In a previous blog post, we discussed how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction. In this post we discuss cyber security insurance as a tool for managing this unwelcome risk.

The cyber security risk

Although businesses have been ramping up their information security systems, the pace of cyber security breaches is not slowing down. One study estimates that cybercrime will cost businesses $2.1 trillion globally by 2019. And, as recent security breaches have taught us, a security breach can have reputational, moral, and deeply political complications. The 2014 hack of Sony Pictures cost the company $100 million, derailed plans for the distribution of a movie concerning North Korea, and raised ethical questions about the appropriate response to cyber terrorism.

On top of this, businesses will soon face stricter legal requirements around the disclosure of security breaches in Canada. New rules regarding the mandatory disclosure of security breaches were approved by Parliament in June 2015 and may come into force at any point. The Digital Privacy Act amends the Personal Information Protection and Electronic Documents Act and requires that an organization report any breach of security safeguards that reasonably creates a real risk of significant harm to an individual. Notification must be made to the Privacy Commissioner and to the individual involved. Significant harm under the statute includes financial loss, bodily harm, damage to reputation or relationships, and loss of employment, business or professional opportunities.

Cyber security breaches and their associated financial, reputational, and regulatory risks are here to stay.

Insurance as part of the solution

While the key to managing cyber security breaches will always be to implement strong data protection systems, cyber security insurance is becoming a popular way to address the financial consequences of cyber security breaches. A cyber security policy insures against risks to a company's information technology and data assets, and leaves the insurance company with the uncertainty of actual damages in the case of a breach.

In the context of M&A, the problem with cyber security risk is valuing and allocating risk among parties. Similar to reps and warranty insurance (which we discuss here), cyber security insurance allows a company to allocate risk by transferring some to the insurance company and leaving the buyer and seller to allocate any remaining risk that falls outside the policy. Cyber security insurance is also valuable before M&A. Having a policy in place may help ease the concerns of acquirers, as the insurance would cover security breaches that may have already occurred prior to closing but have yet to materialize. This has been found to hold true in jurisdictions that have data breach notification laws like the ones currently pending in Canada. Coverage can be a standalone product or can be built into existing policies such as business continuity insurance or supplier chain insurance.

Cyber security risk represents a new and significant risk to businesses. Simply being aware of this risk is critical in an M&A deal. Once the risk is recognized, however, putting appropriate security measures in place, conducting IT due diligence, and allocating risk by way of negotiation or insurance will help all parties cut through data breach uncertainty and settle material issues efficiently.

Norton Rose Fulbright Canada LLP
