Representations and warranties insurance (“RWI”) is a common feature of private M&A transactions, aligning the interests of seller and buyer by transferring the risk of a breach of the representations given by the seller in the underlying purchase agreement to an independent, creditworthy insurer. Before “stepping into the shoes of the seller” and issuing a policy to the buyer, the RWI insurer must underwrite several risks, including the seller’s failure to disclose known matters addressed by the representations given in the underlying purchase agreement.
A central pillar of the RWI underwriting process is that parties negotiate at arms’ length, with a seller engaging in a robust disclosure process to ensure known matters are disclosed pursuant to schedules included in the transaction documents. To encourage a thorough “scheduling” process, RWI insurers have historically required sellers to remain liable for a portion of potential losses. A high proportion of transactions are now structured to eliminate the seller’s liability, with such transactions being commonly referred to as “no indemnity” or “public-style” deals. In order to incentivize robust seller disclosure, RWI insurers preserve their right to pursue sellers in the event of seller fraud.
This article explores the rights available to an insurer to mitigate the risk of inadequate disclosure, and those available to a seller to limit the scope of recourse available to a buyer and/or RWI insurer in a transaction.
Representations, Disclosure and Moral Hazard
The primary purpose of a buyer demanding representations in the underlying agreement is to elicit disclosure from a seller. The information obtained from the disclosure exercise enables a buyer to determine the appropriate purchase price. In this way the representations and disclosure act as a “pre-signing” price adjustment mechanism. The secondary purpose of representations is to act as a “post-signing” price adjustment mechanism, allowing a buyer to recoup any overpayments. When a seller is liable for a breach of the representations, there is a clear incentive to fully disclose known matters, as doing so avoids a post-closing claim against the seller. However, in an RWI-backed deal, the seller has limited or no liability which, prima facie, removes the incentive to disclose; indeed, if an insurer bears the risk of a post-closing claim, the seller is incentivized to limit disclosure in order to achieve a higher upfront price. How do insurers control for this “moral hazard”?
“Moral hazard” is the tendency to increase exposure to risk when the consequences of the risk are borne by a third party (e.g., insurer). As the policyholder, a buyer is a party to the RWI insurance contract, and the RWI insurer can control for the buyer’s moral hazard directly. Matters within its knowledge are carved out of coverage through a “no claims declaration” and corresponding exclusion. The no claims declaration operates as an anti-sandbagging provision, precluding a buyer from making a claim for matters of which it had prior actual knowledge.
Of greater importance to an RWI insurer is mitigating the moral hazard risk of a seller not scheduling known matters. As the seller is not a party to the insurance contract, an insurer has no direct means of controlling seller behavior. The insurer must therefore seek to influence the behavior of the seller indirectly – via the rights of a buyer through the doctrine of subrogation.
The principle of subrogation enables an insurer to attempt to recoup its loss once it has paid the insured under the policy. After payment, the insurer can “step into the shoes” of the insured and proceed against any third party responsible for causing loss. This can be any claim that the insured may have against a third party, including contract, tort or statutory claims. Although an insurance policy will typically contain express subrogation provisions, the rights of subrogation will generally apply even if not stipulated in the policy wording. It is important to understand that an insurer’s right of subrogation derives from the rights of the insured. In the context of RWI, this is the right of a buyer against the seller within the underlying purchase agreement.
Why “fraud” matters
An important mechanism for an RWI insurer to incentivize thorough seller disclosure is to retain the right to recoup from a seller any money paid to the buyer as a result of “fraud.”
As explained below, “fraud” has many interpretations, and it is therefore imperative for a seller to define it appropriately. Undefined or poorly drafted fraud carve-outs in the purchase agreement might expose a seller to unintended claims, e.g., fraud of the management team of which a private equity sponsor had no knowledge. “Fraud carve-out” clauses are frequently included within the “limitation provisions” of the purchase agreement, delineating the instances in which a breaching party will be unable to “shield” itself behind the carefully negotiated limitation (e.g., caps, survival periods).
Two Delaware Court of Chancery cases, ABRY Partners v. F&W Acquisition LLC (“ABRY”) and EMSI Acquisition, Inc. v. Contrarian Funds, LLC. (“EMSI”), demonstrate the importance of carefully drafting limitation provisions and associated fraud carve-outs. While ABRY demonstrates that even a well-crafted limitation provision will not shield a seller from its own intentional fraud with respect to express representations and warranties in a transaction document, EMSI highlights the perils of imprecise drafting in exposing the seller to others’ fraud.
In ABRY, the purchase agreement contained a limitation provision capping the seller’s liability at a defined amount with no fraud carve-out. Citing public policy, the court found that, notwithstanding the limitation cap in the agreement, the seller was unable to shield itself from a claim by the buyer in respect of its own intentional fraud that contradicted the express representations and warranties given by it in the agreement.
EMSI highlights the dangers of “inelegant” drafting and the potential for fraud to be imputed on all sellers as a result. In EMSI, the purchase agreement included a fraud carve-out provision that included “any action or claim based upon fraud.” At the pleading stage, the court ruled that such broad language could be interpreted to permit recovery against all sellers, even if those sellers had no knowledge of the fraud and/or were not responsible for the management of the business. Thus, the defendants’ motion to dismiss was not granted. This position highlights the need for sellers to explicitly limit the fraud carve-out as desired.
As a matter of law, the absence of a clearly defined fraud carve-out could result in an extensive scope of possible recourse against a seller, as “undefined fraud is an ‘elusive and shadowy term,’ which may not be limited to deliberate lying despite that common notion.” More specifically, fraud has many meanings, including “common law fraud” (which includes recklessness), “equitable fraud,” “promissory fraud” and “unfair dealings fraud.” Therefore, the possible interpretations of fraud by courts extend beyond “lies” of a seller.
Notably, ABRY ruled with respect to the express representations and warranties set forth in the purchase agreement that “when a seller lies — public policy will not permit a contractual provision to limit the remedy of the buyer to a capped damage claim.” Consistent with ABRY, RWI insurers are primarily concerned with sellers who knowingly make false representations. Therefore, based on ABRY, practitioners representing sellers should seek to limit the definition of “fraud” to a seller’s actual (not constructive) knowledge of the inaccurate representation expressly given in a purchase agreement, made with intent to induce the other party to rely on the misrepresentation. Defining fraud in such a way avoids future claims by buyers/insurers premised on (i) alleged “reckless” or “equitable fraud”; (ii) alleged fraud based on extra-contractual statements (e.g., statements made in meetings but not enshrined as representations in the contract); or (iii) alleged fraud committed by third parties such as management.
As noted above, the subrogation rights of an RWI insurer against a seller derive from those rights of a buyer against the seller. An understanding of an insurer’s subrogation rights therefore requires an examination of a buyer’s rights against the seller. While there are numerous “limitation provisions” in agreements that limit a buyer’s rights against a seller, the principle clauses are the “non-reliance,” “exclusive remedy” and “indemnification and limitation” clauses. Additionally, in an RWI deal, a seller will often require that the agreement contains a “subrogation waiver” clause to limit any claims the insurer, through subrogation, may have against the seller.
Examining each provision in turn:
Through a non-reliance clause, a seller disclaims liability for all representations other than those contained in the agreement; that is, a buyer is unable to make a claim for statements made in management presentations, data rooms, Q&A trackers and other deal documents. This limits a buyer’s rights to the four corners of the agreement. Given the wide scope of potential statements that may be made by the various parties on an M&A transaction (management, advisors, consultants), buyers typically accept that there should be no fraud carve-out to the non-reliance clause, regardless of whether RWI is used on the deal.
Through an exclusive remedy clause, a buyer’s claims (contract and tort) against a seller for a breach of the representations are limited solely to: (i) the indemnification clause and RWI policy on seller indemnity deals; or (ii) the RWI policy for “no indemnity” or “public-style” deals. It is common for buyers to insist on a fraud carve-out to the exclusive remedy provision. This is often accepted by sellers, but only if fraud is appropriately defined.
Through an indemnification and limitation clause, a seller will indemnify a buyer for a breach of the representations, subject to predetermined monetary caps and survival periods. On an RWI-backed deal with limited seller indemnity rights, the representations will typically survive for 12-18 months and be capped at 0.5% of the enterprise value. On a “no indemnity” or “public-style” deal, there will be no indemnification provisions in the agreement. It is common for buyers to insist on a fraud carve-out to the limitation provisions, and this is often accepted by sellers but only if fraud is appropriately defined.
Through a subrogation waiver, a buyer: (i) acknowledges the seller has limited or no liability for a breach of the representations given in the agreement; and (ii) covenants that the RWI insurer will waive any subrogation rights against the seller, save in the event of fraud. Certain sellers will desire that this waiver be given without the fraud carve-out, but this is typically unacceptable to RWI insurers.
Considerations for buyers and sellers
First, sellers must insist that “fraud” is appropriately defined so that it is limited to the seller’s intentional misrepresentation of the express representations in the agreement with intent to deceive.
Second, the parties must assess whether it is reasonable for the “non-reliance,” “exclusive remedy,” “indemnification & limitation” and “subrogation waiver” provisions to contain a fraud carve-out, taking into account RWI insurer requirements.
As previously noted, the “non-reliance clause” will typically not contain a fraud carve-out. An RWI insurer will never require a fraud carve-out, given the RWI policy only covers a breach of the representations given within the four corners of the underlying agreement. The insurer will never be liable for extra contractual representations, so it would be unreasonable and unnecessary for an insurer to request a fraud carve-out to the non-reliance clause.
In light of ABRY, there is a strong argument that RWI insurers should not require a fraud carve-out for “exclusive remedy” and “indemnification and limitation” provisions. This is because, as a matter of law, the seller is unable to shield itself from the type of fraud of which RWI insurers are primarily concerned, so an RWI insurer’s subrogation rights will be unhindered for circumstances in which it will pursue subrogation. Certain insurers (particularly if the agreement is governed by Delaware law) can accept this, while others require a fraud carve-out to the “exclusive remedy” and “indemnification and limitation” provisions. For agreements governed by the laws of other jurisdictions, particularly New York where the case law is less certain, there are still reasonable arguments for RWI insurers to accept no fraud carve-out to the “exclusive remedy” and “indemnification and limitation” provisions, but the arguments are less compelling.
With very rare exceptions, RWI insurers require the “subrogation waiver” provision to include a fraud carve-out. However, as emphasized above, a seller should insist this fraud carve-out is limited to “actual fraud” with “intent to deceive.”
Given the increasing prevalence of “no indemnity” deals, RWI insurers’ requirement to maintain subrogation rights in the event of seller fraud has never been more important. However, it is imperative that “fraud” is appropriately defined to preserve the delicate balance between an RWI insurer’s need to ensure robust disclosure and a seller’s need to avoid post-closing disputes. Lawyers representing sellers should seek to limit an RWI insurer’s rights of subrogation against a seller to instances of “fraud” that law and public policy do not permit to be limited by contract. Consistent with the ruling in ABRY, this means that the definition of fraud should be limited to a seller’s actual knowledge of an inaccurate misrepresentation given in an agreement with intent to induce a buyer to rely on such misrepresentation.
 Atlantic Global Risk, Atlantic Global Risk: M&A Insurance Market – 2019 Insights 7 (2020)
 Special thanks to Glenn D. West, Partner, Weil, Gotshal & Manges LLP, for his wonderful insights and input; and special thanks to Virginia Wong, Senior Analyst, Atlantic Global Risk, for her hard work and contributions to this article.
 See Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 4 (Forthcoming) (2020)
 See Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 4-5 (Forthcoming) (2020)
 Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 53 (Forthcoming) (2020); C.L. Tyagi & Madhu Tyagi, Insurance Law and Practice, 146
 ABRY Partners V, L.P. v. F&W Acquisition LLC, 891 A.2d (Del. Ch. 2006); EMSI Acquisition, Inc. v. Contrarian Funds, LLC, et al., C.A. No. 12648-VCS (Del. Ch. May 3, 2017)
 Glenn D. West, That Pesky Little Thing Called Fraud: An Examination of Buyers’ Insistence Upon (and Sellers’ Too Ready Acceptance of) Undeﬁned “Fraud Carve-Outs” in Acquisition Agreements, The Business Lawyer, Vol. 69 1053 (2014)
 Glenn D. West, That Pesky Little Thing Called Fraud: An Examination of Buyers’ Insistence Upon (and Sellers’ Too Ready Acceptance of) Undeﬁned “Fraud Carve-Outs” in Acquisition Agreements, The Business Lawyer, Vol. 69 1055 (2014)
Richard is a Managing Director and Co-Founder of Atlantic Global Risk, a specialist transactional risk insurance broker. Richard is responsible for directing Atlantic’s strategic growth and direction, including identifying and developing new product lines.
Alvin is an Executive Director and the head of Atlantic’s Boston office, where he counsels clients on risk mitigation solutions for complex regulatory issues and other matters.
“If you don’t know where you are going, you might wind up someplace else.”
— Attributed to Yogi Berra
Massachusetts has one of the country’s most stringent statutory and regulatory schemes relating to data privacy and security. The complexity and scope of available insurance products dealing with “cyber” exposures, in Massachusetts and throughout the business world, has dramatically increased over the past several years and is now as fractured and complicated as is the law, which differs from state to state and from country to country. Insurance underwriters, insurance brokers, technologists, security professionals, pundits and others offer conflicting advice about how to best move through this maze of insurance policies, technology, and the many potentially applicable state and federal regulations that often conflict. Imagine that there is growing apprehension that a company is at risk. At some point, a lawyer is called to advise on insurance protection. What is that lawyer to do?
The first step is to establish a team of professionals and client representatives who will, together, work through the issues that will allow the development of a meaningful strategy. The team should include the lawyer, an insurance professional, a technology resource (internal to the client’s business operations or external), and a representative of the client who is sufficiently vested with authority so that access to required information will be facilitated. Once the team is in place, the following should happen, in more or less this sequence:
1. The team should develop a realistic understanding of the client’s cyber/privacy and data risk profile. It is important to analyze not just electronic exposures, but traditional paper-based exposures as well. Among the many factors to consider are the following:
A. The type and location of protected information that is procured, handled, managed and stored by the client. Protected information includes, but is not limited to, private personal information (which is defined differently in various jurisdictions and under different regulatory schemes but often consists of an individual’s first name, last name, and either a social security number, bank account number or other similar data point), and confidential business information.
B. The federal, state, and local statutory and regulatory schemes that impact the client’s obligations with respect to protected information. Most states have adopted data privacy regimes that are grounded in statutes (in Massachusetts the applicable statute is Mass. Gen. Laws ch. 93H) and implemented through a series of regulations. Several federal agencies, including the FTC and the SEC, are focused in meaningful ways on the security of personal and other confidential information that is handled by businesses. Courts are, in most instances, finding statutory and regulatory support for robust enforcement actions by these agencies. It is important to keep in mind that many states, Massachusetts among them, have taken the position that their privacy schemes are meant to be protective of their citizens wherever those citizens conduct commerce.
C. The commercial obligations that have been assumed by the client by contract or otherwise in connection with data security and privacy. These should be charted, and compliance measured.
D. The security of non-electronic records that contain protected information.
E. The client’s network and electronic information storage infrastructure. As with non-electronic records, this infrastructure should be assessed by qualified professionals, and a plan should be established for correction of deficiencies.
2. Next, insurance coverage that is already in place should be reviewed. Among the policies to be reviewed are:
A. General Liability policies
B. Directors and Officers Liability policies
C. Errors and Omissions policies
D. Fiduciary policies
E. Crime policies
F. Professional Liability policies
G. Commercial Property policies
The risk profile that has been developed should be reviewed in the context of the insurance coverage that is present in these policies (there are no true “standard forms” and careful, term-specific analysis is required). The insurance professional who is part of the team should assist in identifying potential exposures that are not within the scope of the existing coverage.
3. Having established a risk profile, assessed the protection afforded by the insurance coverage in place and begun the process of correcting deficiencies, the team should next consider whether existing coverage should be supplemented, including whether stand-alone cyber/privacy coverage should be procured. The policy wordings that might be employed to supplement existing policies, and the policy forms that are available as stand-alone products, are not standard forms of insurance. Nearly all wordings can and should be specially negotiated.
As the stand-alone cyber/privacy insurance market has evolved, these general coverage types have become “standard” in most offerings (with the caveat that while the coverage “type” may be standard, the implementation varies from insurer to insurer, and from product to product, in meaningful ways):
A. Third party coverage against claims asserting a “data privacy wrongful act,” a “network security wrongful act,” or other similar coverage grant. This coverage affords the cyber/privacy equivalent of general liability coverage. A client purchases this coverage to protect against third party claims alleging damages due to the client’s handling of protected information.
B. Third party coverage for claims relating to violation of intellectual property rights or copyright.
C. Various types of first party coverages (coverage that will pay an insured for loss that the insured suffers itself, rather than indemnifying an insured for claims asserted by others), such as:
1. Notification and related expense coverage;
2. Coverage for regulatory fines and penalties;
3. Coverage for the expense of recreating information that is damaged, compromised or destroyed as the result of a data security incident, or other covered occurrence;
4. Coverage for the expense resulting from the inability to use a network or other asset as the result of a covered event; and
5. Coverage for fines and penalties payable as the result of a failure to maintain appropriate levels of Payment Card Industry compliance in connection with credit or payment card exposures (this is not as generally available).
There are, of course, additional issues that will arise in the course of developing an appropriate mitigation strategy and insurance structure. For example, it may be necessary to allow an insurer, or several insurers, to independently audit a client’s infrastructure. It may be that an insurer adds exclusions to a policy that render otherwise appropriate coverage difficult to accept – for example, adding an exclusion that would allow an insurer to avoid payment obligations in the event that there is a change in network structure, levels of security protection, or the like. These types of potentially devastating exclusions, sometimes based on ambiguous terms that are difficult to either understand in an operational sense or manage, can make otherwise meaningful protection unacceptable.
So, dealing with the structure of an effective cyber/privacy insurance program requires knowing what you’ve got, knowing what’s lacking, and filling gaps in a targeted way. Know where you’re starting, understand the potential end points, and you’ll get where you’re going and not someplace unexpected.
Alan M. Reisch is a Director in the Litigation Group at Goulston & Storrs, as well as a Founder of the firm’s risk management affiliate Fort Hill Risk Management, and counsels clients in connection with insurance coverage and portfolio analysis, risk assessment and management, fraud, data privacy and other related issues.