How D&O Policies Respond to Cyber Incidents
Annual global cyber losses are expected to reach a staggering $6 trillion by the end of 2021 and $10.5 trillion by 20251 – with North American organizations continuing to be primary cybercrime targets, accounting for more than two-thirds of all global incidents and more than half of all breaches in 2019.2 In this environment, it is vitally important for risk managers to have a clear grasp of how their Directors & Officers policies respond in the event of a cyber incident, including potential coverage limitations and how it differs from their Cyber Liability policy.
D&O vs. Cyber Liability
There are clear differences between Cyber Liability and cyber-related losses that may be covered under a D&O form. Cyber Liability policies provide first-party coverage and third-party coverage for losses a business incurs during a cyber incident. These coverages are not available under a D&O policy, and can include:
- Certain costs to engage breach counsel, helping companies understand what regulatory obligations they have, and to help map initial steps to be taken when remediating an event
- Hiring forensic professionals to determine incident extent
- Certain expenses to notify stakeholders that their information has been compromised
- Certain expenses to repair networks and systems impacted by the incident
- Public relations efforts to manage business reputation
- Other costs to repair a breach, mitigate liability and return operations to normal
- Certain defense costs and damages associated with claims or investigations brought by third parties or regulatory bodies
- Certain costs to monitor credit
A D&O policy provides coverage for third-party liability costs incurred to an individual or entity that arise from an entity’s, director’s or officer’s liability. Coverage typically includes defense costs and damages awarded, or judgment and settlement amounts.
In the event of a cyber incident, available D&O coverages will depend on the policy’s exclusions, which differ between public company and private organization policy forms. Some insurers are attaching a specific cyber exclusion to the D&O policy, and these exclusions differ between public and private-entity forms. D&O exclusions related to contractual violations, or the willful violation of a statute, could limit or also preclude cyber liability coverage. Notwithstanding any specific cyber exclusion, in the event of a cyber incident, the bodily injury or property damage (BIPD) exclusion could also be impactful on coverage.
The BIPD exclusion’s language can sometimes preclude coverage for cyber claims arising from bodily injury or property damage caused by an “invasion of privacy,” which is often a key allegation in cyber incident-related litigation:
- It depends on whether it includes absolute language (i.e. contains broad language such as “based upon”, “arising from,” “directly or indirectly,” “related to”), or
- Excludes only claims “for” invasion of privacy.
The “for” language is preferred, as this will only exclude claims that directly allege “invasion of privacy,” but allow coverage for other more remote claims that might still be in some way related to or arise from a privacy incident.
Shareholders may allege that directors and officers were negligent in taking enough precautions to prevent the incident, or in mitigating reputational damage to the company after the incident. If the D&O policy’s BIPD exclusion excludes coverage for claims arising from an “invasion of privacy,” but does not contain absolute language, then it is likely that individual directors and officers will have coverage for this type of shareholder claim.
However, the BIPD exclusion could be problematic for directors and officers of both public and private companies if they are subject to a lawsuit brought by individuals impacted by a cyber incident who are seeking damages for an invasion of privacy. While this action is typically an exposure for the business entity, individual plaintiffs could try to hold directors and officers responsible for the incident, especially when a corporation or organization is insolvent. An insurer could argue that this falls within the BIPD exclusion if it includes “invasion of privacy” as a prohibited cause of bodily injury or property damage. Ultimately, the coverage available under a D&O policy for individual directors and officers will depend on the specific lawsuit allegations.
D&O Cyber Coverages: Additional Public Company Considerations
For a public company, coverage for the entity under its D&O policy is typically limited to losses arising out of securities claims. Therefore, a corporate entity could have coverage for claims brought against the company under its D&O policy when a cyber incident results in a shareholder lawsuit. The policy may also afford coverage for claims brought against the directors and officers of the company for wrongful acts relating to mismanagement, improper disclosure, or a breach of fiduciary duty relating to a cyber incident. However, the D&O policy will likely not respond if a public company is sued by individuals seeking damages because they were affected by a cyber incident. As with all D&O claims, coverage will be dependent upon the specific allegations and applicable coverage limitations, such as loss-excluding fines and penalties, contractual liability or willful violation exclusions.
Public company directors and officers have a duty to understand the ramifications of cybersecurity on their business, and to proactively design risk mitigation procedures and internal disclosure guidelines specific to their company’s unique cybersecurity needs. In the US, the Securities and Exchange Commission’s guidance on the cybersecurity topic signals a growing and continued focus on this matter and serves as notice that all companies must be prepared. Additionally, Event-Driven Litigation (EDL) is a significant exposure for corporate leadership. Cybersecurity and cyber incidents are particularly fertile ground for the new wave of class action securities claims arising from claims of corporate mismanagement, some of which are in response to breaches and privacy violations.
If a public company experiences a cyber incident its directors and officers could face lawsuits brought by shareholders should the incident result in a drop in the company’s share price. In one example of litigation arising from a cyber breach, the securities class action seeks to recover damages for alleged violations of the federal securities laws claiming that throughout the class period the company made materially false and/or misleading statements and/or failed to disclose that its end users had their personal information exposed.
Further allegations include that the company actively concealed this data breach for several months, violating the company’s purported data privacy and security policies. The complaint goes on to allege that the discovery of the wrongdoing could foreseeably subject the company to heightened regulatory scrutiny and that prior public statements were materially false and misleading. Following a major media outlet’s article exposing the private data of hundreds of thousands of users, the company’s stock price fell.
Public company D&O insurers are increasingly seeking additional information regarding companies’ corporate governance of cyber security, cyber incident response plans, oversight of third-party vendors involving the company’s data, and details regarding cyber insurance purchased.
D&O Cyber Coverages: Additional Private Company Considerations
Private company D&O policies are generally broader than those available to public corporations, as the coverage for the organization is not limited to securities claims and the policies afford coverage for claims brought by customers, vendors, regulators, security-holders and other third parties. Although less common than a public entity, if a private company with shareholders experiences a cyber incident the company’s directors and officers could also face lawsuits brought by stakeholders or regulators, in addition to claims against the organization. Additionally, like public companies, directors and officers may be sued for mismanagement, breach of fiduciary duty or liability resulting from wrongful acts in connection with a cyber incident.
Given the breadth of coverage under private company D&O policies, insurers are increasingly seeking to exclude coverage for cyber claims. Those exclusions will vary of course, and they should be limited to apply to the organization only, with exceptions for securities claims, including derivative lawsuits, which are brought by an organizations’ shareholder against the directors, management and/or other shareholders of the organization, for a failure by management.
Coverage for regulatory investigation or proceedings
Where a corporation is subject to an investigation or audit by the privacy commissioner (Canada) or regulatory investigation in the US related to a cyber event, a D&O policy with regulatory investigations coverage could respond to cover individual directors and officers, providing they are acting in their capacity as such, for defense costs arising out of the investigation, in addition to the corporation, whether private or public.
However, a D&O policy will not provide coverage for the cost of individuals or corporations to comply with any order by the privacy commissioner requiring them to take measures to ensure compliance with Canadian privacy legislation.
A public corporation will not have coverage under the D&O policy for a proceeding brought by the privacy commissioner or interested government body because it will not fall within the coverage that is available for securities claims. Private D&O policies may respond to claims brought by regulators against the entity, but other policy limitations as noted previously may apply -- most notably the entity cyber exclusion (if applicable) and fines and penalties excluded as part of loss.
The coverage available under the D&O policy for a proceeding involving individual directors and officers or a private company will depend on the allegations. If it is alleged that individual insureds or a private company have violated legislation, the D&O policy could respond to cover defense costs, as well as damages or settlement amounts. However, if it is alleged that insureds are guilty of a willful violation of the privacy legislation, a D&O policy may respond to provide defense costs coverage until there is a final and binding determination of guilt. Any settlement or judgements awarded would likely not be covered. If an action is brought on behalf of individuals who suffered damages because of a privacy incident, the coverage available could be impacted by the BIPD exclusion (as discussed above).
Develop a Comprehensive Cyber Program with D&O and Cyber Liability
Over the years, D&O policy coverage has expanded, however, the cyber coverage available under a D&O policy is likely to be limited, at best. The D&O policy does not include first-party coverage, nor is it intended to be the primary insurance policy meant to address liability claims brought by impacted third parties or regulators investigating potential violations of privacy protection laws.
Business interruption, forensic expert, notification cost and public relations coverages provided through a cyber liability policy are critical for businesses with cyber exposures. A cyber incident may not result in litigation in every instance, however, a company can expect to incur significant out-of-pocket costs to mitigate a cyber incident and get back up and running.
As companies and organizations become increasingly reliant upon technology, cyber incidents continue to grow in frequency. Regulators, stakeholders and security holders have responded to cyber incidents that result in reputational, business and financial harm. A key component of risk mitigation includes careful review of D&O policy terms and purchase of a cyber insurance policy. The cyber policy generally provides more comprehensive cyber incident coverage to individuals and corporations (both public and private), including first-party costs not available under a D&O policy. It will also likely preserve the limits of the D&O policy to respond to claims unrelated to cyber liability.
***
All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.
1 (Top 5 Cybersecurity Facts, Figures, Predictions, and Statistics for 2020 to 2021, Cybercrime Magazine)
2 https://enterprise.verizon.com/resources/reports/dbir/2020/data-breaches-by-region/north-america/