When companies merge or acquire other businesses, the focus is traditionally on how their operations and finances align. The Marriott breach (which exposed the personal information of 500 million guests), the Yahoo breach (which killed a pending acquisition) and others have taught us that it’s time for IT systems and cyber controls to play a central role in M&A due diligence.
If you’re involved in an M&A, some questions to ask the other business might include:
- What anti-virus and encryption systems are utilized?
- Which portable devices are used by employees to access the company network?
- What does the network infrastructure look like?
- Are they using a VPN (virtual private network)?
- How many personal records do they hold, including clients and employees?
- How are outsourced software and hardware providers utilized?
Businesses with all levels of cyber insurance will want to consider their coverage options ahead of a merger or acquisition. In this case, there are three options for cyber coverage: fold the new company into your existing cyber coverage, create a new policy for the combined business, or let the two cyber policies co-exist until renewal.
When merging with or acquiring a company without cyber insurance, take a look at your own limits and potential liabilities. How will their lack of cyber coverage impact your cyber limits going into the M&A? What can you do to change your policy to accommodate the incoming risk?
If your business is considering an M&A, make sure to engage the following risk management best practices:
- Ask for their cyber insurance application. One of the best ways to gauge a company’s cyber risk is to review their insurance application. Use the answers to the application’s 5-10 questions as a guide to potential liability. If there’s an issue, you know where you need to spend your resources. Work with their cyber insurance broker to walk through the internal audits they need to complete.
- Consult with an attorney who specializes in cyber and privacy law. An attorney working regularly with cyber breaches will be able to scope out potential risks you haven’t considered with the company you are about to merge with or acquire.
- Work with the company to mitigate risk prior to the merger/acquisition. If there’s a known or potential cyber issue, conduct penetration testing and bring in outside experts or vendors, if necessary, ahead of the deal.
- Talk to your broker sooner rather than later. Your broker may be the last person you would think to inform of an impending merger or acquisition. However, letting them in on the deal at least 30 days out will ensure you have more insurance options at your fingertips.
- Consider M&A insurance. Sometimes called Reps and Warranties coverage, dedicated M&A insurance provides coverage for the entire M&A process. Underwriters are starting to include cyber exposure as part of the dedicated M&A policy as well.
