Buyer Beware: A Case Study on What your Rep & Warranty Policy Won’t Cover
Following the recent M&A conference I attended, I’ve spoken with several underwriters and claims adjusters about a scenario I envision where IP is at the core of a claims issue that is not likely to be covered. Not only is it not covered by the R&W insurance, the loss likely will not find a home anywhere else!
As chance would have it, one senior claims adjuster was dealing with the exact scenario. I had one of them send me some Deal documents (just the R&W section, without client names to protect confidentiality) and two versions of a “typical” R&W policy as well. Since this is not my area of expertise but “gap hunting” is (as a Cyber, Media, and Tech specialist), I needed to do some homework.
Suspicions confirmed, the scenario goes like this:
A. Buyer is purchasing a company largely for its IP, some patents but mostly Trade Secret Assets (TSAs). The deal is approximately $10M (could be much bigger, obviously).
B. The Buyer purchases a typical R&W policy, which triggers off of a Breach (of Rep or Warranty). *Unrelated aside; this is very confusing because in Cyber we speak about Breach as a trigger for coverage all the time too; but it’s a “security breach” or “privacy breach”…too many breaches for me to keep straight…
C. In the transaction documents, the Seller represents, as typical, that they (paraphrasing):
1. own the IP they are bringing to the table,
2. as far as the Specified Persons (CEO, CFO, GC) are concerned, they do not have Actual Knowledge of any theft or misappropriation of any IP. The deal document then goes much further and says Seller does not know of any third-party custodians of those TSAs (who have been granted legal access) that may have disclosed or otherwise hindered or negated their value, AND they also do not know of anything that would prevent the recovery of those assets (this is quite a statement to live up to), and
3. are using:
i. “industry standards” and regulatory requirements to protect their data generally (they have a SAS 70 II, do penetration testing every year, and fix all known security vulnerabilities… again, this is a standard no one should actually agree to; it is not possible), and
ii. “Reasonable efforts” to protect Trade Secret Assets (TSAs).
D. The deal goes through, and months later (as is very typical in a cyber event), they discover that the Seller had a “security breach” involving the theft of a lot of data, including both PII (a “privacy breach” LOL) and what they believed to be TSAs.
E. The Buyer now sees the deal as far less valuable because the IP (the main reason they bought the company) has been compromised. Buyer wants to collect under the R&W policy.
F. The R&W market DENIED the claim because there was no Breach of an R or W – the Seller did have “standard” procedures in place, but the theft happened anyway.
G. To make matters worse, the Seller was not able to demonstrate that they were making “reasonable efforts” to protect the R&D they considered TSAs; therefore, they could not get a TRO or seek damages for the TSAs. (Full disclosure: I made this part up, but only because it is almost certainly true. Most companies do not keep adequate evidence of their trade secret protection because they don’t even determine up front what and where their trade secrets are, much less what they are worth.)
To placate the client, the carrier is going to pay $1M (or $2M) of the loss.
If the Buyer did continue the Seller’s cyber insurance policy which had, say, a $2M limit, it may respond to the “breach response” (that word again) and other costs associated with the PII, but it will NOT cover the value of the TSAs. They never do.
The Buyer has no other recourse! Incidentally, if I were the Buyer, I would be arguing there IS a Breach of Rep because the Seller did not have a mechanism in place to detect theft of IP assets and/or a process in place to recover them or seek Damages on the back end. In other words, it is a gray area that could end up in litigation itself.
In summary, I could see this happening on a regular basis, as the average time to discover a cyber breach is 225 days or something like that (depends on whose report you read). Perhaps more important than the fact that the R&W policy won’t pay is the fact that their IP is impaired now and no longer has any value as a Trade Secret. The TSARM process we’ve created (www.tradesecretinsurance.com), with the Crown Jewel Insurance policy at the center of it, would have mitigated or even prevented this entire thing. Blockchain evidence of what the TSAs are and how they are protected (metadata only), plus dark web monitoring and an up-front security assessment specifically looking for “chatter” about the Seller’s trade secrets, etc., would have given ample evidence of “reasonable efforts” and would have allowed for much quicker knowledge of the security breach. That, in turn, may have led to an ex parte seizure or at least Damages on the back end. In the meantime, the Buyer would have been paid the Fair Market Value of the scheduled TSAs.
This has big implications for IP-heavy M&A deals; but also in the above scenario, the Buyer should want to have Crown Jewel Protector in place on a continuous basis because the hack could have easily both occurred and been discovered post-close. Therefore, this process is equally applicable OUTSIDE of the Transaction environment for any company that has a heavy IP portfolio.
To learn more about Crown Jewel® Protector, email us at info@crownjewelinsurance.com.