Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ

This insight is part 04 of 11 in this Collection.

July 24, 2024 (8 min read)

Cyber incidents continue to grow in frequency and severity, especially as new technology emerges. While D&O and cyber liability policies offer distinct coverage differences, terms need to be carefully structured to avoid potential gaps.

Key Takeaways
  1. Following a cyber incident, any available D&O coverage is often dependent on the policy’s terms, conditions and exclusions.
  2. Cyber liability policies, meanwhile, provide broader first and third-party coverage for losses related to a cyber incident.
  3. A comprehensive cyber program that includes both D&O and cyber liability policies is crucial for optimal risk mitigation.

The cyber landscape remains active. Ransomware attacks remain significant, while enterprise data breaches rose to historic highs in 2023. Technology advancements, including generative artificial intelligence (AI), require directors and officers to remain vigilant as threat actors harness applications to drive new exposures.

Directors' and officers' (D&O) policyholders must have a clear grasp of how their policies will respond in the event of a cyber incident. This includes understanding how their D&O policy coverage differs from their cyber liability policy coverage.

D&O Versus Cyber Liability

D&O:

A D&O policy provides coverage that arises from liability to a third party. The entity coverage for public companies is generally limited to securities claims, but private organizations’ coverage is broader. Coverage typically includes defense costs and damages awarded, or judgment and settlement amounts.

D&O Policy Terms and Conditions

Following a cyber incident, available D&O coverage will often depend on the policy’s exclusions. It’s imperative to have a clear understanding of the D&O policy terms and conditions:

  • Some insurers are attaching a specific cyber exclusion or confidential information exclusion to the D&O policy. These exclusions differ between the public and private sectors.
  • D&O exclusions related to contractual violations or certain unlawful conduct could limit or negate coverage for cyber-related losses.
  • The bodily injury or property damage (BIPD) exclusion could also impact any cyber coverage. BIPD exclusion language can preclude coverage for cyber claims arising from bodily injury or property damage caused by an “invasion of privacy,” which is often a key allegation in cyber incident-related litigation.

Cyber Liability:

Cyber liability policies provide first and third-party coverage for business losses that are tied to a cyber incident. These coverages, which are not available under a D&O policy, include:

  • Costs to engage a breach counsel to help companies understand what regulatory obligations they have and map out initial steps when remediating a cyber event
  • Hiring forensic professionals to determine the incident magnitude
  • Expenses to notify stakeholders that their information has been compromised
  • Expenses to repair networks and systems impacted by the incident
  • Public relations efforts to manage business reputation
  • Other costs to repair a breach, mitigate liability and return operations to normal
  • Defense costs and damages associated with claims or investigations brought by third parties or regulatory bodies
  • Credit monitoring costs
  • Damages, settlements and judgments related to certain third-party liability due to a cyber event
  • Business interruption loss

D&O and Cyber Coverages: Public and Private Considerations

Public Companies

Public company cyber coverage under a D&O policy is typically limited to securities claims losses. Therefore, a corporate entity could have coverage for claims brought against it under its D&O policy when a cyber incident results in a shareholder lawsuit.

The policy may also cover claims brought against directors and officers for wrongful acts relating to mismanagement, improper disclosure or a breach of fiduciary duty relating to a cyber incident. However, the public D&O policy will likely not respond if a public company is sued by individuals seeking damages from a cyber incident, as in the case of a consumer class action. Depending on the complaint allegations, this would likely fall under a cyber policy’s third-party liability coverage. As with all D&O claims, coverage will be dependent upon the specific allegations and applicable coverage limitations, including carveouts from the “loss” definition for fines and penalties, as well as contractual liability or conduct exclusions.

“As cyber risks continue to become more complex, public company management teams and boards need to be on their front foot, particularly as the regulatory framework evolves,” says Timothy Fletcher, CEO of Aon’s Financial Services Group in the U.S. “A holistic review of D&O and cyber insurance programs is critical to ensure best in class coverage in the face of the potential financial implications emanating from a cyber event.”

The U.S. Securities and Exchange Commission recently recognized the importance of cyber security risk management transparency with investors and regulators under its Cybersecurity Disclosure Rules. The rules require public companies to:

  • Annually disclose information regarding cybersecurity risk management, strategy and governance.
  • Disclose material cybersecurity incidents generally four business days after determining that the incident is material.

Additionally, event-driven litigation presents significant exposure for corporate leadership. Cyber security failures and incidents are fertile ground for securities class actions alleging corporate mismanagement, some of which are brought in response to breaches and privacy violations.

Private Companies

Private company D&O policies are generally broader than public corporation forms. The coverage for the organization is not limited to securities claims; these policies also cover claims brought by customers, vendors, regulators, security-holders and other third parties.

If a private company with shareholders experiences a cyber incident, the company’s directors and officers could also face lawsuits brought by stakeholders or regulators, in addition to claims against the organization. As with public companies, directors and officers could additionally be sued for mismanagement, breach of fiduciary duty or liability resulting from wrongful acts in connection with a cyber incident.

Given the breadth of coverage under private company D&O policies, insurers are increasingly seeking to exclude coverage for cyber claims. These exclusions will vary and should be limited to the organization only, with exceptions for securities claims, including derivative lawsuits.

How D&O Covers Cyber Regulatory Investigation or Proceedings

When a business is under investigation or audit by the privacy commissioner (Canada) or a regulatory investigation (U.S.) related to a cyber event, a D&O policy with regulatory investigations coverage could respond to cover defense costs arising from the investigation for individual directors and officers, provided they were acting in their insured capacity, as well as for the corporation.

However, a D&O policy will likely not provide coverage for the cost of individuals or corporations to comply with any order by the privacy commissioner, for example, which requires compliance with Canadian privacy legislation.

A public corporation is unlikely to have coverage under the D&O policy for a proceeding brought by the privacy commissioner or interested government body because the proceeding may not be a securities claim. Private D&O policies may respond to claims brought by regulators against the entity, but other policy limitations, as mentioned previously, may apply — most notably the entity cyber exclusion (if applicable) and fines and penalties excluded as part of the loss.

The coverage available under the D&O policy for a proceeding involving individual D&Os or a private company will depend on the allegations. If it is alleged that individual insureds or a private company have violated the legislation, the D&O policy could respond to cover defense costs, as well as damages or settlement amounts. However, if it is alleged that insureds are guilty of a willful violation of the privacy legislation, a D&O policy may respond to provide defense costs coverage until there is a final and binding determination of the wrongdoing.

Develop a Comprehensive Cyber Program with D&O and Cyber Liability

While D&O policy coverage has expanded over the years, cyber coverage available under a D&O policy is likely to be limited. The D&O policy does not include first-party coverage, nor is it intended to be the primary insurance policy meant to address liability claims brought by impacted third parties or regulators investigating potential violations of privacy protection laws.

Business interruption, forensic expert, notification cost and public relations coverages provided through a cyber liability policy are critical for businesses with cyber exposures. A cyber incident may not result in litigation every time. However, a company can expect to incur significant out-of-pocket costs to mitigate risk and get back up and running.

With more technology comes more cyber incidents — and regulators, stakeholders and security holders must respond accordingly to combat the resulting reputational, business and financial harm. A key component of risk mitigation includes a careful review of D&O policy terms and the purchase of a cyber insurance policy.

The cyber policy generally provides more comprehensive cyber incident coverage to individuals and corporations (both public and private), including first-party costs not available under a D&O policy. It is also likely to preserve the limits of the D&O policy to respond to claims unrelated to cyber liability. Both policies, along with optimal wording to capture the exposures arising from cyber incidents, are crucial for optimal risk mitigation.

Aon’s Thought Leaders
  • Timothy Fletcher
    CEO, Financial Services Group, U.S.
  • Nick Reider
    Senior Vice President, Deputy D&O Product Leader, North America
  • Adam Furmansky
    Deputy D&O Product Leader, North America
  • Shruti Engstrom
    Senior Vice President, E&O/Cyber, North America
