Representation and Warranty Insurance (RWI) is an increasingly important tool for managing transactional risk in technology-sector M&A. In the first of a three-part series, we look at the types of cybersecurity and privacy risk that RWI insurers typically consider in the context of a technology transaction. Follow-up posts will look at risks related to (i) trade law and sanctions compliance and (ii) taxation.
This post was prepared in collaboration with Cathy Qi of AIG Canada.
By way of background, it will help to begin with a synopsis of current M&A market conditions in Canada. As the pandemic continues, a new reality has emerged that often feels like a live version of Groundhog Day. But there is a silver lining for practitioners in the area of technology M&A: after some choppiness in the initial period of on-and-off lockdowns, the deal market soon stabilized and moved ahead at a steady pace through the remainder of 2020. This trend seems likely to continue in 2021, driven by factors such as:
- Large amounts of private equity dry powder;
- Growing activity from family offices;
- Renewed M&A interest among corporate buyers; and
- Ongoing uncertainty spurring additional exits, contributing to M&A activity.¹
Representation and Warranty Insurance
Representation and warranty insurance (RWI) is now widely accepted as a useful tool for transactional risk management. Technology M&A is no exception. In our experience, insurers underwriting RWI in technology transactions tend to focus on a few key areas of risk, one of which is cybersecurity and privacy.
Correspondingly, a purchaser - typically the insured in an RWI policy - may also wish to focus on these same areas to help (i) avoid exclusions and limitations from RWI coverage arising from a lack of adequate diligence in these areas and (ii) determine the appropriate risk allocation between the purchaser and seller where such risks are likely to result in exclusions and limitations from RWI coverage.
Cybersecurity and privacy
It should be no surprise that cybersecurity and privacy top the list. RWI insurers expect robust due diligence on cyber and privacy matters for targets in all industries. For targets in the technology space, this area is almost always listed as an area of heightened scrutiny for RWI insurers - particularly if the target collects, stores, handles or otherwise processes confidential information (including personal information) and/or has material reliance on providers of Infrastructure-as-a-Service (IaaS) and/or Software-as-a-Service (SaaS).
When considering coverage in the technology sector, some of the factors that RWI insurers typically focus on include the following:
- Cybersecurity protections against cyber and ransomware attacks;
- The nature of the business the target is engaged in (e.g. B2B or B2C);
- The jurisdiction in which the target operates and the applicable regulatory environment (risk factors may be amplified for targets whose operations are subject to the laws and regulations of multiple jurisdictions);
- The type of data that the target collects, stores and handles, including whether the data constitutes sensitive or personal information (including personal health information, financial information, etc.);
- The availability and testing of business continuity/disaster recovery plans;
- Any history of unauthorized access to the target's data (including privacy breaches and cyber incidents and notifications made to privacy and other relevant authorities) as well as its responses to such incidents;
- Material privacy complaints or settlements;
- Regulatory cyber or privacy investigations or orders; and
- Underlying insurance coverage (e.g. cyber and E&O).
For technology companies that provide an ongoing service (whether it is SaaS or IaaS, etc.), the integrity and availability of such service is of critical importance. As a result, RWI insurers focus on:
- The security of the environment where such service is provided; and
- The policies and practices that the business deploys to protect such environment and that are designed to ensure the security, integrity and continued availability of such service.
Scope of coverage
RWI insurers rely on target companies having obtained adequate cybersecurity insurance (in terms of both amount and scope) for their business operations, and will often provide coverage for covered losses on breaches of privacy- and cybersecurity-related representations only on a basis that is no broader than, and in excess of, such existing insurance. If such coverage is considered good enough for the target's operational requirements to permit a seller to make the privacy and cybersecurity representations to the buyer to sell the business, then the RWI insurer's assumption of a breach of such representations may follow the same scope. In the event that the coverage limit for existing cybersecurity insurance is not deemed adequate (the level that is deemed adequate will depend on the target's business and varies from deal to deal), RWI insurers may elect to provide coverage, if at all, only after a threshold amount of covered losses (in excess of the coverage limit of the existing cybersecurity insurance policy) has been incurred by the insured, or may limit the coverage to a certain amount for covered cybersecurity matters.
As noted above, the types of data processed by the target are critically important to RWI insurers, and RWI insurers typically ask purchasers detailed questions on the sensitivity of the personal information processed by the target. RWI insurers would likely exclude personal health information from coverage on the basis that cybersecurity breaches involving such information may impose significant or difficult-to-quantify risks.
In the second post in the series, we will look at risks in the areas of trade law and sanctions compliance.
¹ Crosbie & Company, Canadian M&A Special Report - M&A Outlook for 2021, January 8, 2021.