In a previous blog post, we discussed how to manage cyber
security risks during the negotiation and due diligence stages of
an M&A transaction. In this post we discuss cyber security
insurance as a tool for managing this unwelcome risk.
The cyber security risk
Although businesses have been ramping up their information
security systems, the pace of cyber security breaches is not
slowing down. One study estimates that cybercrime will cost
businesses $2.1 trillion globally by 2019. And, as recent security
breaches have taught us, a security breach can have reputational,
moral, and deeply political complications. The 2014 hack of Sony
Pictures cost the company $100 million, derailed plans
for the distribution a movie concerning North Korea, and raised
ethical questions about the appropriate response to cyber
On top of this, businesses will soon face stricter legal
requirements around the disclosure of security breaches in Canada.
New rules regarding the mandatory disclosure of security breaches
were approved by Parliament in June 2015 and may come into force at
any point. The Digital Privacy Act amends the Personal
Information Protection and Electronic Documents Act and
requires that an organization report any breach of security
safeguards that reasonably creates a real risk of significant harm
to an individual. Notification must be made to the Privacy
Commissioner and to the individual involved. Significant harm under
the statute includes financial loss, bodily harm, damage to
reputation or relationships, and loss of employment, business or
Cyber security breaches and their associated financial,
reputational, and regulatory risks are here to stay.
Insurance as part of the solution
While the key to managing cyber security breaches will always be
to implement strong data protection systems, cyber security
insurance is becoming a popular way to address the financial
consequences of cyber security breaches. A cyber security policy
insures against risks to a company's information technology and
data assets, and leaves the insurance company with the uncertainty
of actual damages in the case of a breach.
In the context of M&A, the problem with cyber security risk
is valuing and allocating risk among parties. Similar to reps and
warranty insurance (which we discuss here), cyber security insurance allows a
company to allocate risk by transferring some to the insurance
company and leaving the buyer and seller to allocate any remaining
risk that falls outside the policy. Cyber security insurance is
also valuable before M&A. Having a policy in place may help
ease concerns of acquirers as the insurance would cover security
breaches that may have already occurred prior closing but have yet
to materialize. This has been found to hold true in jurisdictions
that have data breach notification laws like the ones currently
pending in Canada. Coverage can be a standalone product or can be
built into existing policies such as business continuity insurance
or supplier chain insurance.
Cyber security risk represents a new and significant risk to
businesses. Simply being aware of this risk is critical in an
M&A deal. Once recognized, however, placing appropriate
security measures, conducting IT due diligence, and allocating risk
by way of negotiation or insurance will help all parties cut
through data breach uncertainty and settle material issues
Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global legal practice. We provide
the world's pre-eminent corporations and financial institutions
with a full business law service. We have more than 3800 lawyers
based in over 50 cities across Europe, the United States, Canada,
Latin America, Asia, Australia, Africa, the Middle East and Central
Recognized for our industry focus, we are strong across all
the key industry sectors: financial institutions; energy;
infrastructure, mining and commodities; transport; technology and
innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global
business principles of quality, unity and integrity. We aim to
provide the highest possible standard of legal service in each of
our offices and to maintain that level of quality at every point of
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia,
Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South
Africa (incorporated as Deneys Reitz Inc) and Fulbright &
Jaworski LLP, each of which is a separate legal entity, are members
('the Norton Rose Fulbright members') of Norton Rose
Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein
helps coordinate the activities of the Norton Rose Fulbright
members but does not itself provide legal services to
The content of this article is intended to provide a
general guide to the subject matter. Specialist advice should be
sought about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Under the Income Tax Act, the Employment Insurance Act, and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions or GST.
Under the Income Tax Act, the Employment Insurance Act, the Canada Pension Plan Act and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).