Early in 2015, we started predicting “carveouts” of cyber risk from D&O insurance policies, and that coverage after a breach would commonly be contested.
Directors’ and officers’ (“D&O”) insurance is a small but high profile segment of the property and casualty market. The increasing frequency and impact of cyber breaches is affecting its future, and insurers are grappling with the growing litigation risk following cyber breaches.
What is the specific risk to boards of directors? “D&O-related exposures from cyber events arise through allegations that ineffective or negligent corporate governance and board oversight were contributing factors behind inadequate systems defenses and a breach that led to losses and/or a sharp decline in share value.”[1] Put simply, board members can’t afford to take their eye off the ball in overseeing their company’s cybersecurity posture.
Warnings about the potential lack of cyber breach coverage in D&O policies began to be heard several years ago. “Corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.”[2]
High-profile cases have included Wyndham, Zappos, and Yahoo. The Wyndham case has dragged on since the original breaches in 2008-2009. In a far-reaching decision in August 2015, the Third Circuit upheld a lower court ruling that the Federal Trade Commission had the authority to regulate corporate cybersecurity, and the right to pursue a lawsuit accusing Wyndham of failing to properly safeguard consumers’ information.
Data accumulated over the past century about suits stemming from other sources gives underwriters a high degree of confidence. In contrast, D&O underwriters operate without a base of comprehensive data about cyber breaches. They have far less confidence about the impact of cyber-related suits against directors, and some predict that “insurance companies will try to insert exclusions into D&O policies just as they do into other policies (even into dedicated cyberpolicies). Many of these terms are vague and destined to lead to disagreements over their effect on the scope of insurance coverage for a cyber-related claim.”[3]
Early in 2015, we started predicting “carveouts” of cyber risk from D&O, and that coverage after a breach would be contested. Others shared our belief. “Even if a given D&O policy does not specifically exclude losses resulting from a cyberincident, this is no guarantee that such losses are covered. Depending on the nature of the lawsuit, the data compromised, and the specific policy language, significant coverage issues may be implicated by a cyberincident. As the number of cyber-related lawsuits against directors and officers increases, so too may the prevalence of specific cyber exclusions.”[4] Not surprisingly, we heard from a prospect in December 2015 who had received a letter from their insurer that specifically dropped coverage for cyber breaches from their D&O policy.
Derivative suits against corporate officers continue to be pursued. Whether they succeed or fail, they damage the reputation of all directors who didn’t exercise proper duty of care in their oversight of cyber risk before a breach occurred. Active engagement is not optional.
[For ideas about actively engaging the board in cyber risk oversight, see “Increasing Board Engagement with Cyber Risk” and “6 Concepts That Help Boards Oversee Cybersecurity” in the Cybergovernance Journal.]
1. Mark A. Hofmann, “Cyber risks, consolidation pose challenges for directors and officers insurers,” Business Insurance, April 13, 2016.
2. Richard Bortnick, “Cyber Security and Data Breaches — Why Directors and Officers Should Be Concerned,” The D&O Diary, September 11, 2012.
3. Joshua Gold, Risk Management, April 2, 2014.
4. Rachel Raphael and Ellen Farrell, “Data Breaches Bring D&O Insurance Issues,” Law360, September 9, 2015.