The proliferation of Cyber Due Diligence in transactions may be at an inflection point, increasingly driven by requirements from insurers underwriting security risks for W&I insurance.
The W&I insurance market is growing at a fierce pace: for deals valued over £100m, the usage of Warranty and Indemnity (W&I) insurance has risen from 40% of deals in 2017 to 88% of deals in 2021, according to Lockton’s 2022 transaction risk report. Underpinning this explosive growth are signs of maturity in handling general exclusions. A few years ago, Cyber risk was typically considered a general exclusion, but not anymore. Insurers are avoiding a default position of imposing an outright exclusion on Cyber and are instead taking a more considered view.
On the other hand, for buyers including Corporates and Private Equity firms, the insight into the Cybersecurity posture of an asset has become a key input to their valuation models. A number of big-ticket deals that were impacted by security breaches have only accelerated the M&A Cyber agenda. Some prominent instances include:
Cyber risk in M&A transactions can materialise across the entire deal lifecycle - from deal execution to value creation. Furthermore, integrations and carve-outs are particularly susceptible to Cybercrime. The spectrum of threat actors has also widened spectacularly and can now include cybercriminals, nation-states, hacktivists, thrill seekers/trolls, competitors, and insiders. The impact of these risks is not just technical but has a bearing on the asset’s reputation, commercial outlook, and operational continuity.
In this fast-evolving threat landscape, transferring the risk to insurance providers at the deal initiation stage, as part of W&I insurance, is often agreeable to both buyers and sellers. Insurers will, however, require a full Cyber due diligence before including Cybersecurity in the W&I insurance. Although a number of PE firms already include Cybersecurity due diligence as part of their deal process, Cyber inclusion in W&I insurance is increasingly fuelling the growth of Cyber due diligence.
Cyber due diligence in M&A is not merely a technical exercise but also requires a transactional lens – it needs to identify where the value lies in an organisation and what needs to be secured before deep-diving into the technology aspects. Another pitfall arises when advisors who adopt a purely technical lens to Cyber diligence ignore the risk of more subtle elements such as social engineering, lack of employee awareness and insufficient business ownership of cyber security matters. However, we observe that more sophisticated investors are becoming aware of the need to assess targets before investing and to understand the overall security risk profile of their investment portfolio to ensure value realisation and a smooth exit.
Currently, there is a wide spectrum of risk management maturity levels across corporates and PE firms. However, the trend indicates that a majority will define a Cybersecurity risk management strategy at each stage of the deal cycle - including prevention, acceptance, mitigation, or transference of risk. At the deal initiation stage, a combination of ‘prevention’ using Cyber diligence and ‘transference’ via a credible W&I Cyber insurance is the likely way forward for M&A deal execution professionals to protect themselves and their shareholders/investors from avoidable risk to investment capital and future returns.
Do not hesitate to contact us to find out more about how BearingPoint Capital can support you in navigating Cyber security related challenges during transactions.