According to a recent New York Times report, the first half of 2019 saw nearly $2 trillion in merger and acquisition activity, with the majority of those deals taking place in the US. During the frenzied period of time leading up to consummation of the deal, consideration of the transaction’s impact on the acquiring company’s cyber insurance coverage may not be top of mind. But because merger and acquisition activity can significantly impact the risk profile of the insured company, cyber insurance policies typically contain very specific notice requirements in order for coverage to be extended to the newly acquired entity. Companies contemplating corporate transactions, therefore, are advised to review and operationalize those notice requirements early in the deal-making process to avoid coverage gaps when the deal is completed.
Cyber Insurance Policy Requirements for Newly Acquired Entities
Cyber insurance policies, like most other policy forms, typically provide coverage to the named insured identified in the policy, as well as to any subsidiary of the named insured that was created by the date the policy took effect. Carriers generally ask enterprises to identify all such subsidiaries during the insurance policy application process. Although disclosed subsidiaries may generally be considered “insureds” at the time a cyber policy issued, the policy is likely to contain provisions that specify the steps the insured company must take to obtain coverage for subsidiaries acquired or created, or for entities involved in mergers or consolidations, during the policy period.
The steps an insured company must take to secure coverage for a newly acquired subsidiary vary from policy to policy, but they typically are triggered by the revenue of the target company relative to that of the insured acquiring company.
For example, under one cyber policy, if the target entity has revenue greater than 10% of the named insured’s total annual revenue, the named insured must: provide written notice before the acquisition, obtain the insurer’s written consent, and agree to pay any additional premium required by the insurer.
Another insurer requires an insured that merges with, acquires, or creates an entity with assets exceeding 10% of the total assets of the insured to provide full details of the transaction as soon as practicable. The insurer is entitled to impose additional terms, conditions, and premiums, at its sole discretion.
Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50%, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition of creation, along with any information the insurer should require. The insured may be exempted from that process if, among other things, the new subsidiary’s gross revenues are 10% or less than those of the named insured.
In light of the significantly varying triggers and requirements imposed by different cyber carriers, insureds that are involved in merger or acquisition activity should carefully review their cyber policies early in the deal-making process. Relevant provisions may be found in a variety of different sections of the policy depending on the form at issue — possibly within the conditions, definitions, “other provisions,” and exclusion sections — so a careful review of the cyber insurance policy at issue is required.