The increase in successful cyberattacks driven by both an explosion of ransomware activity and a series of high profile zero-day vulnerabilities, is forcing cyber insurers to further scrutinize the companies they insure and the policies they offer.
As insurers examine the potential impact of cyberattacks, the traditional scope of cyber security due diligence activities is being extended. The external forces of deal insurance, in turn being driven by the threat landscape, have accelerated the need for Merger and Acquisition (M&A) practitioners to fully embrace the discipline and invest in enhanced cyber security due diligence to meet the needs of the M&A insurers. An informed insurance market requires great comfort and assurance regarding critical controls and overall resiliency.
A Journey of Improvement and Maturity
Cyber security due diligence is on a journey. While it is a relative newcomer in the world of due diligence, greater expectations are being placed on the deliverables and insights obtained through the due diligence process. This article aims to reflect on the change in expectations of the cyber security diligence output, and how the diligence process will be impacted.
A History of Cyber Security Due Diligence
In its journey, cyber security due diligence is at a impass. For approximately ten years, cyber security due diligence has been developing as a niche within the wider M&A space. As with all new specialties, M&A practitioners and their teams initially sought to delivery cyber security as a “value add” on top of existing due diligence workstreams. Most frequently, it would be referred to as diligence around ‘secure networking practices’ and would therefore usually fall into the existing IT workstream.
There have been many examples of insufficient cyber security due diligence delivered by well-intentioned IT professionals with very little due diligence experience. This issue was often exacerbated by the fact that organizational leadership often failed to properly prioritize due diligence, causing the "cyber question" to fall to an unprepared associate, who may not have realized the gravity of the task. Naturally, this resulted in insurers being forced to rely on secondary, deprioritized cyber security due diligence information. Fortunately, this situation has improved, but more change is on the horizon.
Appreciation of Cyber Security Risk as a Business Risk
Cyber security risk is now firmly on the agenda of most boards of directors. The understanding of how cyber security risk manifests itself as a business risk has been driven by potential loss of core intellectual property, and the risk potential for new investors to inherit fines from regulators in relation to previously undisclosed breaches. The focus has been on providing answers to the two following questions to deal team stakeholders:
- Can anything be identified that will undermine the value of the transaction so significantly that it will prohibit the ability of the organization to deliver value through the pre-determined deal thesis?
- As a secondary consideration, what is required to raise the current cyber security posture of the organization to a level on par with similar organizations in the marketplace?
While the two questions above still need to be answered, further change is also required. This change is being driven by the wider forces of an increasingly risk adverse insurance industry seeking to obtain specifics on internal controls. As a result, not only has there been a greater volume of cyber security deal services procured by investors and their agents, but that organizations are now being asked to provide a greater level of visibility into their current controls.
The Current State of Pre-investment Diligence and Cyber Security
A more technically astute cyber security insurance industry combined with a greater understanding of the economic impact of cyber security incident or attack on businesses has resulted in the reduction of coverage and an increase in cyber security insurance premiums. This trend is being reflected within the coverage that insurers are willing to provide and the scope of coverage for cyber security incidents within the larger deal insurance being offered.
The requirements for the addition of cyber security insurance as part of the wider transaction insurance was previously met by a lightweight approach (including external perimeter scans and dark web activity searches). While valuable, these activities no longer furnish the necessary insights now required to encourage the confidence the insurers need to insure the cyber security element of the transaction.
To be able to answer the specific questions on the key threats that the insurance industry is requesting, a different type of engagement with the target is required. This approach must leverage the traditional due diligence model of documentation reviews and more importantly, requires interaction with the stakeholders in addition to the technical scans and dark web research.
Such is the change in the insurance industry that losses arising from cyber security incidents are only being provided by insurance companies when there is a high degree of confidence with regards to certain controls. The existence of key controls could amount to the difference between moderate business disruption with minimal loss, and catastrophic interruption with significant financial loss for a business. It is for this reason that insurers are seeking to confirm the existence of these controls especially within the cyber security M&A insurance space.
The in-focus controls include the Kroll 10 Essential Cyber Security Controls for Increased Resilience (and Better Cyber Insurance Coverage), with an additional concern around the controls that ensure the resiliency and ability of the organization to recover from ransomware incidents, such as comprehensive offline backups. Ultimately, under-investing in cyber due diligence or reducing the scope of the cyber due diligence exercise has the potential to cause otherwise insurable organizations to not be covered for cyber security incidents. This is a post-deal impact not often seen by diligence providers. It could, however, be tremendously damaging for the business and the investors and is something that the deal practitioner should always keep in mind.
Future State
Cyber security risk shows no sign of becoming less of a concern for organizations, particularly those going through significant business change such as an acquisition or new investment. Threat actors will continue to seek new and creative ways to extort their targets, and the wider insurance industry will pursue deeper insights about the economic impact of such attacks. The attention and focus on specific controls that relate to high-impact attacks will go on to guide insurance policy decisions.
The genie is out of the bottle. The insurance industry has changed and there is a greater understanding of cyber security risk, the threat landscape and how specific organizations should, and most importantly do, protect themselves. The cyber security insurance industry continues to be one of the fastest moving areas of insurance, a fact reflected in the current threshold now in place within the significantly restricted “deal environment”.
Cyber security deal professionals must work with several partners, including investors who scope buyside due diligence cyber engagements, the broader cyber community with specific knowledge and insights into new and emerging attacks and, of course, the insurance industry.