According to a new Deloitte report, M&A activity is expected to dramatically increase in 2019. And it’s probably safe to say that during the frenzy of activity leading up to completion of the deal, ensuring compliance with cyber insurance policies may not be top of mind. But to maximize coverage following the completion of the transaction, entities are strongly encouraged to take a close look at their cyber policy provisions early in the deal-making process so that they can satisfy any applicable notice and underwriting requirements. In addition, cyber insurance purchasers that are contemplating M&A activity should carefully consider such policy provisions prior to purchasing a cyber form.
Cyber insurance policies, like most other policies, typically provide coverage to the named insured identified in the policy, as well as to any subsidiary of the named insured that was created by the date the policy took effect. Carriers generally ask enterprises to identify all such subsidiaries during the application process. Although disclosed subsidiaries may generally be considered “insureds” at the time policies are issued, cyber policies often contain provisions that specify the steps the insured must take to obtain coverage for newly acquired or created subsidiaries or for entities involved in mergers or consolidations. But finding that information within the policy typically requires some effort. Due to the lack of policy standardization of cyber forms, it’s important for the insured to carefully review its entire cyber policy for relevant provisions, which might be found within its conditions, definitions, and/or exclusions sections.
Mergers and newly acquired or created subsidiaries
The steps an insured must take to secure coverage for a newly acquired entity vary from policy to policy and often depend on the relative financials of the subsidiary. For example, under one cyber policy, if the acquired entity has revenue greater than 10% of the named insured’s total annual revenue, the named insured must: provide written notice before the acquisition, obtain the insurer’s written consent, and agree to pay any additional premium required by the insurer.
Another insurer requires an insured that merges with, acquires, or creates an entity with assets exceeding 10% of the total assets of the insured to provide full details of the transaction as soon as practicable. The insurer is then entitled to impose additional terms, conditions and premiums, at its sole discretion.
Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50%, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition or creation, along with any other information the insurer should require. The insured may be exempted from that process if, among other things, the new subsidiary’s gross revenues are 10% or less than those of the named insured.
Relevant terms are implicated under another cyber policy if the insured acquires or creates an entity that becomes a subsidiary, acquires an entity by merger or purchases assets, or assumes liabilities of an entity without acquiring the entity. If the total assets of the acquired or created entity, or the combined total amount of the purchased assets or assumed liabilities, are less than 30% of the consolidated assets of the insured, the new entity may be entitled to certain coverages under the policy if the named insured provides written notice as soon as practicable, but in no event later than 60 days after the effective date of the transaction. The named insured will have to provide any requested information and may be subject to an increased premium.
A different insurer requires the named insured to provide notice of a newly formed or acquired subsidiary within 60 days of the transaction if the named insured has more than 50% of the legal or beneficial interest of the entity. If, however, the total assets or total revenues of the new entity exceed 15% of the total assets or revenues of the named insured, the named insured must provide the “full particulars” of the new entity, and the insurer must agree in writing to provide coverage. The insurer may impose a premium increase and amend policy terms.
A newer cyber form automatically extends coverage to a newly acquired entity if its annual revenue does not exceed 20% of the insured company’s annual revenue. If that percentage is exceeded, coverage will be extended for 45 days, during which time the insured must provide “full details” about the entity and agree to any policy amendments, including premium increases, required by the insured. If the insured doesn’t agree, coverage for the entity is automatically terminated after 45 days. Another cyber insurer has very similar provisions, but they have a 35% revenue trigger and provide a 60 day window of automatic coverage.
One cyber insurer also considers the types and volume of protected information held by the acquired entity before automatically extending coverage. Under that form, coverage is automatically extended to acquired entities that have an annual revenue up to 20% of the named insured’s annual revenue, unless “that acquired entity stores a total number of unique, personally identifiable records that are in excess of 20% of the total unique, personally identifiable records that the Named Insured stores (as at the date of completion of such acquisition).” The insured must obtain the insurer’s written consent and agree to any increase in premium prior to the acquisition if automatic coverage is not triggered.
Coverage under another insurer’s policy will hinge, in part, on the knowledge and expectations of potential insurance claims attributable to senior executives of the named insured and of the acquired or newly created entity. That form provides automatic coverage for any acquisition or newly created entity if the insured has ownership interest of less than 50%. If the insured’s interest is greater than that, the insured must provide notice at least 60 days after the effective date of such acquisition or creation. Automatic coverage will be granted until the end of the policy period or for 90 days, whichever is earlier, if the newly created or acquired subsidiary has substantially similar business operations, its gross revenue is equal to or less than 10% of the total gross revenue the named insured listed on the application, and, if prior to the effective date of such acquisition or creation, no senior executive of the named insured or of the acquired or created organization, knew or could have reasonably expected that a claim would be made or coverage triggered under the policy.
Divested entities and changes in ownership
Coverage under cyber policies also may be impacted by corporate divestitures and changes in corporate ownership affecting entities that initially were covered under the policy. For example, policies may provide that if the named insured’s legal or beneficial interest in a subsidiary becomes less than 50%, the entity will no longer qualify as a subsidiary under the policy and will lose coverage. One policy specifies that if the named insured sells a subsidiary, that subsidiary will continue to be an insured, but only with respect to claims or first party insured events that occur on or after the applicable retroactive date and prior to the effective date of the sale. That policy further notes that there will be no return premium.
Cyber policies also may contain provisions that will be triggered in the event of a takeover of the named insured.
Take Away Thoughts
Coverage provided under a cyber insurance policy can be significantly impacted by merger and acquisition activity. Because there are no standard-form cyber policies, the provisions that might be implicated by any such transaction, including important notice requirements, will vary from policy to policy. Entities should carefully review their coverage both prior to policy inception and at the very outset of the deal-making process to ensure that they fully understand their rights and obligations and comply with all policy provisions so that post-deal coverage can be maximized.