Acquiring or selling a business this year but lacking cyber insurance and robust data defence policies? You might want to rethink that valuation.
Last year’s Information Commissioner’s Office (ICO) fine on a Hospitality and Leisure group, due to a breach on one of their acquired businesses, crystalised for many businesses the risk presented by acquired businesses potential lack of digital security. But whereas previously perceived digital issues may have been covered off by some form of Warranty and Indemnity Insurance, Lloyds recent mandate to their Insurers that they must expressly say whether Cyber Insurance is covered or not has forced a rethink in this area.
The fact that in this case the incident was so long before the acquisition but remained undiscovered for a period after the transaction had taken place, highlights the risks involved. It has also forced Mergers and Acquisitions (M&A) solicitors to look at how effective due diligence conducted over a short period can be when digital systems are complex or legacy systems are involved.
The reality is businesses need to cover off their digital exposures prior to getting to due diligence. The use of external scanning is on the rise and the use of intrusive or internal scanning will occur on larger deals too. There needs to be a way to avoid stalemates whereby solicitors on either side of the table sit and demand, and in turn, refuse warranties on data risk. There needs to be mechanisms in place earlier to try to mitigate impacts upon price.
The reality is there is no one answer except that the issues need to be tackled earlier. Corporate Financiers preparing to market businesses need to know what is likely to be encountered at due diligence before they get there. This will allow a chance for sellers to solve or at least mitigate risks before they have the potential to scupper deals.
Buyers must satisfy themselves that there is security in place for the digital assets they are buying and that the selling company has taken the appropriate technical and organisational measures to make that security possible. After all, it is their risk upon completion.
The three digital pillars of people, process and technology sit at the forefront of a buyers acquired risk. Addressing these in advance of a deal and then mitigating via Cyber Insurance may be the best solution for all parties.
To find out more about our Services please contact our team today on T. +44 (0) 203 857 5373 or fill out the form below: