The rise in hackers infiltrating company networks can inflict serious damage, especially when those companies are being acquired, since breaches can lower their valuations by a large percentage.
The role of cybersecurity insurance can serve as a stopgap measure as fraudsters penetrate systems through various mechanisms such as malware and phishing. Hacks which occur as companies are hammering out the details of an acquisition can be extremely expensive - after Yahoo, a Sunnyvale, Calif.-based Internet company, reported its breaches, New York-based Verizon (VZ) renegotiated the terms of their deal, slashing $350 million off the table.
The number of cybersecurity insurance policies has risen as companies are seeking solutions to lower their financial liability in case of a major attack. The market reached an estimated $3.5 billion in written premiums in 2016 of which $3 billion was written for U.S.-based companies, said Greg Reber, CEO at AsTech, a San Francisco-based security consulting company in a research paper. Experts predict the number of policies sold could easily double by 2020.
Even though nearly 100% of all businesses purchase commercial property and liability insurance, only 20% to 35% of U.S. companies have purchased cyber risk insurance coverage, according to a report by the Organisation for Economic Co-operation and Development, a Paris-based intergovernmental economic organization with 35 member countries.
The coverage offered by insurers varies widely: some will cover certain losses, such as ransom payments or those stemming from human error, while others will not. The policies rarely provide compensation for breaches where millions of customer records are stolen or intellectual property is lost because quantifying the value of the future business is difficult, Reber wrote.
The majority of underwriters offer policies for liability such as technology errors and omissions liability, media and intellectual property, regulatory fines and defense cost, network security, privacy, data breach expenses, network/cyber extortion threat, crisis management expenses and payment card industry coverage and business interruption.
While more companies are attempting to lower their risk by adding policies, the industry is fairly new and determining how much coverage to obtain, how much to pay and what the policies cover remains murky, he said.
"The questions are many and the answers are few," Reber said. "An emerging trend is security vendors are guaranteeing their products and services. This will most likely be demanded in the future."
The continuation of weak cyber security practices has "definitely" affected the valuations of companies, he said. Yahoo lost approximately 20% of its value in the merger with Verizon when the previous breach and lack of remediation became known. Based on Yahoo's November 2016 form 10-Q filed with the Securities and Exchange Commission, the company did not have an insurance policy during its breaches, said Reber.
Although a policy will pay for forensics and legal fees after a breach, it does not cover material valuation change, said Jake Olcott, former counsel to the U.S. House of Representatives Homeland Security Committee and currently vice president of strategic partnerships at BitSight, a Cambridge, Mass.-based security ratings company.
When companies such as Equifax (EFX), an Atlanta-based credit bureau company, suffer large market cap losses, those are not covered by insurance to "make up the difference in the price before the breach," he said.
Costs of Breaches
The hacks are costly to companies - Equifax saw its market cap dip to $13 billion, down from $16.8 billion before it announced the breach and from its year-to-date high of $17.3 billion.
Security experts should be part of the mergers and acquisition discussions because companies need to understand "their own security posture, including past breaches when going into merger talks and when obtaining insurance," Reber said.
The premiums being charged for cyber risk insurance coverage vary widely and can be expensive - they are estimated to be three times more expensive than general liability coverage and six times more expensive than property coverage for the same amount of coverage, he wrote in his paper.
Although the risk is the same, anecdotal reports have shown significant variation in prices quoted by different insurance companies for the same underlying risk. A U.S.-based pharmaceutical company received premium quotes which varied by 300% for the same coverage, Reber wrote.
The financial impact on companies averaged $3.6 million, based on a Ponemon Institute study, but the average breach claim was $665,000, according to a 2016 NetDiligence Cyber Claims Study, Reber wrote.
An increasing number of claims from smaller companies which generate under $300 million in revenue is a "strong indication that businesses of these sizes are becoming more attractive targets," he wrote.
Cyber risk insurance is helping companies mitigate their costs since having a policy can lower their expenses by 3.8% while "board involvement" during a breach response can decrease costs by 3.6%.
Acquiring companies are not just gaining the assets of another business, but also their liabilities, said Hitesh Sheth, CEO of Vectra, a San Jose, Calif.-based provider of automated threat management solutions.
"Knowing that attackers may have free rein in a network for 99 days before they are detected, acquiring companies should be prepared for the potential risk and liability of a cyberattack for at least one quarter past the close of a deal," he said.
The company being acquired should have implemented internal network monitoring to detect reconnaissance and lateral movement attacker behaviors in order to find and respond to an attack in real time, Sheth said.
M&A Deals Pose Higher Risk
M&A deals in the tech industry require extensive testing of the products to help the buyer avoid future losses, because customers and shareholders blame the buyer, not the company that created the technology or product, said Mike Weber, vice president, labs, of Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
When Whole Foods disclosed its breach in September, Amazon (AMZN) had just acquired the Austin-based supermarket chain and had not merged their systems. If Amazon, the Seattle-based Internet behemoth, had conducted a cyber due-diligence assessment, the evidence of a breach would have likely been discovered and its financial impact could have been discussed during the negotiations.
While cyber insurance can provide a financial cushion, it cannot save a company's brand, value and reputation long-term after a breach, he said.
During the M&A process, large amounts of highly sensitive and business-critical information are shared among advisors and the organizations themselves. The problem is compounded when the data is accessed by many people from multiple devices, such as laptops and smartphones, and in various cities, said Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management.
"In the case of cloud-based storage, the information might be co-mingled with the data of other organizations transmitted in many different ways, such as email, file transfer protocol or instant messaging and could be retained beyond the period specified for legal or regulatory purposes and improperly destroyed when information is no longer required," he said. "The information can often attract the attention of highly motivated, capable and well-funded adversaries, such as unscrupulous competitors and organized criminal groups and the extensive footprint of these assets provides more opportunities for attackers to gain access."
Why Policies Are Needed
The maximum cyber insurance program available to a large company is $100 million to $150 million since the market is relatively new and the volume of premiums remains low, said Dan Cotter, an attorney for Butler Rubin, a Chicago-based law firm. While Equifax disclosed it had cyber insurance in that range, the problem is that its exposure will likely be larger, he said.
"For the buyer, it gives some comfort that in the event of a breach, there is some resource available to respond to a significant breach," he said.
Coverage which is well-crafted is beneficial because it adds value for companies in highly regulated industries like healthcare, financial services, banking or retail, said Dan Farris, co-chair of the technology practice at Fox Rothschild and a former software engineer.
"It can help a seller in negotiations in some instances," he said. "Risk mitigation and demonstrating that liabilities and potential exposure to a buyer are hedged can help a seller push for a higher purchase price."
An insurance policy can impact the amount an acquirer is willing to pay, said Sara Romine, a partner in the Dallas office of Carrington, Coleman, Sloman & Blumenthal.
"The devil is in the details and the prospective buyer will want to know exactly what the policy covers, the adequacy of the limits relative to the potential cost of a security incident and whether the coverage tracks the specific risks the company faces," she said.
The purchaser should look at how well the company safeguards and stores its data, and at how that data is used or disseminated.
These insurance policies are valuable for unlisted companies where the drop in value after a breach is more difficult to quantify beyond the fines and lawsuits, said Ebba Blitz, CEO of AlertSec, a cloud-based encryption company in Palo Alto, California.
Already having an IT security chain that includes a VPN tunnel, multi-factor authentication and firewalls protects a company, as well as its third-party contractors and customers, against a breach and prevents companies from losing valuation during a merger.
"Companies should invest their cybersecurity dollars in prevention over cure," she said.
A policy can ensure that the buyer is protected in case of malware or other breaches that may not be discovered until after a deal closes, said Michael Tanenbaum, executive vice president of Chubb Financial Lines, a Zurich-based insurance company.
"From the acquirer's perspective, a robust cybersecurity program with a cyber insurance component allows them to better assess the potential cyber risks of the target company," he said.
Even companies that have a policy in place must ensure that they implement the strongest security protocols or risk having their coverage not pay out.
"Insurance companies now often demand the insured to implement cybersecurity controls to avoid voiding coverage," said Yan Chen, an associate professor at Florida International University in Miami.