Cyber issues have become critical considerations for corporate boards and management teams, as cyber incidents can result in a host of costs for regulatory investigations, remediation activities and credit monitoring.
Speakers in this RIMS 2016 session included:
- Kieran Hughes, Vice President | Directors & Officers, AIG
- Timothy Fletcher, Senior Vice President and Team Leader, Aon Risk Solutions
- Leslie Lamb, Director, Global Risk Management, Cisco Systems, Inc.
There were 1,500 data breaches in 2015. There have been several well-known breach incidents and resulting D&O claims in recent years. One of the most notable is Home Depot, which reported a massive breach of credit card information stemming from an intrusion that was reported in April of 2014, five months before the incident was made public. Target Corporation and Wyndham Worldwide were also among the more well-known breaches of this type.
There are several sources of claims after a cyber incident, including customers, shareholders, regulatory agencies and other third parties such as financial institutions.
D&O claims arising out of a cyber incident can stem from allegations that include breach of fiduciary duty, waste of corporate assets, conspiracy and aiding and abetting. Named defendants can include the CEO, CIO and various directors.
Derivative claims can arise from a cyber incident as well. A derivative action is a lawsuit brought by a corporate shareholder against the directors, officers and management of the corporation for a failure by management. Settlement amounts in these actions are often non-indemnifiable, subject to individual state laws.
A D&O insurance program can provide coverage for individual directors and officers as well as for the company. These policies might exclude fines and penalties in the Definition of Loss and might also contain Bodily Injury/Property Damage and Professional Services exclusions.
Insurers are increasingly asking cybersecurity and cyber breach questions as part of the D&O underwriting process, and they are also starting to evaluate aggregation of limits between D&O and Cyber policies.
Risk managers are now playing an increasing role in identifying cyber risks related to the critical considerations of the board and management team. They need to understand Cyber and D&O policies and determine common points of overlap between them. It is critical to keep pace with cyber risk trends and the impact they have on D&O coverage.