Cyber insurance is increasingly common in M&A deals, but it's not a substitute for security due diligence. Understanding the interplay is essential.
What Cyber Insurance Covers
- First-party breach costs (forensics, notification, credit monitoring)
- Business interruption losses
- Ransomware payments (increasingly excluded or limited)
- Third-party liability
- Regulatory fines (where insurable)
What It Doesn't Cover
- Reputational damage
- Loss of competitive advantage
- Future security improvements
- Known vulnerabilities at policy inception
- Acts of war or nation-state attacks (often excluded)
TDD and Insurance Interaction
Pre-Acquisition
- Security posture affects insurability and premiums
- TDD findings may reveal coverage gaps
- Policy change of control provisions
Post-Acquisition
- Policy transfer or new coverage needed
- Security improvements may reduce premiums
- Warranty and indemnity insurance considerations
Due Diligence Questions
- Current cyber insurance coverage and limits?
- Claims history?
- Policy exclusions relevant to the business?
- Change of control provisions?
- Security requirements for coverage?
Key Takeaway: Cyber insurance transfers some financial risk but doesn't eliminate security risk. TDD identifies issues that insurance won't cover or may exclude.
