Cyber M&A Webcast of the German M&A Association – Cybersecurity Insurance
The second session on cyber M&A on May 10, 2021 focused on the topic of insurance. The participants were Dr. Sven Erichsen (Managing Director Erichsen GmbH), Ralph Noll (Partner Cyber Risk, Deloitte) and Christian Plath (Partner Operational Transaction Services at Deloitte). The moderator was Stefan Finkenzeller (PMG Projektraum Management GmbH).
Ralph Noll, who also heads the Cyber Response Team at Deloitte, began by explaining what the current cyber threat situation looks like and how it needs to be taken into account in risk management. Supply chains in particular are becoming increasingly interconnected. Outages are frequent here, as individual suppliers suffer attacks, in particular ransomware, usually encryption Trojans. The cloud is also leading to ever greater interconnection: applications that were previously reachable only from the internal network are now available worldwide. CFO fraud, such as forged payment instructions or invoices, is a growing issue. Nevertheless, cyber insurance is not yet on the agenda for many companies, either because the cost-benefit ratio is viewed critically or because knowledge of the topic is lacking in risk management. The typical German SME sector is now also a target of these attacks and is hit proportionally harder, especially as many companies cannot afford an expensive cyber response program.
According to Dr. Erichsen, the aim of cyber insurance is primarily to cover the costs of a cyber incident. However, cyber insurance, which is now as important as fire insurance, also serves the purpose of prevention, as companies are often not yet sufficiently equipped with security measures. A good cyber insurer also reminds its customers to implement these measures, proactively provides information on current risks and has a network of service providers, e.g. incident response service providers. Medium-sized companies in particular, which are at the beginning of the digitalization process, are unfortunately always lagging behind. The problem here is the lack of communication between IT and commercial management. For lack of a common language, IT security warnings, e.g. in risk assessment, do not always reach management.
According to Christian Plath, there have already been several cases where cybersecurity incidents in the context of M&A transactions have led to significant purchase price reductions. As always, due diligence is important, which also means asking about cyber insurance and IT security measures. In the case of carve-outs, attention should be paid to how this is handled in the context of TSAs (Transitional Service Agreements). As the buyer only has access to the company after closing, the seller must assume the risks until the end of the TSA term. It is always good if the acquisition target has cyber insurance. From the point of view of due diligence, the decisive factors are concrete, verifiable IT security measures or audit reports that are made available.
One interesting question from the participants concerned the insurance of damage caused in the course of warfare. Ralph Noll said: “It is often difficult to identify the groups of perpetrators and this is usually clarified once the damage has long since occurred.” Sven Erichsen noted that warfare is in fact often excluded and is the subject of controversial debate. However, the insurer bears the burden of proof here. Ransom demands from countries that are subject to international sanctions are also problematic. But these cases have been very rare so far.
As always, further dates will be announced on the website of the German M&A Association and via social media (LinkedIn). Questions and suggestions can be directed to stefan.schneider@ma-review.com or martin.kuegler@parthenon.ey.com.