What happens when a company experiences a data breach, and shareholders blame the directors and officers? Is it the D&O insurance that should respond? Or the cyber policy? Or both?
With more and more high-profile cases like Target and Wyndham where Ds and Os are the target of blame after a breach, board members are increasingly concerned about cyber events leading to D&O claims. And, they’d absolutely expect a D&O policy to protect them in the event of such claims.
But there’s been talk by some that perhaps D&O insurers will attempt to exclude cyber events, just like general liability insurers have in recent times. It’s true that it’s a “buyer beware” situation if you’re relying on the commercial general liability (CGL) policy to cover cyber events resulting in a loss, such as data breaches.
In fact, there have been many unsuccessful attempts by companies involved in a data breach to get their GL policy to respond in absence of cyber insurance. In other cases, courts have agreed that certain aspects of a data breach could fall under a CGL policy, making insurance carriers nervous.
Insurers argue that CGL policies were never meant to cover data breach claims. Enter the cyber exclusions that insurers are now adding to CGL policies.
In fact ISO, the organization that issues standard policy forms for insurers, recently issued a standard endorsement to exclude cyber from the CGL policy, and carriers are starting to use this more and more.
These exclusions are pushing companies to buy cyber policies, which is the appropriate type of policy to cover first-party and third-party costs for events such as a data breach.
But could those cyber exclusions also be the fate for D&O coverage? Not likely. CGL policies provide broad coverage to the entity, so they were vulnerable to responding to claims against the company by the individuals whose data was breached.
The entity coverage under most D&O policies is limited to securities claims, i.e., shareholder lawsuits. So D&O insurers really only need to be concerned when a cyber loss is so big that it causes shareholders to take notice, as was the case with the derivative shareholder lawsuits filed against Target and Wyndham earlier this year.
Derivative lawsuits are especially concerning for boards, as most jurisdictions do not permit a company to indemnify Ds and Os for this type of suit.
Fortunately, D&O policies are exactly designed to cover shareholder lawsuits, whatever the source of the underlying problem. Rather than excluding cyber events, D&O insurers will likely start asking more questions of boards to better understand if Ds and Os are actively looking at cyber risk and doing their duties as directors to manage it.
The personal liability associated with these types of lawsuits should encourage directors to pay a lot more attention to cyber risk. The U.S. Securities and Exchange Commission (SEC) is also increasingly focused on this topic, hosting a Roundtable on Cybersecurity in March 2014, and launching cyber security assessments of more than 50 registered investment advisors and broker dealers in April.
Add to that the fact that ISS (Institutional Shareholder Services), a proxy advisory that advises shareholders how to vote on corporate ballots, stated Target should sever ties with seven out of 10 directors for not managing Target’s systems to the best of their ability, and we can begin to see how cyber has become a critical topic in the boardroom.
To prepare, board members should be asking specific questions about their cyber risk. Woodruff Sawyer’s Priya Huskins and I wrote a useful piece that covers the gamut of what boards need to do to manage cyber risk, and you can access that here.
In the end, corporations should have a robust risk management program that considers all aspects of a potential cyber event, including both cyber coverage and D&O insurance. And, to place those policies, boards should be prepared to answer tough questions about how they are managing cyber risk.