How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?

Ongoing big-ticket regulatory fines coupled with high-profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioner’s intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.

Increasing Liabilities for Portfolio Companies – and PE firms

The UK Information Commissioner’s proposed fine against an international hotel group underlines the risk of acquiring a company with regulatory vulnerabilities. This intended fine relates to a 2014 data breach in the systems of a subsidiary, which occurred prior to (but was not discovered until after) the acquisition of the subsidiary by the group in 2016, and refers to inadequacies in due diligence on the target’s security measures. The GDPR regime uses the EU antitrust concept of “undertaking”, meaning that liability for fines (capped at the higher of €20 million or 4% of a group’s annual global turnover) could extend to a PE sponsor and could be calculated on the basis of the entire portfolio. In an antitrust context, European courts have found a financial sponsor jointly and severally liable for the cartel behavior of a prior-owned portfolio company, imposing a multimillion-euro fine, despite the sponsor having no knowledge of the behavior and no longer owning the company.

Policies and Guidelines Risk Piercing the Corporate Veil

There is also increasing unease that in certain circumstances the corporate veil can be “pierced”, rendering a PE firm liable for the actions of its portfolio companies, particularly if the portfolio company has engaged in criminal behavior such as cartel activity, bribery, corruption, money laundering, or tax evasion. We have also seen attempts to render parent companies liable for subsidiaries’ environmental, health, and safety liabilities, including if the parent exercises a degree of supervision or control, or if the parent has issued relevant policies and guidelines. Further, political and media pressure may result in additional areas of liability for PE sponsors, including for pension liabilities.

Mitigating, Not Increasing, the Risk

Deal teams should consider carrying out technical or enhanced due diligence on targets in higher-risk areas. However, there are certain risks, including data and cyber-related risks, which may never be fully mitigated. While the popularity of W&I insurance on private equity acquisitions is increasing, the insurance may not be of use for regulatory fines, which are generally not insurable as a public policy matter. Deal teams should strive to be fully aware of the nature and extent of such risks, and should price them in if possible. Further, PE sponsors should focus on encouraging best practice across their portfolio (promoting a compliance culture at portfolio level and ensuring that management teams enforce training and compliance policies). However, given the increasing instances of the corporate veil being pierced or peeped through by linking parent liability to statements and commitments made by parent companies, PE sponsors need to tread this line carefully. PE sponsors must be confident that their companies are covered, without becoming embroiled in day-to-day management — a step that may increase the risk of liability.