Merger and acquisition (M&A) activity hit an all-time highin 2015. Simultaneously, awareness of cyber-related risks and theability to transfer those risks through cyber insurance alsoincreased.

But while many people think of cyber insurance when confrontedwith a data breach, it may not be quite so top of mind in thecontext of a merger or acquisition. It should be, though, becausecyber policies typically contain provisions that directly affectcoverage in light of such transactions. Enterprises should take aclose look at their cyber policy provisions early on in thedeal-making process so that coverage for the affected enterprisescan be secured.

While Commercial General Liability (CGL) policies often requirenotice of newly acquired organizations within a specified number ofdays (e.g., 90 or 180 days) after an acquisition, cyber policiesmay contain specific requirements that the insured must satisfy toobtain coverage for subsidiaries acquired or created, or forentities involved in mergers or consolidations.

Insureds that are considering mergers or acquisitions shouldensure compliance with such policy terms by carefully reviewingtheir cyber insurance policies early in the transaction process.Relevant provisions might be found in various sections within cyberpolicies, including in the policy’s conditions, definitions andexclusions.

Mergers and newly acquired or createdsubsidiaries

The steps an insured must take to secure coverage for a newlyacquired subsidiary vary from policy to policy and may depend onthe financials of the subsidiary. For example, under one cyberpolicy, if the acquired entity has revenue greater than 10 percentof the named insured’s total annual revenue, the named insuredmust:

• provide written notice before the acquisition;
• obtain the insurer’s written consent; and
• agree to pay any additional premium required by theinsurer.

Another insurer requires an insured that merges with, acquiresor creates an entity with assets exceeding 10 percent of the totalassets of the insured to provide full details of the transaction assoon as practicable. The insurer is then entitled to imposeadditional terms, conditions and premiums, at its solediscretion.

Under the terms of a different policy, if the named insuredacquires or creates another organization in which the named insuredhas an ownership interest of greater than 50 percent, theorganization is covered for insured events that take place afterthe date of acquisition or creation, but only if the named insuredprovided notice to the insurer no later than 60 days after theeffective date of the acquisition or creation, along with anyinformation the insurer should require.

The insured may be exempted from that process if, among otherthings, the new subsidiary’s gross revenues are 10 percent or lessthan those of the named insured.

Continue reading...

Cyber policies may contain provisions that will be triggeredin the event of a takeover of the named insured. (Photo:Thinkstock)

Relevant terms are implicated under another cyber policy if theinsured acquires or creates an entity that becomes a subsidiary,acquires an entity by merger, or purchases assets or assumesliabilities of an entity without acquiring the entity.

If the total assets of the acquired or created entity, or thecombined total amount of the purchased assets or assumedliabilities, are less than 30 percent of the consolidated assets ofthe insured named insured provides written notice as soon aspracticable, but in no event later than 60 days after the effectivedate of the transaction. The named insured will have to provide anyrequested information and may be subject to an increasedpremium.

A different insurer requires the named insured to provide noticeof a newly formed or acquired subsidiary within 60 days of thetransaction if the named insured has more than 50 percent of thelegal or beneficial interest of the entity. If, however, the totalassets or total revenues of the new entity exceed 15 percent of thetotal assets or revenues of the named insured, the named insuredmust provide the “full particulars” of the new entity, and theinsurer must agree in writing to provide coverage. The insurer maythen charge an increased premium and amend policy terms.

Divested entities and changes inownership

Coverage under a cyber policy also may be impacted by changesaffecting entities that initially are covered under the policy. Forexample, policies may provide that if the named insured’s legal orbeneficial interest in a subsidiary becomes less than 50 percent,the entity will no longer qualify as a subsidiary under the policyand will lose coverage.

Cyber policies also may contain provisions that will betriggered in the event of a takeover of the named insured.

Related: 3 things to do when looking for Cyberinsurance

Corporate transactions may have important effects on thecoverage provided under a cyber insurance policy. Because there areno standard-form cyber policies, the provisions that might beimplicated by any such transaction, including important noticerequirements, will vary from policy to policy.

Entities should carefully review their coverage at the veryoutset of the deal-making process to ensure that they fullyunderstand their rights and obligations, and comply with all policyprovisions to maximize coverage.

Judy Selby is managing director of BDO Consulting TechnologyAdvisory Services. She can be reachedat [email protected].