As cybersecurity risks increase, it has become even more critical to understand how representations and warranties insurance (RWI) policies interact with cyber policies. RWI carriers have become more conservative in response to the heightened cybersecurity risk environment and buyers should carefully consider the implications of this changing approach.
New approach to RWI with respect to cybersecurity
As for data privacy and security matters, carriers historically were willing to underwrite this risk subject to standard underwriting that involved three key areas of inquiry:
- Confirmation that a commercially appropriate amount of underlying cyber coverage for pre-closing matters would be available to the buyer following the closing (i.e., verifying the availability of prior acts coverage)
- Reviewing the strength of the target’s IT systems, including any past data breaches
- Understanding and assessing the sensitivity of the information being processed by or stored on target’s IT systems, especially any Personally Identifiable Information (PII)
More recently however, RWI carriers have shifted to a more conservative posture in response to the heightened cybersecurity risk environment, including proposing, as part of the carriers’ initial review of an RWI submission, a broad data privacy/cyber security exclusion or that RWI coverage will only be “excess of and no broader than” adequate underlying cyber coverage.
Considerations
Buyers and their advisors should carefully consider the implications of this new approach when debating which RWI carrier to select for underwriting or when negotiating coverage positions with an RWI carrier. A few points to consider:
- At first glance, an excess of and no broader than” position with respect to underlying cyber insurance position may appear to be significantly more favorable than a broad data privacy/cybersecurity exclusion. However, buyers and their advisors should understand that a “no broader than” position means that all exclusions set forth in the underlying cyber insurance policy will be incorporated into the RWI policy. To fully understand what type of data privacy or cyber matters will be covered by an RWI policy, buyers and their advisors should carefully review the exclusions in the underlying cyber policy, particularly when weighed against other factors that may be important to the RWI policy, including premium, retention and other proposed exclusions. At WTW, our integrated Insurance Due Diligence team works with our Transactional Risk team to proactively assess a target’s cyber coverage and risk profile to enable us to negotiate and work through the value of an “excess of and no broader than” cyber position at the initial quoting stage. In addition to outlining for buyers the potential value/limitations of coverage, this holistic approach helps reduce friction during the RWI underwriting process by managing carrier expectations at the outset.
- RWI carriers may restrict coverage when concerned about a target’s susceptibility to ransomware attacks, especially considering recent geopolitical concerns and the loss activity seen in the broader cyber insurance market driven by such attacks. RWI coverage however is retrospective, applying only to pre-closing operations of a target. Ransomware attacks generally manifest on a short fuse so where the buyer learns of a ransomware attack at the target before the RWI policy is bound (typically when the underlying deal signs), the attack will be excluded under the RWI policy as a known pre-closing matter.
- All RWI policies contain ’Other Insurance’ clauses that generally provide that the RWI policy is excess of other available insurance coverage that responds to a loss that is also covered by the RWI policy. To the extent known, RWI brokers should inform carriers at the outset what coverage will be available under the Buyer’s insurance program for pre-closing matters. Cyber policy deductibles are almost always materially lower than RWI policy deductibles, so as a practical matter, buyers are indirectly incentivized to pursue cyber policies as first recourse. However, as most cyber policies are issued on a “claims made” basis and often have “change in control provisions,” that can be triggered at closing, maintaining continuity of cyber coverage to address issues arising from pre-closing operations is critical.
What next?
Some carriers may have firm concerns and may take firm positions with respect to data privacy and cybersecurity matters because certain IT security issues take time to manifest (i.e., concerns that a covered pre-closing matter does not manifest until post-closing when coverage is in place) and because of general industry sector vulnerabilities (i.e., e-commerce), but insureds may achieve broader coverage by sharing additional information with RWI carriers prior to underwriting.
It is critical to that your transactional risk team works side-by-side with an insurance due diligence team to navigate this shifting landscape of cyber coverage. Although RWI carriers have become more conservative in their approach to cyber, it’s imperative to flag issues early and highlight critical considerations to ensure you are maximizing coverage and addressing critical risk factors to the maximum extent possible. At WTW, our fully-integrated M&A group includes a Transactional Risk team of over 20 brokers who work seamlessly with our Insurance Due Diligence team to assist clients in successfully navigating these issues, providing insights and holistic solutions across all stages of the RWI underwriting process.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
