Regulators have expressly warned that organizations must be proactive and dedicated to minimizing cyber risk to themselves and their stakeholders. Accordingly, investigations and litigation targeting senior company executives are on the rise. This session at the RIMS 2017 Annual Conference and Exhibition highlighted the importance of directors and officers (D&O) insurance coverage considerations and how that coverage protects senior executives during a potential cyber risk claim.
- Joshua Gold, Esq., Shareholder, Anderson Kill P.C.
- Scott Corzine, Senior Managing Director, Ankura Consulting Group, LLC
Current Cyber Landscape
Potential exposures for cyber risk include business interruption, regulatory investigations, cyber extortion, third-party liability, business reputation and loss of information (own and others). With all of this at stake, it is important to manage your cyber priorities in the following categories:
- Resources – Do not skimp on money, people and senior management buy-in.
- Plans – Strategy around computer security, privacy and breach response must be in place before a breach.
- Implementation – Keep current, update plans/protocols regularly, train and re-train.
Trends show that management liability risk is also a large exposure in the cyber realm. Derivative actions, securities class action suits and regulator claims are on the rise. Losses resulting from most civil suits have been defense costs, rather than settlement or adverse judgement loss; however, this is bound to change. Charges against management typically include failure to disclose cyber risk, cyber breach scope and sufficiency of risk management.
No organization is immune to this type of risk, and it is just a matter of time before we are dealing with charges beyond fraudulent card charges. Exposures related to the “Internet of Things”, infrastructure and transportation are on the horizon. Widespread public safety is at risk. There is inevitably going to be a cyber event where people die. We are moving well beyond the traditional theft landscape.
D&O Insurance Coverage for Cyber
The D&O product remains one of the better lines of coverage available. It includes broad wrongful act coverage and often includes a broad array of insureds. Certain inclusions have been pared back over the years, making the coverage even broader.
D&O insurance issues meet cyber:
- Application/purchase risk. It’s important to get this process right. A lot of cyber policy applications ask if you have been the subject of a cyber attack. Most say no, but hack attempts could be occurring daily and simply being deflected. Use careful consideration when answering these questions and be upfront.
- Other insurance/indemnification. Some other insurance clauses claim to be “other indemnity” clauses. There are also more prospects for fights over cyber-related indemnification.
- Bodily injury/property damage. The coming Internet of Things has implications for D&O. It is a matter of time before a cyber incident causes destruction or death.
- Retroactive dates can be troublesome, with broad pleading and vague reference to chronology (i.e. allegations that security has been lax for years).
Finally, we are in dire need of brokers who are well-versed in cyber. Broker assistance is a must when purchasing. Cyber coverage issues change often and there is little uniformity of cyber insurance products. In addition, potential gaps in coverage may open the door to denials of coverage, whether valid or not. It’s important that the broker has the full view of the whole insurance portfolio so that, among other things, management risk is fully addressed.