M&A Roundtable: Securing the Deal - Managing Cyber and IT Risk in M&A
Cyber threats continue to be a heightened area of focus for buyers as well as rep and warranty insurers. It is now more important than ever to have a coordinated approach to cybersecurity and IT due diligence; insurance due diligence; as well as reps and warranties insurance. In part two of the podcast series, Jonathan Gilbert sits down with Chad Neale and Larry Shapiro, Alliant, to discuss the evolution of rep and warranty underwriting, both for buyers and sellers. The team also explores the importance of a coordinated approach to managing cybersecurity and IT due diligence, helping secure the deal and giving valuable “deal time” back to our private equity clients.
You're listening to the Alliant M&A Roundtable, providing insights and expertise on the unique risk management needs of private equity firms.
John Gilbert (00:12):
Thanks, everyone for joining another exciting podcast brought to you by Alliant M&A, I'm John Gilbert. I co-lead the M&A practice here at Alliant. Here we have Larry Shapiro and Chad Neale in part two of our cyber series. I'll let Larry and Chad introduce themselves, but very excited to have both on the line. And with that, Larry why don't I turn it to you to make a quick introduction, and then we'll turn to Chad.
Larry Shapiro (00:37):
All right. Thanks, John. So, this is Larry Shapiro and I lead the Alliant representation and warranties insurance team. Happy to be here, talking with everybody, and excited to be doing it alongside Chad.
Chad Neale (00:47):
Thanks, Larry. This is Chad Neale. I lead the cybersecurity practice within the Alliant M&A group.
Larry Shapiro (00:54):
So, John, I think maybe a good place to get started is to give a little bit of a skid in the market, at least from a representations and warranties insurance perspective. I can say that it's still a very robust market out there we've seen, I think this year it's been quite an active year. It's been a little bit lumpier than the prior year. I think coming off of last year, volume and deal flow was at pretty much an all-time high. And then I think it's been a little bit lumpier throughout the year. This year, we've had a lot of spikes in activity and then some periods where it's not quite a lull, but certainly, it's been a little bit more fits and starts. I think this year, you know, the marketplace continues to be very robust and that's true, notwithstanding any global political concerns, as well as any concerns around inflation. And I think where we're situated today, we're seeing some pretty high volume in terms of, you know, potentially insured transactions. And we've seen a lot of good, healthy appetite in the market as underwriters continue to perform quite well.
John Gilbert (01:58):
Yeah, that's great, Larry, appreciate that and those really insightful comments in the market. It certainly has been an exciting 12 months or longer in the Reps and Warranties insurance market and a lot of evolutions as well. You know, as we think about underwriters and what they look for as they're looking to underwrite a particular transaction, Chad, I'd love to hear from you on how cyber security diligence and IT diligence has really evolved over the last few years, you know, are more firms doing due diligence in that area now? And what are the driving forces behind that, if there is an increase in diligence activity, is it cyber-attacks, is it lenders, maybe it's Reps and Warranties underwriters... I'd love to hear any kind of commentary on that.
Chad Neale (02:42):
Absolutely. Well, I think it's really a combination of all those factors that you just listed that are kind of driving a shift that I've seen in the last two to three years. And you're seeing a much greater focus by the investment teams around cyber security and IT diligence as they're looking at potential acquisitions. I think there's just a much greater appreciation today of the impact technical debt can have on the investment thesis and the negative impact the cyber security event can have on value creation. You can't really go a day or two without reading about a new attack, that's impacted organizations either from a loss of information standpoint or what you're seeing more and more due to ransomware is the operational downtime, which turns to financial loss very quickly. What that means practically with this new focus is that firms are asking us to spend more time understanding the scalability, stability, and the security of the seller's business applications and their IT infrastructure. There's also recognition that there's a good chance today that, even still, the cybersecurity posture at many of these portfolio companies is going to be nascent. That's not a surprise but having a really good idea of what the cost to remediate those gaps looks like, in addition to the cost of technical debt is really key for better modeling and prioritization post-acquisition.
John Gilbert (04:16):
Appreciate that Chad, and Larry, on your end, what do you see underwriters as far as their expectations for buyers with respect to cyber security and IT diligence; Did they always require it, or do they require it now? What do they want to see? Any commentary there would be very helpful.
Larry Shapiro (04:34):
Yeah, sure. I mean, I think we think about it from a variety of different perspectives. Certainly, you can take a historical view of it. 2020, 2021, we, in the market, saw a higher percentage of the deals that were looking to be insured and really a higher percentage of the deals that were taking place overall, to be more focused on either the healthcare or on the tech sectors. And so, as we saw a higher percentage of those transactions, being the transactions that were going into the transactional insurance market, we started to see an evolution in the way insurers thought about IT and cyber diligence, right? Because I think a higher proportion of the deals that they were being asked to insure had at least potentially higher risk exposure when it came down to IT infrastructure or with respect to cyber risks. So, you know, if you look at it from the perspective of a particular target, obviously targets that either collect or aggregate or store any meaningful amount of PII or PHI or even sensitive corporate information, they're going to attract attention from the underwriters and the underwriter's expectations around the scope and depth of diligence for any potential exposures is going to be heightened. So, the expectations around diligence have evolved. We've seen a number of third-party diligence providers become more and more prevalent, and I think that it's become far more commonplace for our clients, both strategic players and financial sponsors alike, to more routinely employ third-party diligence providers.
John Gilbert (06:00):
Really, you can't turn on the news without seeing some commentary around cybersecurity, whether it's a breach or a hack or otherwise, and no company seems immune these days. So not surprising that underwriters are increasing the focus on this particular area. As underwriters often go through their sort of review and doing their audit of the diligence that was done by the buyer. Chad, have you seen an increase in the questions that have come from Rep and Warranties insurance underwriters, you know, what do you see as their focus? What is your experience kind of generally been the last year or two?
Chad Neale (06:34):
Well, as you might imagine, since we're already digging in really deep from an IT and cyber perspective, as part of the due diligence process, we're in the front line in, uncovering the state of play at the seller's IT and OT environment, as well as their overall security posture. As a result, it's becoming more of a requirement to bring in specialists that support that underwriting process. It's not uncommon for third-party diligence providers focusing in these areas to be working very closely with the brokers and underwriters during this phase of diligence, from an IT point of view, the focus is really on the adequacy of the infrastructure and the potential impact related to the technical debt at the seller, from a cyber perspective it comes down to how is that organization operating from a cyber hygiene standpoint? Are they patching? Are they running scans to uncover potential vulnerabilities? Do they have good governance in place? So, have they got policies and procedures that are actually operationalized? Then, of course, what kind of investments they've made from a detection and protection standpoint. But also, today you're seeing a very large focus on what kind of ransomware protection and what kind of recovery capabilities are in place to address a potential ransomware attack.
John Gilbert (08:00):
Thanks, Chad, for that, you know, Larry, turning kind of back to the agreement itself and recognizing that the Rep and Warranties insurance policy includes the purchase agreement itself, as really part of the policy, how you've seen the seller's representation, with respect to cyber evolve over the years?
Larry Shapiro (08:18):
So, I think there's an inclination to say that it varies by industry, but also, we oftentimes do see some form agreements and form sets of reps. I think we'll see it vary more specifically by a law firm. Certainly, I think a lot of advisors, lawyers included, they're going to conduct their work or they're going to draft the reps based upon experience. So, over the last two years, there's obviously been a much more heightened exposure to what the risks are, relevant to cyber and IT potential issues. And I think that there are buyers out there that are looking for more protection, but quite frankly, I think they're also cognizant that they're not going to be able to ask for reps that either the seller can't give, or if Reps and Warranties insurance is contemplated, that insurer can't meaningfully stand behind. So, notwithstanding the evolution that we have seen around a lot of relevant reps, we're also seeing responses from insurers in the market. And while specific appetite varies insurer by insurer, we still do see a more uniform effort in the last, I'd say 12 months or so, where insurers are looking to knowledge-qualify certain reps, you know, maybe they'd be reps that are made specifically around potential intrusions or cyber-attacks in particular, to pick up or to acknowledge that there may be some latent issues and you may not know for a while, so you may not know whether or not there's been intrusion or attack. So, you may see some knowledge qualification coming in. So, it's either going to live in the reps themselves, or it's going to be sort of input on a synthetic basis through the policy. So, we've seen an evolution of the reps. We've seen insurers react and respond in the manner in which they're going to cover the reps, and I think it's going to continue to evolve.
John Gilbert (09:53):
I imagine that the insurers are seeing the evolution, and it may be expanding, of certain cyber reps that they're going to have an increased level of diligence or at least an expectation of due diligence that the buyer must do to cover that presentation effectively as well.
Larry Shapiro (10:10):
John Gilbert (10:10):
So, that's certainly interesting.
Larry Shapiro (10:11):
I think that's a key point. I think that as we see the reps expand or as we see the environment around the reps continue to be pretty vibrant. The scope of the diligence, I think the depth and the expertise of the diligence providers become far more important.
John Gilbert (10:25):
Yeah, certainly makes a lot of sense, and that's certainly what we've seen in the market, in terms of the number of buyers that now do robust cybersecurity and IT diligence. Certainly, much greater than it was a year ago, two years ago, and only see that trend continuing. To that end for both Larry and Chad, why is it important for a buyer to have a coordinated approach for cyber-IT diligence, as well as Reps and Warranty insurance placement, and then even in placement of this cyber insurance program, it just seems like there could be a lot of intersections there. Would love to hear your thoughts on the benefits of a coordinated approach.
Chad Neale (11:02):
That's a great question. There's going to be a lot of coordination, even at the very basic level between the reps and warranties insurance and the cyber insurance. I think most people that are familiar with Reps and Warranties insurance understand that it's more of a general type of insurance that wraps the transaction itself, and the expectation will always be that, with respect to customary commercial insurance coverage, Reps and Warranties insurers are expecting that the target is already covered by traditional commercial insurance. So, if it would be commercially reasonable for a particular target to have standalone cyber insurance in place, then the Reps and Warranties insurer will expect coordination between the Reps coverage and the cyber coverage, but they are expecting cyber coverage to be available, to be responsive so that the Rep insurance is not primary on that risk. So that's the first instance of coordination, and then when you start taking a look at how we are assessing the adequacy through the diligence of the Target's insurance, cyber insurance, or, you know, the adequacy of their policies and procedures around IT infrastructure and data and cyber protection. I think having an integrated approach between that diligence work stream, in-house, and the brokerage that's coordinating all the other aspects of the diligence that the buyers conducted. I think it's kind of critical that you can walk together in lockstep and be responsive to the concerns that a buyer may have around the adequacy of the Target's insurance.
Larry, you bring up some great points, and, you know, from my experience what's really critical from the alignment point of view is that oftentimes on the seller side, they don't have a cyber security expert that's running their cyber program, right? So, they might be representing things in a certain way because they have limited understanding of, really what the root of your question is, and being able to respond in a way that's accurate sometimes not by any fault of their own, except for the fact that they're just not an expert in this space. So having that coordination between the team on the diligence side, that are really experts leaning into these questions and really getting to the bottom of what reality looks like at the seller, can really help inform the underwriting.
John Gilbert (13:25):
That's great guys, really puts Alliant M&A, in a very unique position to deliver for our clients, in that we're housed as one unit with cyber-IT diligence, Reps and Warranties insurance, and certainly cyber insurance professionals kind of all wrapped into one. So just the speed and efficiency that we're able to deliver puts us in a very unique position, certainly for our client base and prospective clients as well. You know, Larry and Chad, I would love to get your take on the approach for what a number of our clients do, which is an initial platform acquisition, and then, one, two, or maybe even 10 add-on acquisitions in a relatively fast pace. How do you advise our clients prepare for the initial acquisition, but then also as they look to make those subsequent acquisitions, is it set in the playbook? Is it preparing for that next deal with Reps and Warranties insurance, and again, also assessing the cyber security piece?
Larry Shapiro (14:21):
I think from a preparation perspective, there is this notion with Reps and Warranties insurance, that buyers are effectively conducting themselves as they would, if it was, or if it wasn't insured. So, I think that there can be an expectation that, you know, you are adequately assessing and preparing for those subsequent or upcoming acquisitions, you know, irrespective of the source of recourse that you have for potential breaches. But, having said that, we're all the wiser, each time we run through an underwriting exercise, and if it's a series of add-ons for a particular portfolio company, quite often, I think the approach might be similar in terms of the diligence providers, but also maybe the nature of the target operations. So, I think, it's served us quite well, where we've seen what that particular underwriter has looked for on prior transactions and maybe even for the platform. So, as we start to look at add-ons, we can get far ahead and out in front of a lot of those questions and start preparing for it. I think when it comes down to looking at programs that provide, you know, coverage for full prior acts, I think from a Reps and Warranties perspective, obviously, that's a necessity.
John Gilbert (15:33):
Yeah, and Chad, from your standpoint, you know, put aside even Reps and Warranties insurance, but how do you advise and what's the playbook for your private firms that do have an aggressive add-on acquisition strategy for their portfolio companies?
Chad Neale (15:46):
That's really important to understand going into the due diligence process, because if this company that we're assessing this process is actually going to be a platform where other companies will be acquired and integrated, then we're going to be looking at that IT infrastructure a little bit different than if it was an organic growth strategy that defined their investment thesis. So, when we're involved with those types of transactions, we're looking to see, what type of systems do they have in place today. Are they going to be scalable and are they fairly standard implementations or has there been a tremendous amount of customization in order to support the business? And therefore, there could be some challenges as future acquisitions are made and putting together a strategy to integrate that business with them, whether that's from an operation standpoint, a financial reporting standpoint, we're going to be looking at that technical underpinning and make sure that they're really well positioned. This is an area that we often see that maybe the ERP system that they're on today is not really one that's going to be able to support this, or they're not using the full capabilities of the existing ERP system. They're doing a lot of processes outside of the system, and therefore rolling up the reporting across add-ons is going to be very difficult. Then, of course, from a cyber perspective, having a good program in place so that you've got the type of process to be able to vet add-ons before there's actually integration so that you're not introducing security vulnerabilities and weaknesses that the add-on company will bring with them.
John Gilbert (17:34):
Yeah, that makes a lot of sense, really on both fronts to set a process and prepare on both the Reps and Warranties insurance, they could run the same playbook and be efficient, and then on the cyber-IT side as well. So, thank you. Well, thank you all for listening. Stay tuned for part three of the Cyber M&A podcast series where Chad will discuss in great detail, why his team's work does not stop at the closing of the deal and the important things to do post-acquisition. For more information, please visit www.alliant.com.