of 2021 by a PE firm. Two months later, a Russian ransomware group locked up its hardware systems and demanded $1.2 million to release them. The company paid.
This is typical of these attacks. And deal-makers have taken note and are seeking measures to protect themselves and their acquisitions from financial losses and loss of reputation.
Fortunately, there are some best practices that can help prevent such attacks, as well as protections that can provide financial compensation if a ransom is paid.
As noted in my previous article on cyber liability insurance, this specialized type of coverage is fast becoming a must-have in deals. Buyers are basically requiring Sellers to have a policy that will respond to any cyber claims. And Buyers are taking out their own policies as well to cover what the Seller’s policy does not.
When writing these policies, Underwriters have a common set of questions they ask to verify the cyber security and privacy measures in place. If they’re not satisfied, no policy. Or, at the very least, they will load down the policy with broad exclusions and narrow limits.
On the plus side, this has forced companies to bolster their security measures and given them clear direction on how to do so.
One of my contacts, an Underwriting Manager for Toko Marine HCC – Cyber & Professional Lines Group, provided a list of security controls they look for when writing a policy (otherwise they will not write the policy or adjust terms accordingly):
1. Multi-factor authentication (MFA) is required for all remote access to the Insured’s network.
2. MFA is required for all local and remote access to privileged user accounts.
3. A preferred Endpoint Detection and Response tool is required.
As the Underwriter noted:
“If the Insured is missing any of these three important controls the premium and deductible will increase and we will sublimit Breach Event Costs, System Failure, Dependent System Failure, and Cyber Extortion to $250k. Additionally, we will include an endorsement with a $250k ransomware sublimit/50% coinsurance for all losses/expenses related to a ransomware attack.
“If the Insured does not use MFA for all access to emails through a web browser or non-corporate device, cyber crime will be reduced to $25k. If they use MFA for email access, the maximum cyber crime limit available is $100k.”
The implementation of cyber liability insurance is more important than ever, as cyber security has become one of the most costly and largest exposures out there. As a result, Insurers are looking to exclude cyber claims from other M&A insurance products, such as Representations and Warranty coverage.
You should also note for board members of a startup that suffers from cyber security issues, that Directors and Officers insurance may not protect you from investor lawsuits if you did not take proper cyber security measures to protect the company. Failure to Affect and Maintain proper insurance is a standard exclusion clause in D&O policies.
Insurers want deal-makers to take out stand-alone cyber liability policies which are more appropriately underwritten and broader in scope to best handle these exposures. They don’t want D&O or R&W insurance to become “umbrella policies.”
When seeking out help in securing cyber liability coverage, it’s best to reach out to an IT specialist or an insurance broker who is connected with such experts.
I’m happy to help you secure cyber insurance. You can contact me here at pstroth@rubiconins.com.