How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?
Ongoing big ticket regulatory fines coupled with high profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioners’ intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.
Increasing Liabilities for Portfolio Companies – and PE firms
The UK Information Commissioner’s proposed fine against an international hotel group underlines the risk of acquiring a company with regulatory vulnerabilities. This intended fine relates to a 2014 data breach in the systems of a subsidiary, which occurred prior to (but was not discovered until after) the acquisition of the subsidiary by the group in 2016, and refers to inadequacies in due diligence on the target’s security measures. The GDPR regime uses the EU antitrust concept of “undertaking”, meaning that liability for fines (capped at the higher of €20 million or 4% of a group’s annual global turnover) could extend to a PE sponsor and could be calculated on the basis of the entire portfolio. In an antitrust context, European courts have found a financial sponsor jointly and severally liable for the cartel behavior of a prior-owned portfolio company, imposing a multimillion Euro fine, despite the sponsor having no knowledge of the behavior and no longer owning the company.
Policies and Guidelines Risk Piercing the Corporate Veil
There is also increasing unease that in certain circumstances the corporate veil can be “pierced”, rendering a PE firm liable for the actions of its portfolio companies, particularly if the portfolio company has engaged in criminal behavior such as cartel activity, bribery, corruption, money laundering, or tax evasion. We have also seen attempts to render parent companies liable for subsidiaries’ environmental, health, and safety liabilities, including if the parent exercises a degree of supervision or control, or if the parent has issued relevant policies and guidelines. Further, political and media pressure may result in additional areas of liability for PE sponsors, including for pension liabilities.
Mitigating, Not Increasing, the Risk
Deal teams should consider carrying out technical or enhanced due diligence on targets in higher risk areas. However, there are certain risks, including data and cyber-related risks, which may never be fully mitigated. While the popularity of W&I insurance on private equity acquisitions is increasing, the insurance may not be of use for regulatory fines, which are generally not insurable as a public policy matter. Deal teams should strive to be fully aware of the nature and extent of such risks, and should price them in if possible. Further, while PE sponsors should focus on encouraging best practice across their portfolio (promoting a compliance culture at portfolio level and ensuring that management teams enforce training and compliance policies), given the increasing instances of the corporate veil being pierced or peeped through by linking parent liability to statements and commitments made by parent companies, PE sponsors need to tread this line carefully. PE sponsors must be confident that their companies are covered, without becoming embroiled in day-to-day management — a step that may increase the risk of liability.
Policies Should be Approached with Care – Key Takeaways from Recent Corporate Responsibility Case Law
“Even where group-wide policies do not of themselves give rise to a duty of care to third parties, they may do so if the parent does not merely proclaim them, but takes active steps, by training, supervision and enforcement, to see that they are implemented by relevant subsidiaries.”
“Similarly, … the parent may incur the relevant responsibility to third parties if, in published materials, it holds itself out as exercising that degree of supervision and control of its subsidiaries, even if it does not in fact do so. In such circumstances its very omission may constitute the abdication of a responsibility which it has publicly undertaken”
Buyout Firms Should:
- Carefully review corporate representations, both public and contractual, regarding implementation of standards — words have legal meaning and can be assessed
- Consider supervision and control. In relation to a relevant risk, evaluate if the firm could have, in substance, taken over the management of the relevant activity of a portfolio company in place of, or jointly with, the portfolio company’s own management
- Evaluate if the firm has given relevant advice to a portfolio company about how it should manage a particular risk
- Implement mitigation measures to limit the risk that liability for portfolio company actions tracks back to the buyout firm