Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ

Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ
July 24, 2024 8 mins

Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ

Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ

Cyber incidents continue to grow in frequency and severity, especially as new technology emerges. While D&O and cyber liability policies offer distinct coverage differences, terms need to be carefully structured to avoid potential gaps.

Key Takeaways
  1. Following a cyber incident, any available D&O coverage is often dependent on the policy’s terms, conditions and exclusions.
  2. Cyber liability policies, meanwhile, provide broader first and third-party coverage for losses related to a cyber incident.
  3. A comprehensive cyber program, that includes both D&O and cyber liability policies, is crucial for optimal risk mitigation.

The cyber landscape remains active. Ransomware attacks remain significant, while enterprise data breaches rose to historic highs in 2023. Technology advancements, including generative artificial intelligence (AI), require directors and officers to remain vigilant as threat actors harness applications to drive new exposures.

Directors and officers (D&O) policyholders must have a clear grasp on how their policies will respond in the event of a cyber incident. This includes understanding the differences between how their D&O policy coverage differs from their cyber liability policy.

D&O Versus Cyber Liability

D&O:

A D&O policy provides coverage that arises from liability to a third party. The entity coverage for public companies is generally limited to securities claims, but private organizations’ coverage is broader. Coverage typically includes defense costs and damages awarded, or judgment and settlement amounts.

D&O Policy Terms and Conditions

Following a cyber incident, available D&O coverage will often depend on the policy’s exclusions. It’s imperative to have a clear understanding of the D&O policy terms and conditions:

  • Some insurers are attaching a specific cyber exclusion or confidential information exclusion to the D&O policy. These exclusions differ between the public and private sector.
  • D&O exclusions related to contractual violations, or certain unlawful conduct, could limit or negate coverage for cyber-related losses.
  • The bodily injury or property damage (BIPD) exclusion could also impact any cyber coverage. BIPD exclusion language can preclude coverage for cyber claims arising from bodily injury or property damage caused by an “invasion of privacy,” which is often a key allegation in cyber incident-related litigation.
Cyber Liability:

Cyber liability policies provide first and third-party coverage for business losses that are tied to a cyber incident. These coverages, which are not available under a D&O policy, include:

  • Costs to engage a breach counsel, to help companies understand what regulatory obligations they have and map out initial steps when remediating a cyber event
  • Hiring forensic professionals to determine incident magnitude
  • Expenses to notify stakeholders that their information has been compromised
  • Expenses to repair networks and systems impacted by the incident
  • Public relations efforts to manage business reputation
  • Other costs to repair a breach, mitigate liability and return operations to normal
  • Defense costs and damages associated with claims or investigations brought by third parties or regulatory bodies
  • Credit monitoring costs
  • Damages, settlements and judgments related to certain third-party liability due to a cyber event
  • Business interruption loss

D&O and Cyber Coverages: Public and Private Considerations

Public Companies

Public company cyber coverage under a D&O policy is typically limited to securities claims losses. Therefore, a corporate entity could have coverage for claims brought against it under its D&O policy when a cyber incident results in a shareholder lawsuit.

The policy may also cover claims brought against directors and officers for wrongful acts relating to mismanagement, improper disclosure or a breach of fiduciary duty relating to a cyber incident. However, the public D&O policy will likely not respond if a public company is sued by individuals seeking damages from a cyber incident, as in the case of a consumer class action. Depending on the complaint allegations, this would likely fall under a cyber policy’s third-party liability coverage. As with all D&O claims, coverage will be dependent upon the specific allegations and applicable coverage limitations, including carveouts from the “loss” definition for fines and penalties, as well as contractual liability or conduct exclusions.

“As cyber risks continue to become more complex, public company management teams and boards need to be on their front foot, particularly as the regulatory framework evolves,” says Timothy Fletcher, CEO of Aon’s Financial Services Group in the U.S. “A holistic review of D&O and cyber insurance programs is critical to ensure best in class coverage in the face of the potential financial implications emanating from a cyber event.”

The U.S. Securities and Exchange Commission recently recognized the importance of cyber security risk management transparency with investors and regulators under its Cybersecurity Disclosure Rules. The rules require public companies to:

  • Annually disclose information regarding cybersecurity risk management, strategy and governance.
  • Disclose material cybersecurity incidents generally four business days after determining that the incident is material.

Additionally, event-driven litigation presents significant exposure for corporate leadership. Cyber security and incidents are fertile ground for class action securities claims arising from claims of corporate mismanagement, some of which are in response to breaches and privacy violations.

Private Companies

Private company D&O policies are generally broader than public corporation forms. The coverage for the organization is not limited to securities claims and policies provide coverage for claims brought by customers, vendors, regulators, security-holders and other third parties.

If a private company with shareholders experiences a cyber incident, the company’s directors and officers could also face lawsuits brought by stakeholders or regulators, in addition to claims against the organization. As with public companies, directors and officers could additionally be sued for mismanagement, breach of fiduciary duty or liability resulting from wrongful acts in connection with a cyber incident.

Given the breadth of coverage under private company D&O policies, insurers are increasingly seeking to exclude coverage for cyber claims. These exclusions will vary and should be limited to the organization only, with exceptions for securities claims, including derivative lawsuits.

Quote icon

As cyber risks continue to become more complex, public company management teams and boards need to be on their front foot, particularly as the regulatory framework evolves.

Timothy Fletcher
CEO of Aon’s Financial Services Group in the U.S.

How D&O Covers Cyber Regulatory Investigation or Proceedings

When a business is under investigation or audit by the privacy commissioner (Canada) or regulatory investigation (U.S.) related to a cyber event, a D&O policy with regulatory investigations coverage could respond to cover individual directors and officers. This is provided they are acting in their capacity for defense costs arising from the investigation, in addition to the corporation.

However, a D&O policy will likely not provide coverage for the cost of individuals or corporations to comply with any order by the privacy commissioner, for example, which requires compliance with Canadian privacy legislation.

A public corporation is unlikely to have coverage under the D&O policy for a proceeding brought by the privacy commissioner or interested government body because the proceeding may not be a securities claim. Private D&O policies may respond to claims brought by regulators against the entity, but other policy limitations as mentioned previously may apply — most notably the entity cyber exclusion (if applicable) and fines and penalties excluded as part of loss.

The coverage available under the D&O policy for a proceeding involving individual D&Os or a private company will depend on the allegations. If it is alleged that individual insureds or a private company have violated legislation, the D&O policy could respond to cover defense costs, as well as damages or settlement amounts. However, if it is alleged that insureds are guilty of a willful violation of the privacy legislation, a D&O policy may respond to provide defense costs coverage until there is a final and binding determination of the wrongdoing.

Develop a Comprehensive Cyber Program with D&O and Cyber Liability

While D&O policy coverage has expanded over the years, cyber coverage available under a D&O policy is likely to be limited. The D&O policy does not include first-party coverage, nor is it intended to be the primary insurance policy meant to address liability claims brought by impacted third parties or regulators investigating potential violations of privacy protection laws.

Business interruption, forensic expert, notification cost and public relations coverages provided through a cyber liability policy are critical for businesses with cyber exposures. A cyber incident may not result in litigation every time. However, a company can expect to incur significant out-of-pocket costs to mitigate risk and get back up and running.

With more technology, comes more cyber incidents — and regulators, stakeholders and security holders must respond accordingly to combat the resulting reputational, business and financial harm. A key component of risk mitigation includes careful review of D&O policy terms and the purchase of a cyber insurance policy.

The cyber policy generally provides more comprehensive cyber incident coverage to individuals and corporations (both public and private), including first-party costs not available under a D&O policy. It’s also likely to preserve the limits of the D&O policy to respond to claims unrelated to cyber liability. Both policies, along with optimal wording to capture the exposures attenuated with cyber incidents, are crucial for optimal risk mitigation.

Aon’s Thought Leaders
  • Timothy Fletcher
    CEO of Aon’s Financial Services Group in the U.S.
  • Nicolas Reider
    Senior Vice President, Deputy D&O Product Leader, North America
  • Adam Furmanksy
    Deputy D&O Product Leader, North America
  • Shruti Engstrom
    Senior Vice President, E&O/Cyber, North America

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon's Better Being Podcast

Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.

Aon Insights Series UK

Expert Views on Today's Risk Capital and Human Capital Issues

Construction and Infrastructure

The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.

Cyber Labs

Stay in the loop on today's most pressing cyber security matters.

Cyber Resilience

Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.

Employee Wellbeing

Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.

Environmental, Social and Governance Insights

Explore Aon's latest environmental social and governance (ESG) insights.

Q4 2023 Global Insurance Market Insights

Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.

Regional Results

How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.

Human Capital Analytics

Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.

Insights for HR

Explore our hand-picked insights for human resources professionals.

Workforce

Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.

Mergers and Acquisitions

Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.

Navigating Volatility

How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?

Parametric Insurance

Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.

Pay Transparency and Equity

Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.

Property Risk Management

Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.

Technology

Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.

Top 10 Global Risks

Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.

Trade

Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.

Weather

With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.

Workforce Resilience

Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.

More Like This

View All
  • Better Decisions Brief: Responding to the CrowdStrike IT Outage

    Alert 3 mins

    Better Decisions Brief: Responding to the CrowdStrike IT Outage

    While the impact of today’s CrowdStrike outage is yet to be fully understood, it serves as an opportunity for C-suite and other business decision-makers to think through technology dependencies and the steps necessary to respond to this outage – as well as to mitigate related risks in future.

  • Insurance and the Metaverse: Safeguarding Virtual Assets

    Article 8 mins

    Insurance and the Metaverse: Safeguarding Virtual Assets

    Insurers are venturing into the thriving digital landscape of the Metaverse, covering virtual assets, safeguarding intellectual property, and protecting the wellbeing of users and avatars. With this evolution, comes new challenges and the unique opportunity to shape the future of insurance.

View All
Subscribe CTA Banner