Specialty Podcast: Cyber Risks for Financial Institutions During M&A

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Jacob Borth (00:08):
Welcome back to another Alliant Specialty podcast. This is Jacob Borth from Alliant Mergers and Acquisitions Group. I'm a senior member of our transactional risk team and in I'm based in New York City. With me this morning I have two senior members of Alliant’s Merger and Acquisition Cyber and IT consultancy team, Michael White and Nolan Wilson. Thanks for joining.

Michael White (00:28):
Thank you very much. Good morning.

Nolan Wilson (00:29):
Good morning, Jacob. How are you doing?

Jacob Borth (00:31):
Doing well. How about yourself?

Nolan Wilson (00:32):
I'm good. Thanks for having me.

Jacob Borth (00:34):
Very good. What we're seeking to achieve in our recording this morning is to highlight mergers and acquisitions surrounding financial services, including as a function of its recent uptick in deal activity, but most specifically typical cyber and network security exposures underwritten to and rep warranty insurance within the industry class. We ultimately look to highlight Alliant’s comprehensive offering and expertise in rep warranty insurance and cyber and network security diligence and how the marriage of an effective insurance program and due diligence amidst a merger or acquisition can address the exposures and focus. So, what does M&A look like for financial services in 2023? Despite the broader M&A market being slightly slower in parts of 2022 and into 2023, transactions surrounding targets in the financial services industry have not seen the same level of slowdown as other industry classes. By some accounts, these transactions have actually increased.

Quarter 3, 2023 is looking to be a record quarter for deal value within financial services. There are a number of factors that are driving this uptick of deals within the industry class. Most investment advisors and asset managers have stated service offering and investment diversification. The current fee environment, which is often and widely described as a race to zero, there's heavy competitive pressure and technology as the main drivers of M&A. Of course, recognizing potential macroeconomic and geopolitical headwinds of the last few weeks, many asset managers want to be a one-stop shop for their investors and many are moving from single strategy or niche strategy to becoming multi-strategy providers. According to a recent PitchBook article, in the first half of 2023, private equity invested more than in any other year of the past decade to acquire asset managers, with deal value total about 20% higher than the previous peak of all of 2021.

Complimentary to those figures, the period of 2019 through 2022 saw a 13% jump in strategic alliances of asset managers and financial services, according to Ernst and Young Data. I attended a recent asset manager symposium. They had estimated that 75% of asset managers were actively looking at or would be looking at acquisitions in the coming 12 months. So, we as insurance brokers aren't necessarily expecting this trend to wholly capitulate despite the current interest rate environment and again, potential economic and geopolitical headwinds. Those in the industry are bullish on the M&A trend in financial services. Of course, one of the bigger and more notable acquisitions in this space this year is the $2.7 billion acquisition of Angelo Gordon by TPG. So, with respect to rep and warranty insurance and financial services transactions, what does the make-up look like and what does that look like in 2023?

More and more deals are being facilitated with rep and warranty insurance, meaning more rep and warranty policies are being placed as a percentage against the overall M&A market. And we say as much, despite slower M&A years more broadly, in both 2022 and 2023. The rate at which new insurers have entered has also increased. Our product has never seen so much insurer competition and capacity as it does now, whereas just a few short years ago, maybe a handful of reliable insurers would underwrite these transactions, to which that figure is certainly more than doubled in 2023. More and more transactions surrounding financial institutions themselves are being insured and we don't see that trend nor the trend of insurers' propensity to insure as much, as slowing anytime soon. So, who will underwrite two FI transactions? Mainstays in the marketplace continue to be relied upon for underwriting this industry class; those who continue to have staying power and brand maturation in the marketplace itself.

The fact that there are less deals to be had and continued insure capital into the market has undeniably created a soft rep and warranty insurance marketplace with pressure on pricing and broader terms and conditions in the insurance policies themselves. More insurers than ever are willing to underwrite and assume risk for financial services deals. So, what types of deals will said underwriters look at? I've personally worked on transactions and facilitated a rep and warranty policy for as small as $7 million in enterprise value within this industry class. This holds true for the broader rep and warranty marketplace as well. But we want to emphasize as much for transactions and what have historically been viewed as tougher industry classes, and in this case, financial services. Our team is largely focused on middle market transactions, and while we recognize everyone may have a different definition of what middle market actually means, we’ve facilitated policies in this industry class for both micro and mega deals.

With that, what are some of the exposures for the rep and warranty insurers? The more things change, the more they stay the same certainly holds true. The rep and warranty policy intends to cover breaches of the representations in an acquisition agreement, regulatory matters, employment related matters, including partnership disputes, employment practices, litigation, failure to promote retaliatory practices, wrongful termination, amongst others. Rep and warranty insurers will look at errors and omissions or customer claims against the general partner, investment advisor or trader. And to this end, does the target company have sufficient insurance in place? Is certainly a question that is asked on every transaction that we work on. And of course, data collection and data privacy practices and network security matters. So, what do rep and warranty underwriters specifically underwrite to as respect to network security, information technology and data privacy? The first question that's typically asked on our underwriting call is: please describe any analysis concerning the protection of trade secret information, if any.

Does the company have any custom or proprietary software? Please also provide an overview of any diligence regarding the company's information, technology systems, but what is the status of the company's backup and business continuity systems, if any? And this next one as well couldn't be more front and center: What personal or other sensitive information does the company receive? What does it store and how does it use that information? What data privacy and security rules or laws apply to the company? Is there exposure to payment card industry or PCI? Is there exposure to general data protection regulation or GDPR? Is their exposure to California privacy laws, etc.? Rep and warranty insurers will also request an analysis of data privacy and security issues with an emphasis on cyber incidents and known material risks. If any issues to the aforementioned, insurers can reasonably expect it to inquire to mitigation efforts and potentially inquire as to disclosure between buyer and seller on those specific matters.

And last but not least, does the target company procure network security and cyber liability insurance? The takeaway for our listeners is that having a proactive comprehensive risk management approach and a broker who is asking the right questions, understanding the acquisition and the target’s business as a whole and interpreting potential exposures can make all the difference and more bluntly, save real time and dollars across a portfolio. And we highlight as much regardless of whether the transaction is occurring at the fund or general partner level or the portfolio company level via add-on acquisition. And with that, I think this is a perfect segue for the cyber team to jump in. So I'll pass the microphone to both Michael and Nolan.

Michael White (08:45):
Thank you, Jacob. Moving on to discuss why financial services companies are attractive targets to cyber activity, and there's multiple reasons. Two examples are the sensitivity of the client data they possess, as Jacob had mentioned, and that they're often highly regulated with regard to sensitivity of client data. They have client personal information that can be used to create an identity. This information is considered PII or personally identifiable information. Another type of client information is financial, which can be exploited to take clients' money. In addition to possessing this information, financial services companies can have the need to share the information with other firms. It is in the process of sharing this information that can potentially lead to data exposure. We have found that customer information is often stored permanently in secure systems. But when taken out of the secure system and shared, the end-to-end sharing process is less secure.

It is the full end-to-end process that the cybersecurity and risk focus should be placed upon. Financial companies are subject to strict regulation. However, these regulations can also make financial companies more attractive targets as cyber criminals know that they may be able to extort money by threatening to publicly expose their vulnerabilities, resulting in a breach of regulatory compliance as well as a loss of confidence from their customers. Morgan Stanley had to pay a $35 million penalty after customer sensitive information was left unencrypted on hard drives that were taken out of decommissioned servers. The accusation was that they had failed to properly dispose of thousands of hard drives and backup tapes containing personal identifiable information. Another area that has been the source for drawing the attention of threat actors is when investment announcements are made. The announcement creates awareness for companies that do not often receive a lot of public attention.

The awareness is not only of the company that is the subject of the investment, but also the private equity company performing the investment. There are sophisticated threat actors that specialize in targeting these business transactions. They perform complex reconnaissance on private equity firms and their portfolio companies in order to obtain key employee credentials, they can hijack relationships, intercept email, and even initiate wire transfers to steal invested dollars. And though the impact is great, there are a number of reasons why portfolio companies haven't created robust cybersecurity programs. Reasons such as cost, lack of expertise and lack of awareness. The private equity firms that own these companies should take a leadership role in understanding the strengths and weaknesses of their portfolio companies’ cybersecurity programs and make sure that their business owners understand and are prepared for the threats. Also, a private equity firm's investment horizon is often three to five years.

A strong cybersecurity program can help make a company more attractive to potential buyers as it reduces the risk of a data breach or other cyber incident. It is difficult to say how much money a company saved by preventing a cyber attack. This can make it challenging for companies to justify spending money on cybersecurity once you have estimated the cost of the cybersecurity program and the losses that were prevented by the program. You can plug these numbers into an ROI formula to calculate the ROI of the program. And once ROI is understood, a decision can be made whether to accept the risk, transfer the risk or reduce the risk. Risk transfer is the process of moving the financial burden of a cybersecurity risk to another party, such as an insurance company. This can be a very good option for organizations that cannot afford to bear the full cost of a cybersecurity incident. Risk reduction is the process of taking steps to reduce the likelihood of a cybersecurity risk. This can involve implementing technical controls such as firewalls, intrusion detection systems and non-technical controls such as security awareness training for employees. The specific items that are included in a cybersecurity program will vary depending on the size and complexity of the organization.

Nolan Wilson (15:12):
Awesome, thanks Michael. This is Nolan. I can jump in from an insurance perspective. I think everything that you and Jacob highlighted are critical points to the underwriting of the cyber insurance policy. To what Jacob was talking about around specifically M&A transactions, most cyber insurers will talk about the increased risks that occurred during the M&A process and at closing of a particular deal. I think the acquiring company may have done some due diligence but would not have access to get into the system of the target company and a lot of additional information could come to light following the close of the acquisition. The insurers have seen a lot of claims activities emanating from this and that's why they are concerned about a lot of the exposures that you talked about. I think from an underwriting perspective on cyber insurance, the proactive approach is definitely the way to go.

I think we've seen a lot more success with the insurance purchasing when we can show the insurance marketplace that the client has a robust cybersecurity practice, that it's proactive doing the phishing training. You talked about social engineering. Jacob had talked previously about having a backup systems and business continuity. All these things are extremely important to show the underwriters that the buyer is taking a proactive approach and will result in better terms and conditions, more competitive pricing, lower deductibles or retentions. So, it's really the right approach. The last thing I wanted to touch on from the insurance perspective is if both the acquiring party and the target company have a cyber insurance policy, you just want to make sure that you coordinate a lot of the language so that you're moving over to assuming the purchaser of the target company is going to be the insurance that stands just to make sure that you're not losing any coverage. There are extended reporting periods; there's prior acts coverage that come into play. So, it's just important to coordinate all the parties with the insurance to make sure that you have consistent coverage in these acquisition scenarios.

Jacob Borth (17:13):
Nolan, and just on that last point, and I know your group gets sick of our group pinging and asking this on just about every transaction. But just touch on where you've seen obtaining prior acts and insurers' willingness to provide prior acts coverage. They have an existing program that's one thing. But if you're going in blind, if you're going into procuring a policy today, maybe speak to trends that you've seen with prior acts coverage, because it's certainly pertinent to the rep and warranty process as well.

Nolan Wilson (17:44):
Yeah, absolutely. Everything we had talked about earlier, the increased risk during this M&A activity, I think it's even more important that you do have the prior acts coverage in place. So, depending on the size of the target company, especially relative to the acquiring company, you may be asked for more underwriting information. But the insurance company that's taking on that risk is certainly going to want to do their due diligence and understand the different controls that are in place. You guys talked about the technology systems, the backups, access to personal information, how that's protected. All of these things are important factors in the insurance company that will provide the go forward coverage and potentially prior acts coverage to factor in when you're going to obtain the prior acts coverage and the amount of premium it might be. So, the cyber insurance policies do have automatic acquisition thresholds that are generally ranged from 10% to 25% of the acquiring company's revenues, but that only includes coverage as of the date of the acquisition and going forward. So, anything that occurred prior to is not covered unless you negotiate that prior coverage into the acquiring company's insurance policy, or you buy an extended reporting period under the target company's policy if they have even purchased one. So, with the increased exposure during this time, I think it's more critical to make sure you have a plan in place to make sure everyone's on the same page with what is and what might not be covered going forward.

Jacob Borth (19:09):
Excellent, and appreciate it. Appreciate your participation, both Nolan and Michael. And with that we'll close out today's podcast and recording. And again, our thanks to everyone for listening. We look forward to working with everyone soon.