Key Takeaways
- Cyber reps now routinely include compliance with laws, incident history, technical safeguards, vendor oversight, data inventory, and no-unauthorized-access confirmations. Each element carries distinct indemnity exposure and must be negotiated with specificity rather than bundled into a single omnibus representation.
- R&W insurers exclude pre-existing breaches, lack of MFA, unencrypted PHI, and ransomware events that are known or disclosed. Buyers who rely on R&W coverage for cyber risk without mapping the policy exclusions against diligence findings are carrying uninsured exposure they may not discover until a claim arises.
- Escrow sizing for elevated cyber exposure in middle-market transactions typically runs from 3% to 8% of purchase price as a separate fund, distinct from the general indemnity escrow, with a release schedule extended to align with regulatory enforcement timelines.
- Coordination between the target's cyber insurance policy, the R&W policy, and the contractual indemnity stack requires deliberate sequencing of who pays first, how subrogation rights interact, and whether the target's insurer can pursue the seller for pre-closing events after closing.
Cyber and data privacy representations were once a subordinate section of the general compliance representations in M&A purchase agreements, typically limited to a statement that the target had not experienced a material breach and was in compliance with applicable law. That drafting approach is no longer adequate. Regulators in the United States and Europe have materially expanded the scope of data privacy obligations over the past decade. The frequency and severity of data incidents have increased across all sectors. Courts have enlarged the class of plaintiffs who can bring viable claims arising from data events, and the damages exposure attached to those claims has grown correspondingly. Against that backdrop, buyers and their counsel have responded by demanding cyber and data privacy representations that are substantively detailed, independently scoped for indemnity purposes, and integrated with the R&W insurance program in a way that accounts for the coverage gaps insurers routinely impose on cyber risk.
This sub-article is part of the Cybersecurity and Data Breach Diligence in M&A: A Practical Playbook for Buyers and Sellers. It addresses the full arc of cyber and data privacy risk allocation in acquisition agreements: the substantive content of cyber representations covering compliance, incident history, safeguards, vendor oversight, data inventory, and unauthorized access; data privacy representations covering controller and processor roles, consent frameworks, data processing agreements, and cross-border transfer mechanisms; the application of materiality and knowledge qualifiers to each category; survival periods and whether cyber reps receive fundamental or general treatment; indemnity caps and baskets; escrow sizing when cyber exposure is elevated; R&W insurance scope and standard exclusions; disclosure schedule discipline for incidents and remediation; and the integration of the target's cyber insurance policy with the contractual indemnity and R&W insurance stack.
Acquisition Stars advises buyers and sellers in M&A transactions involving cyber-intensive businesses and data-rich targets. Nothing in this article constitutes legal advice for any specific transaction.
Why Cyber Reps Now Drive Independent Indemnity Terms
The shift from treating cyber as a subset of general compliance to treating it as an independently negotiated indemnity category reflects a convergence of legal, regulatory, and commercial developments that collectively raised the potential dollar exposure of a cyber breach beyond what a standard general indemnity framework was designed to accommodate.
On the regulatory side, the California Consumer Privacy Act and its successor statute, the California Privacy Rights Act, created a private right of action for data breach victims, replacing the prior model under which only regulators could enforce data protection rules. The Health Insurance Portability and Accountability Act enforcement environment has intensified, with the Office for Civil Rights pursuing civil monetary penalties in HIPAA breach cases at levels that can reach millions of dollars for covered entities with inadequate safeguards. State attorneys general across multiple jurisdictions have expanded their enforcement activity under state breach notification and data protection statutes. The Federal Trade Commission has pursued unfair or deceptive acts enforcement against companies whose data security practices fell below their public representations, including as part of post-acquisition integration failures.
On the transactional side, post-closing discovery of undisclosed breaches has generated substantial litigation, including cases in which buyers sought rescission or significant damages after discovering that pre-closing ransomware events, unauthorized access incidents, or regulatory investigations had been concealed from the diligence process. These disputes demonstrated that a general indemnity cap of 10% to 15% of purchase price was often insufficient to cover the actual remediation, notification, regulatory, and litigation costs arising from a significant pre-closing cyber event. The result is a drafting practice that now routinely positions cyber reps as a separate category with their own cap, basket, survival period, and escrow treatment, independent of the general business reps.
Core Cyber Representations Buyers Expect
A well-drafted set of core cyber representations covers six substantive areas, each of which addresses a distinct category of risk that diligence cannot fully resolve through document review alone.
Compliance with laws requires the seller to represent that the target has complied in all material respects with applicable cybersecurity laws, regulations, and industry standards, including sector-specific requirements such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act Safeguards Rule, and applicable state data security statutes. This rep should separately address compliance with contractual security obligations imposed by payment card industry standards or customer-specific security requirements in material contracts.
Incident history requires the seller to represent that the target has not experienced, and has not been notified of, any unauthorized access, data breach, ransomware event, or security incident during a defined lookback period (typically three to five years) that required notification to individuals or regulators, resulted in material business interruption, or caused material remediation expense. Sellers frequently attempt to qualify this rep with materiality thresholds; buyers should resist broad materiality qualifiers on the notification obligation specifically.
Safeguards requires the seller to represent that the target maintains commercially reasonable or industry-standard technical, physical, and administrative safeguards designed to protect the confidentiality, integrity, and availability of its information systems and the personal data stored or processed on them.
Vendor oversight requires the seller to confirm that the target has conducted appropriate due diligence on material vendors who process or have access to sensitive data, and has entered into contracts requiring those vendors to maintain adequate security and to notify the target of incidents.
Data inventory requires the seller to confirm that the target maintains a reasonably accurate record of the categories and locations of personal data it collects, processes, and stores.
No-unauthorized-access requires a representation, unqualified by materiality and at most qualified by the seller's knowledge, that no person has obtained unauthorized access to the target's systems or data during the lookback period.
Data Privacy Reps: Controllers, Processors, and Consents
Data privacy representations address the legal framework governing the target's collection and processing of personal data, distinct from the technical security safeguards addressed in the core cyber reps. The distinction matters because a target can have adequate security and still face significant liability for non-compliant data processing practices, particularly under GDPR, CCPA, CPRA, and the expanding set of state comprehensive privacy statutes.
The controller and processor rep requires the seller to confirm that the target has correctly identified its role as a controller, a processor, or a joint controller in each context in which it processes personal data, and that it has implemented the legal obligations applicable to that role under each applicable legal regime. This rep matters because misidentification of the processing role is a common compliance failure, particularly for companies that operate as both a controller of employee and prospect data and as a processor of client data.
The consent rep requires the seller to confirm that, where the target's processing of personal data relies on consent as the legal basis under GDPR or an opt-in requirement under applicable U.S. law, the target has obtained valid, documented consent from the relevant data subjects prior to processing, and that such consent was obtained in a manner consistent with applicable legal requirements. For email marketing and behavioral advertising, the consent rep should be extended to cover compliance with the CAN-SPAM Act, TCPA, and any applicable state-specific opt-in regimes.
Data processing agreement reps confirm that the target has executed compliant DPAs with all material vendors who process personal data on its behalf and with all clients on whose behalf the target processes personal data as a processor. Privacy notice reps confirm that the target's public-facing privacy disclosures accurately describe its data processing practices. Retention and deletion reps confirm that the target maintains and follows a data retention and deletion schedule consistent with applicable legal obligations.
Knowledge and Materiality Qualifiers
The application of knowledge and materiality qualifiers to cyber and data privacy reps is one of the more consequential negotiation points in any transaction where data risk is material. Sellers seek to qualify as many cyber reps as possible with both materiality and knowledge qualifiers, reducing their exposure to indemnity claims arising from incidents or compliance failures they did not subjectively know about and that did not individually rise to a materiality threshold. Buyers seek to limit or eliminate both types of qualifiers from the most critical reps.
Knowledge qualifiers in cyber reps are particularly consequential because cyber incidents are frequently not known to management at the time of signing. A threat actor who has maintained persistent access to a target's network for six months before signing has created a pre-closing breach that the seller's management may genuinely not know about. If the no-unauthorized-access rep is qualified by seller's knowledge, and the breach is discovered post-closing, the buyer may be unable to sustain an indemnity claim because the seller can truthfully assert that it had no knowledge of the access. Buyers should resist knowledge qualifiers on the no-unauthorized-access rep and should supplement the rep with a technical security assessment during diligence rather than relying on the rep as a substitute for direct verification.
Materiality qualifiers should be analyzed rep by rep rather than applied as a blanket modifier. The compliance-with-laws rep appropriately carries a materiality qualifier because technical or immaterial violations of broadly framed data protection statutes are not a meaningful risk driver. The incident history rep should carry a narrow materiality qualifier tied to the notification obligation (material enough to trigger notification) rather than a general materiality standard. The no-unauthorized-access rep should be unqualified or qualified only by knowledge, not by materiality, because even a small unauthorized access event can be the predicate for a regulatory investigation or class action.
The knowledge standard itself requires negotiation. Sellers prefer a narrow knowledge definition limited to actual knowledge of specifically identified officers. Buyers prefer a constructive knowledge standard that includes what the officer knew or reasonably should have known given the information available to the organization. In cyber contexts, a constructive knowledge standard is more protective for buyers because it encompasses information held in the target's security operations center, in vendor security reports, or in penetration test results that management received but may not have read carefully.
Survival: Standard Cap vs Fundamental Rep
Survival periods for cyber and data privacy reps determine how long after closing the buyer can assert an indemnity claim for a breach of the representation. The survival period is distinct from the statute of limitations that would govern a common law fraud or breach of contract claim, and the contractually specified survival period governs in most jurisdictions absent fraud.
General business reps in M&A purchase agreements typically survive for 12 to 24 months after closing. Cyber reps that are treated as general reps carry this same survival period, which creates a meaningful protection gap: regulatory investigations arising from pre-closing data practices may not be initiated until two to three years after the closing, and class actions predicated on pre-closing breaches can be filed well outside a 24-month survival window. Buyers who accept a standard 18-month survival on cyber reps may find their indemnity claim time-barred precisely when the regulatory or litigation exposure materializes.
When cyber reps are elevated to fundamental rep status, the survival period is typically the applicable statute of limitations (three to six years, depending on the jurisdiction and the nature of the claim) or is stated as unlimited. Unlimited survival is appropriate when the underlying exposure is a regulatory enforcement action with no fixed limitation period, or when the data at issue includes categories subject to ongoing obligation such as health information or financial account data.
A practical middle position available in many negotiations is a tiered survival structure under which the cyber reps survive for 36 to 48 months as a matter of contract (longer than general reps but shorter than fundamental reps), with the indemnity cap for cyber breaches set at a multiple of the general cap. This structure acknowledges that cyber reps occupy a risk category between ordinary business reps and true fundamental reps such as organization, authority, capitalization, and title to equity interests.
Indemnity Caps and Baskets for Cyber Exposure
Indemnity caps and baskets for cyber and data privacy rep breaches require negotiation as a unit because the interaction between the basket (the threshold below which indemnity claims are not payable) and the cap (the maximum aggregate indemnity obligation) determines the practical reach of the indemnity protection.
The general indemnity basket in middle-market transactions typically runs from 0.5% to 1.5% of purchase price, structured either as a deductible (only losses above the basket are payable) or as a tipping basket (once the basket is exceeded, all losses are payable from dollar one). For cyber reps treated as general reps, the basket structure is the same as for other business reps, which means small cyber incidents that individually fall below the basket threshold are not covered. Buyers seeking comprehensive cyber indemnity should negotiate either a separate lower basket for cyber claims or, where the risk profile justifies it, dollar-one indemnity for any breach of the cyber reps.
The general indemnity cap is typically 10% to 20% of purchase price for general reps, subject to a separate higher cap (often 100% of purchase price) for fundamental reps, fraud, and intentional misrepresentation. Cyber reps treated as general reps sit within the general cap, which may be inadequate if a significant pre-closing breach results in regulatory fines, class action settlement costs, and remediation expenses that together exceed the cap. Buyers should seek a separate cyber-specific cap that is a multiple of the general cap (typically two to three times) when the diligence record suggests material cyber risk that does not rise to the level of a known incident but creates credible exposure above the general cap.
When cyber reps are treated as fundamental reps, the general cap does not apply. The indemnity obligation for breach of a fundamental cyber rep is subject either to the purchase price as a ceiling or to the statutory or common law limitations on contract damages, depending on negotiation. Sellers almost always resist uncapped fundamental treatment for cyber reps and will accept it only when the diligence record reveals a specific known risk that cannot be adequately addressed through a purchase price adjustment or escrow.
Escrow Sizing When Cyber Is Elevated
Escrow accounts in M&A transactions serve as a funded mechanism to satisfy indemnity claims without requiring the buyer to pursue the seller through litigation. In transactions where cyber exposure is elevated, a cyber-specific escrow, separate from the general indemnity escrow, is a negotiating tool that gives the buyer a funded remedy while limiting the seller's post-closing administrative burden.
General indemnity escrows in middle-market transactions typically represent 5% to 15% of purchase price, held for 12 to 18 months. A cyber-specific escrow is sized based on the estimated worst-case regulatory exposure (fines, penalties, and notification costs for a plausible breach of the scale suggested by the target's data footprint) plus a reserve for class action defense and settlement costs, discounted by the probability of occurrence and adjusted for the coverage available under the R&W policy after its cyber exclusions are applied.
Practical escrow sizing benchmarks for elevated cyber exposure in middle-market transactions run from 3% to 8% of purchase price as a separate fund. At the lower end of the range, the escrow addresses a moderate breach affecting a contained data set in a sector with modest regulatory enforcement history. At the upper end, the escrow addresses a business with a large database of sensitive health, financial, or payment card data in a sector with active regulatory enforcement, where the R&W policy excludes most cyber losses and the diligence record includes evidence of prior incidents or inadequate controls.
The release schedule for a cyber-specific escrow is typically extended beyond the general escrow release date to align with the regulatory enforcement timeline. If the applicable statute of limitations for a state attorney general enforcement action is four years, and the cyber rep survival period is four years, the escrow should be held for a commensurate period rather than released at 18 months. Sellers resist extended escrow holds because they affect the economics of the transaction, and the negotiation typically results in a staged release that returns a portion of the escrow at the standard release date and holds the remainder for the extended period.
R&W Insurance: What Gets Covered
Representations and warranties insurance has become a standard feature of middle-market and large M&A transactions, and in many deals the R&W policy has replaced seller-funded indemnity as the primary recovery mechanism for breaches of general reps. The interaction between R&W coverage and cyber rep indemnity is one of the more technically complex aspects of modern deal structuring.
A buy-side R&W policy covers losses arising from an inaccuracy in the target's representations as of the signing date, subject to the policy's retention (the buyer's equivalent of a deductible), the policy limit, and the policy's exclusions. For cyber reps, the basic coverage framework insures the buyer against losses arising from the seller's breach of a cyber rep where the underlying condition (the breach, the compliance failure, or the inaccurate safeguard description) was not known to the buyer or the seller at the time of signing and was not otherwise excluded from coverage.
Coverage for cyber reps that are characterized as general reps is subject to the same policy limit and retention as other general rep coverage. Coverage for cyber reps elevated to fundamental status may receive a separate limit or be excluded from the policy entirely, because fundamental reps carry uncapped or high-cap indemnity exposure that insurers are often unwilling to underwrite at standard premium rates.
Insurers increasingly offer cyber-specific endorsements or sublimits within the R&W policy to address the gap between the general policy coverage and the excluded cyber risks. These endorsements typically cover a narrow category of losses (for example, losses arising from a pre-closing data breach that was not disclosed and was not excluded under the standard known loss exclusion) subject to a sublimit that is a fraction of the main policy limit. The endorsement premium is separate from the base policy premium and reflects the insurer's specific assessment of the cyber risk presented by the target's profile.
Common R&W Exclusions: MFA, Ransomware, Known Breach
R&W insurers apply a set of standard cyber-specific exclusions that limit or eliminate coverage for losses arising from the categories of risk that insurers have identified as too frequent, too predictable, or too directly tied to known conditions to be appropriately covered under a representations and warranties policy.
The most common standard exclusion in current R&W policies is the exclusion for losses arising from cyber incidents where the incident was enabled by the target's failure to implement multi-factor authentication on systems or accounts that a reasonable security program would have protected. The MFA exclusion reflects the insurer's view that MFA is now a baseline control requirement rather than an optional security enhancement, and that losses resulting from its absence are not insurable because the risk was knowable and correctable at the time the policy was bound. Insurers apply this exclusion after reviewing the target's MFA deployment status in the underwriting process.
The ransomware exclusion covers losses arising from ransomware events that were disclosed in the disclosure schedule, that were known to management at signing, or that arose from a condition (such as unpatched systems or inadequate endpoint detection) that was identified in a pre-signing security assessment and not remediated. Insurers who discover post-signing that a ransomware event occurred pre-signing but was not disclosed will deny coverage under the known loss exclusion and may also assert the seller's deliberate concealment as a basis for rescission of the policy.
Unencrypted protected health information is a common exclusion in transactions involving healthcare targets, reflecting the HIPAA Security Rule's encryption-related requirements and the elevated regulatory exposure associated with PHI breaches. Pre-existing breach exclusions cover any unauthorized access or data exfiltration that occurred before the policy inception date, regardless of whether the breach was known to the seller. Buyers who discover post-closing that a pre-closing breach occurred must pursue the seller directly under the purchase agreement indemnity rather than seeking recovery under the R&W policy.
Disclosure Schedule Discipline for Incidents and Remediation
The disclosure schedule to the purchase agreement is the formal mechanism by which sellers qualify their representations by disclosing exceptions to the matters covered by each rep. For cyber and data privacy reps, the disclosure schedule is simultaneously a legal risk-shifting tool and a document that must be prepared with precision because its contents determine what the seller has disclosed and therefore what is excluded from indemnity and R&W coverage.
Incident disclosures should describe each prior security incident with enough specificity to allow the buyer to assess the scope of the underlying condition and the adequacy of the remediation. A disclosure that says "the company experienced a phishing incident in 2024 that was remediated" is insufficient. An adequate disclosure identifies the date of discovery, the vector of access, the systems or data affected, the scope of the exposure, the regulatory notifications made (if any), the remediation steps taken and completed, the status of any regulatory inquiry arising from the incident, and any litigation or claims asserted by individuals whose data was affected. Each element of this description bears on the buyer's ability to assess residual exposure.
Remediation disclosures require the same level of specificity. If the seller discloses that a prior vulnerability was identified and remediated, the disclosure should identify the specific vulnerability, the systems affected, the remediation method applied, the date of completion, and any post-remediation testing that confirmed the effectiveness of the remediation. Incomplete remediation disclosures create disputes over whether a disclosed condition was adequately addressed and whether any post-closing incident arising from the same underlying vulnerability is covered by the disclosed exception or gives rise to a new indemnity claim.
The disclosure schedule preparation process should include a review by the target's CISO or equivalent technical officer, not just its legal team, because legal counsel reviewing contracts and regulatory correspondence alone will miss technical conditions that are known to the security team but not documented in legal records. Sellers whose disclosure schedules are prepared without technical input create risk of inadvertent misrepresentation when the technical record differs from what the legal record shows.
Coordinating Cyber Insurance with the Indemnity Stack
A target that carries its own cyber liability insurance policy at the time of closing presents a coordination issue that the purchase agreement must address. The target's cyber policy, the R&W policy, and the contractual indemnity obligation are three overlapping but distinct recovery mechanisms, and the interaction among them determines which party bears the economic loss from a pre-closing cyber event discovered post-closing.
The target's cyber insurance policy typically covers the post-closing entity for losses arising from incidents that began or were discovered during the policy period. If a pre-closing breach is discovered post-closing during the policy period, the target's insurer may provide coverage under its first-party breach response provisions for notification, forensic investigation, and credit monitoring costs. Whether this coverage reduces the seller's indemnity obligation depends on how the purchase agreement's indemnity provisions address recoveries from third parties: most purchase agreements require the indemnified party to apply insurance recoveries against indemnifiable losses before calculating the net indemnity claim.
The R&W policy's interaction with the target's cyber policy requires careful drafting because both policies may cover the same loss through different mechanisms. The R&W policy insures the buyer against losses arising from the seller's misrepresentation. The target's cyber policy insures the target against breach response and liability costs. To the extent both policies respond to the same event, the policies' other-insurance and subrogation provisions determine the priority of recovery.
Subrogation rights deserve specific attention. If the target's cyber insurer pays a post-closing claim for a pre-closing breach and then seeks subrogation against the seller, the seller's indemnity obligation under the purchase agreement and the R&W policy may be implicated simultaneously. Purchase agreements should address subrogation rights by specifying whether the target's insurer is subrogated to the buyer's indemnity rights against the seller, whether the seller retains the right to control the defense of claims that may give rise to indemnity obligations, and whether the buyer's recovery from the target's cyber insurer offsets the buyer's claim against the seller or the R&W policy.
Public-to-Public vs PE Buyer Drafting Differences
The structure and emphasis of cyber and data privacy rep negotiation differs meaningfully between public-to-public acquisitions and transactions in which a private equity sponsor is the buyer, reflecting differences in deal economics, regulatory exposure, post-closing integration objectives, and governance structure.
In public-to-public transactions, the buyer's indemnity recovery is structurally limited because the target's shareholders receive merger consideration at closing and the target no longer exists as a separate entity post-closing. The indemnity obligation runs from the target's former shareholders (or, in a merger, from a post-closing indemnity fund established from a portion of the merger consideration), and enforcing an indemnity claim requires either a specific escrow or a claim against a large and dispersed group of former shareholders. R&W insurance is the dominant recovery mechanism in public-to-public transactions, and the negotiation of cyber reps is shaped primarily by the scope of the R&W policy the buyer can obtain. Sellers in public-to-public deals are less willing to accept specific cyber escrows because the mechanics of distributing merger consideration to shareholders make withholding a portion for a specific escrow administratively and legally complex.
In PE buyer transactions, the seller is typically a founder, an operator, or an existing PE sponsor who remains identifiable and solvent post-closing, making direct indemnity recovery more feasible. PE buyers are more likely to negotiate specific cyber escrows, cyber-specific indemnity caps that exceed the general cap, and longer survival periods for cyber reps, because the seller's ability to fund an indemnity obligation is credible and the negotiation is between sophisticated counterparties with aligned incentives to reach a commercially viable risk allocation.
PE buyers who acquire cyber-intensive businesses also typically conduct a more intensive technical diligence process than strategic buyers in public-to-public transactions, because the PE model depends on value creation post-closing and a discovered pre-closing breach that disrupts operations or triggers regulatory enforcement can materially impair the investment thesis. The technical diligence investment in PE transactions generates a more detailed disclosure schedule, a more specifically qualified set of cyber reps, and a more precisely sized cyber escrow than the compressed diligence timelines characteristic of many public-to-public deals.
Frequently Asked Questions
When is a cyber rep treated as a fundamental representation rather than a general business rep?
A cyber rep is elevated to fundamental status when the target's business is materially dependent on its data assets or on uninterrupted digital operations, when the diligence process reveals that prior incidents were not disclosed or were inadequately remediated, or when the buyer's risk profile or lender requirements demand unlimited or uncapped indemnity exposure on cyber. Healthcare, financial services, and SaaS targets are candidates for fundamental treatment. Fundamental cyber reps survive indefinitely or for the applicable statute of limitations, are not subject to the general indemnity cap (or carry a separate higher cap), and often sit outside the basket structure so that dollar-one indemnity applies. The decision to push for fundamental treatment is negotiated based on the specific cyber profile revealed in diligence, not as a default drafting position.
What is the typical indemnity cap range when cyber is treated as a fundamental rep?
When a cyber rep is negotiated as a fundamental representation, the indemnity exposure for breach of that rep typically ranges from 100% of the purchase price to uncapped, depending on the severity of the risk profile revealed in diligence. In middle-market transactions, a common compromise positions the cyber fundamental cap at two to three times the general indemnity cap, which itself is often 10% to 20% of purchase price, resulting in a cyber cap of 20% to 60% of purchase price. In transactions where a specific known risk or undisclosed incident is identified in diligence, buyers sometimes negotiate a cyber-specific escrow funded at a dollar amount tied to the estimated remediation or regulatory exposure, with the escrow sitting outside the general cap entirely. The precise range is always fact-specific and turns on the nature of the data, the regulatory environment, and what diligence uncovered.
How do R&W insurers handle MFA-related exclusions?
R&W insurers commonly exclude losses arising from the target's failure to implement multi-factor authentication on systems that process, store, or transmit sensitive personal data or financial information. The exclusion is typically framed as a specific exception to coverage for cyber losses where the underlying breach was enabled or materially facilitated by the absence of MFA on accounts that a reasonable security program would have protected with MFA. Insurers may conduct a pre-binding cyber assessment (a lightweight questionnaire or a full technical scan) to assess MFA deployment, and targets with incomplete MFA deployment on privileged accounts, email, VPN, or cloud consoles face either a broader exclusion or a higher retention. Buyers negotiating R&W coverage for a target with MFA gaps should expect the insurer to condition coverage on post-closing remediation as a warranty rather than accepting the gap as a disclosed but covered risk.
What ransomware events must be disclosed in the seller disclosure schedule?
Sellers should disclose all ransomware events that occurred during the lookback period covered by the cyber reps, which typically runs three to five years prior to closing. Disclosable events include any encryption of systems or data by ransomware, whether or not a ransom was paid, any extortion demand even if resolved without encryption, any data exfiltration by a threat actor who deployed or threatened to deploy ransomware, and any regulatory notification triggered by a ransomware event. Sellers sometimes attempt to limit disclosure to events that resulted in material business interruption or that exceeded a dollar threshold in remediation costs. Buyers should resist these limitations and instead insist on disclosure of all events, with a separate column in the schedule describing the remediation taken and the current status. Undisclosed ransomware events are a primary driver of post-closing indemnity disputes in healthcare and manufacturing sector acquisitions.
What is the scope of R&W insurance coverage for known breaches?
R&W insurance does not cover losses arising from breaches or incidents that were known to the seller as of the signing date, because R&W coverage is designed to protect against unknown or misrepresented conditions rather than disclosed risks. If a breach is disclosed in the disclosure schedule, it is excluded from R&W coverage by the known-loss exclusion, and the buyer must negotiate a specific indemnity or a purchase price reduction to address that risk. If a breach was not disclosed but was known to one or more members of the seller's management at the time of signing, the insurer can deny coverage under the seller fraud or willful misrepresentation exclusion. Buyers who discover post-closing that a breach was known pre-signing but not disclosed can seek recovery from the seller directly under the indemnity provisions, but the claim falls outside the R&W policy, eliminating the insurer as a recovery source and leaving the buyer dependent on the seller's solvency.
How should a data processing agreement rep be formulated in an M&A purchase agreement?
A DPA rep should confirm three things: first, that the target has executed data processing agreements with all third-party vendors who process personal data on the target's behalf, and that those agreements meet the requirements imposed by applicable law (GDPR Article 28, CCPA service provider contract requirements, or equivalent); second, that the target has complied in all material respects with its obligations as a data processor when processing data on behalf of its own clients, and has executed compliant DPAs with all clients who requested them; and third, that no vendor or client has notified the target of a breach of the DPA or of a regulatory inquiry arising from the target's data processing activities. The rep should include appropriate knowledge and materiality qualifiers on the compliance obligation, but the existence of DPAs with material vendors and clients should be unqualified.
How are cross-border data transfer reps typically drafted?
Cross-border transfer reps confirm that any transfer of personal data from the European Economic Area, the United Kingdom, or Switzerland to a third country (including the United States) has been made pursuant to a valid transfer mechanism recognized under applicable data protection law. For GDPR-regulated transfers, this means reliance on adequacy decisions, Standard Contractual Clauses (SCCs) as updated in June 2021, Binding Corporate Rules, or the EU-U.S. Data Privacy Framework where applicable. The rep should also confirm that the target has conducted and documented transfer impact assessments (TIAs) where required by applicable supervisory authority guidance, and that no supervisory authority has issued an order or informal guidance challenging the target's transfer mechanisms. Sellers should disclose any transfer mechanisms that lapsed or were not updated following the Schrems II decision and confirm that replacement mechanisms are in place.
What are current escrow size benchmarks when cyber exposure is elevated?
When cyber exposure is elevated based on diligence findings, escrow sizing for cyber-specific risk typically ranges from 3% to 8% of purchase price in middle-market transactions, separate from the general indemnity escrow. The precise size depends on three inputs: the estimated cost of the worst-case regulatory penalty or class action exposure based on the number and sensitivity of records at risk, the estimated cost of breach notification and remediation for a plausible incident, and the extent to which R&W insurance covers the residual exposure after the insurer's cyber exclusions are applied. Buyers in regulated industries (healthcare, financial services) or transactions involving large databases of sensitive personal information typically negotiate at the higher end of this range and sometimes supplement the escrow with a specific indemnity for identified risks that falls outside the general cap. The escrow release schedule may also be extended for cyber-specific escrow beyond the standard 12 to 18 months to align with the statute of limitations for regulatory enforcement.
Counsel for Cyber and Data Privacy Risk Allocation in M&A
Acquisition Stars advises buyers and sellers on the drafting and negotiation of cyber and data privacy representations, indemnity structures, escrow mechanics, and R&W insurance coordination in M&A transactions.
Our attorneys handle M&A transactions and securities matters nationwide. Alex Lubyansky leads every engagement personally.