In the insurance industry, we LOVE our mergers and acquisitions! M&A remains one of the most popular ways to build both insurance agencies and carriers. Also, with incumbents looking to capitalize on new technologies and the business models they enable, M&A between established firms and insurtech will become more common.
Due diligence is a critical part of the M&A process. Traditionally, it focuses on financial aspects: P&L statements, debt load, revenue projections, contracts, etc. But here are some areas that might not get the attention they deserve.
Insurance Licensing & Compliance
A key fact that many buyers and sellers overlook is that agency licenses are attached to the entity’s Federal Employer Identification Number. If the post-M&A entity won’t have the same FEIN, the licenses associated with that FEIN won’t be available for use. It takes time (and money) to get new licenses in place. I’ve seen this issue derail more than one deal and/or delay a new entity’s ability to service an acquired book of business or start soliciting new business. And even a short delay in being able to transact business can jeopardize a venture’s profitability.
For more on preparing your insurance agency for sale, listen to Spot On Insurance Episode 55, featuring Joyce King.
If you’ll continue to use the agency’s licenses after the merger/acquisition, ask for a review of producers affiliated to those licenses. Any affiliations for individuals no longer employed with the agency need to be terminated before closing. This is also a great opportunity to confirm who serves as the Designated Responsible Licensed Producer (DRLP) for each agency license. You’ll want to be sure that these DRLPs will be staying after the transition – or that you have another appropriately licensed individual ready to step into the gap. Remember, many states require that the DRLP be an officer, member, etc. for the organization.
Lastly, while you’re checking compliance, don’t forget to review Secretary of State registrations. This can be more of an issue for agencies than for carriers since whether an entity transacting business in a non-resident state needs to register with SOS depends on its business model. If a business needs to register, a careful review of its standing in each jurisdiction should be completed. Catching up past-due annual returns and missed foreign corporation tax fillings – even de minimis filings – can be expensive, due to interest and penalties.
Surplus Lines Compliance
If the agency you’re targeting does business in excess and surplus lines – also known as the non-admitted market – a thorough compliance review needs to be done. Depending on the state, it can take up to two years for a licensee to be notified of a deficient/untimely surplus lines tax filing or report. If you’ll continue to use the agency’s surplus lines licenses after the merger/acquisition, how such matters will be handled and who will be responsible for any fees, fines, etc. arising from pre-merger/acquisition deficiencies needs to be addresses in the sale contract.
If the licenses won’t be transitioned, it’s important to surrender them appropriately – and immediately! If a state requires zero reports from surplus lines licensees, the licensee remains responsible for these reports for as long as the licenses remain active, even if the agency licensed is no longer in business.
Information Management and Technology
The insurance industry runs on information. Unless you’ll be replacing the systems the target company has in place with your own, you’ll want a comprehensive IT audit.
Start with software licensing. In a business’ early days, it’s a terrible temptation to install that piece of software you just paid a small fortune for on more than one machine … despite what the user license says. Our “there’s an app for that” culture further complicates the licensing issue. It’s all too easy for employees to install programs their own IT team isn’t aware of (unless they do regular system audits). Ask for a list of all programs currently in use and require proof that the appropriate licenses are in place. Require that all unlicensed software – and unused applications, for that matter – be removed before closing.
Hopefully you’re taking a close look at all contracts in force for the target entity, but pay careful attention to contracts for IT services. Because companies often lack the skill set to handle their own IT needs, outsourcing is a popular choice; but this can lead to a patchwork of providers. Additionally, cloud-based data storage and similar Internet-based solutions often supplement a firm’s on-site infrastructure. You need a thorough understanding of what IT functions are outsourced, with whom, and at what cost. Check for redundancies in services and functionalities that are being paid for, but not used. Finally, know when the existing contracts are due to renew and whether costs are likely to increase.
And while we’re talking about future IT expenses, let’s talk about “future-proofing.” This buzzword appears with increasing regularity. Future-proofed systems supposedly won’t need significant modifications as technology changes. Usually, however, future-proof just means that the updates and upgrades are invisible to the end user – and such convenience often comes at a price. So if you want that fantastic website that’s driving clients to your door to continue to function effectively, you’ll need to maintain the relationship with whoever is doing the behind-the-scenes work or have equally knowledgeable personnel ready to take over.
Since we’re on the subject of IT, let’s talk about cybersecurity. With more and more jurisdictions passing (or at least considering) cybersecurity and data privacy regulations, you need to understand what measures the target company has in place for addressing these areas and what their vulnerabilities are. Will the Chief Information Security Officer (CISO) and/or other key players in the agency’s cybersecurity program be staying after the transition? If two firms are merging, how their cybersecurity programs will merge is an essential consideration. Misunderstandings about who is responsible for what can easily create exploitable gaps in your cyber defenses.
Additionally, cyber breaches are notoriously slow-moving disasters. (There’s even something called a cyber hurricane!) Recent data shows that breaches go undetected for an average of 191 days. Verifying the scope of the breach and identifying the system vulnerabilities that made it possible can add to this total. Who will be responsible for notifying regulators and clients of breaches that actually occurred prior to the transition needs to be spelled out in the M&A contract, as does how liability for any litigation arising from a breach will be handled. Even if your firm won’t be legally responsible, you could still face serious damage to a brand you’ve paid good money for. The recent Marriott breach is a case in point.
Increasingly, some of a target agency’s most valuable assets may be intangible – its intellectual property. Request a detailed IP inventory as part of the due diligence process. Will the former owners take any key assets with them? A clear chain of title for all IP that will be available after the transition should be provided, as well as a schedule for when patents, copyrights, etc. need to be renewed.
For more detailed information about due diligence for intellectual property, check out this article by Jennifer Criss, The “Do’s” of IP Due Diligence. And for more information on the types of intellectual property and what you need to do to protect them, listen to this Spot On Insurance podcast, featuring Joel Leviton, an intellectual property attorney with Stinson Leonard Street.
It Pays to Be Thorough
Of course, there a lots of other questions you can include in your due diligence process. Check out this article by Richard D. Harroch and David A. Lipkin for more ideas.