Understand entity wording in cyber policies. Learn what coverage applies to subsidiaries, acquired entities, and newly created divisions.
Cyber insurance policies define who is covered through entity wording: typically the named insured (the company that purchased the policy) and sometimes explicitly listed subsidiaries or affiliated entities. The critical issue is that entities not explicitly listed in the policy are not covered, creating major gaps during mergers and acquisitions. If Company A purchases a cyber policy naming only Company A, and Company A acquires Company B mid-policy, Company B is not automatically covered by Company A's policy unless the policy language includes automatic coverage for acquisitions. Different policies handle this differently: some policies have automatic subsidiary coverage for entities meeting thresholds (under 50% ownership, acquired before policy expiration), while others require a schedule amendment. Brokers must verify: (1) Is the named insured correct? (2) Are all operating entities listed? (3) Does the policy cover newly acquired entities? (4) What is the definition of 'subsidiary' (ownership percentage, consolidation method)? (5) What notice period is required for a new acquisition to be added? A common post-renewal gap occurs when a client merges with or acquires another company between policy renewal and effective date. The new entity should be added via endorsement or notice, but if the broker doesn't realize the acquisition occurred, the new entity goes uninsured. For holding companies with multiple operating subsidiaries (common in private equity, real estate, or healthcare organizations), verifying that all meaningful entities are listed prevents gaps.
Broker renews cyber insurance based on current policy. Client acquires new company three months later. New entity experiences cyber incident; broker discovers coverage applies only to named insured, new entity not covered.
Brokers don't systematically review entity wording at renewal. Clients don't notify broker of acquisitions before they happen. Policy schedules unclear about which entities are covered. No visibility into policy language on automatic acquisition coverage.
Policy review checklist showing: named insured, all listed subsidiaries with ownership percentages, automatic acquisition coverage language, endorsement process for new entities, and list of entities needing coverage.
BindLedger policy organizer tracks entity coverage, flags missing subsidiaries, and alerts when acquisition notice is required.
Use supplement parser
Use supplement parser →“Buyers inherit all kinds of risks when they acquire a company, including undetected or undisclosed cyber breaches that can lead to damaging ransomware attacks or costly data breaches.”
“Cyber risk considerations in M&A transactions are increasingly important as digital assets and data become central to enterprise valuation.”
“Most cyber policies provide some form of automatic coverage for acquired companies that fall within the acquisition threshold, but this provision covers acts or events after the acquisition date, not prior acts.”
“Organizations with subsidiaries must verify that all operating entities are properly scheduled on the cyber policy to avoid coverage gaps.”
“Holding companies with multiple subsidiaries require careful verification that all operating entities are scheduled on the cyber policy.”