Digitalisation has helped businesses across the globe streamline processes and spur innovation. However, it has also created a conduit for cyberattacks – an increasingly costly foe. In fact, between 2020 and 2022, the average cost of a data breach increased by over 12 percent, from $3.86 million to $4.35 million. In the US, the costs are even higher, averaging $9.44 million.
As bad actors get more sophisticated and financial implications increase, it’s critical for stakeholders to consider potential effects on their investments.
In the private debt market, it’s even more important to consider these impacts given the material costs associated with a data breach. A primary concern for lenders is that a borrower will expend capital addressing such liabilities that could otherwise be used to service their debt and/or grow the enterprise. A diversion of funds and increased liabilities on the balance sheet of a borrower could result in financial covenant defaults under a company’s credit documents, creating risk of another type.
How can lenders evaluate their investments and protect themselves should a portfolio company be compromised?
A company’s cybersecurity programme, including written policies and procedures, is critical for effective breach response. Lenders must know how to assess the strength of these programmes as a diligence matter. An adequate programme should include a cyber risk assessment and a cyber-incident response plan. While there will be common elements among different organisations, there is no replacement for a programme which is tailored to the company’s business with effective training for employees.
Cyber risk assessments
A cyber risk assessment is an ongoing process that continually reassesses the changing regulatory landscape and technological advances. Assessments should occur at regular intervals and be incorporated into the company’s written policies. Assessments should identify the information/data that is most sensitive to the company, including information about finances and personally identifying information (PII). PII includes individuals’ names, addresses, social security numbers and other sensitive information. The assessment should review the cyber risk protocols of vendors who have access to company data. The US Securities and Exchange Commission is especially focused on third-party service providers that have custody of, or access to, PII. Regular third-party audits of information systems have become standard for businesses handling PII.
Cyber-incident response plan
A company’s cyber-incident response plan (CIRP) should identify the officer tasked with leading response efforts, including coordinating mitigation efforts, remediation actions and law enforcement communications. That officer will be the main point of contact for senior management and outside counsel, who can act quickly if a breach does occur, coordinate decision making with senior management and other professionals (such as forensic and IT professionals), and work to protect information through the assertion of privilege. When creating a CIRP, a company must evaluate the need to communicate with investors, lenders or customers in the event of a breach. Certain organisations even retain a PR consultant for brand protection.
If a borrower has been subject to a cybersecurity incident, lenders must understand what steps are necessary to protect their investment while considering the dynamic of their relationship with their borrower.
Notification requirements and events of default
Loan agreements typically require borrowers to notify lenders of certain material events, such as litigation or a labour dispute. Unless data security was an issue identified during the diligence phase preceding funding of the loan, often there will be no explicit requirement to notify lenders of a cyber-incident.
In some cases, borrowers must notify lenders of an event that would reasonably be expected to result in a material adverse effect. Case law discussing what constitutes a material adverse effect is fact-specific and usually sets a high bar for lenders. While a breach could have a material adverse effect, the burden will be on the lender to show that such a standard is met. Ultimately, it is unlikely that a lender will feel confident in claiming that a cybersecurity incident has had a material adverse effect on a borrower’s business, and even where it is clear, the company will likely be in such dire straits that there will be separate contractual breaches to address.
Where there is no specific notice requirement, the lender may be able to rely on public filings and investor portals to stay in the loop. For example, public companies must file an 8-K when an unscheduled material event occurs. New Item 1.05 of Form 8-K will require SEC-reporting companies to disclose a material cybersecurity incident within four business days of determining that the incident is material. Private companies may be subject to the Cyber Incident Reporting for Critical Infrastructure Act if they operate in one of the critical infrastructure sectors enumerated by that law, such as energy, financial services, healthcare, water, and food and agriculture. Lenders could consider adding these reporting requirements to their loan agreements depending on the borrower’s industry and vulnerability.
Typically, a loan agreement’s provisions will not specifically cover a data breach as an express event of default unless a borrower fails to comply with a notice requirement or the underlying event clearly results in a material adverse effect on the business. In some instances, even a material adverse effect will not trigger an event of default but instead will shut off the borrower’s access to any remaining unfunded lender commitments (eg, pursuant to a revolving line of credit), typically subject to a material adverse effect standard.
Most lenders will request information about the scope of the breach and the types of information disclosed. This, and the circumstances surrounding the breach, will determine whether the associated liability is covered by insurance or will be borne by the borrower. Most loan agreements will require that a borrower maintain insurance reasonably equivalent to that of similarly situated businesses in the same industry. Unless the company is in an industry prone to data breaches, it may not have a cyber insurance policy.
However, maintaining a cyber insurance policy has become more standard for companies interacting with PII or transacting on the internet. Policies vary greatly. Losses following a breach could include: lawsuits from affected individuals; regulator fines; breach of contract claims; notification costs; payment of ransoms; damage to equipment; system downtime losses; system repair costs; and costs of third-party consultants, technicians and counsel.
During diligence, lenders must determine which types of losses a borrower may be likely to face and ensure that such losses are covered by insurance. Following a breach, a review of a borrower’s cyber-insurance policy should be performed to ensure the borrower’s response is compliant with the policy.
Given the material costs and reputational harm associated with a data breach, lenders should remain vigilant for potential cybersecurity-related pitfalls in credit documents. Understanding how to assess companies’ vulnerabilities and how to address them during diligence and documentation will help lenders maintain a constructive partnership with borrowers during an incident and arm lenders with the knowledge necessary for a fulsome underwriting process.
Bharat Moudgil and Vincent Tennant also contributed to this article