The cyber landscape remains active. Ransomware attacks remain significant, while enterprise data breaches rose to historic highs in 2023. Technology advancements, including generative artificial intelligence (AI), require directors and officers to remain vigilant as threat actors harness applications to drive new exposures.
Directors' and officers' (D&O) policyholders must have a clear grasp of how their policies will respond in the event of a cyber incident. This includes understanding how their D&O policy coverage differs from their cyber liability policy.
A D&O policy provides coverage that arises from liability to a third party. The entity coverage for public companies is generally limited to securities claims, but private organizations’ coverage is broader. Coverage typically includes defense costs and damages awarded, or judgment and settlement amounts.
D&O Policy Terms and Conditions
Following a cyber incident, available D&O coverage will often depend on the policy’s exclusions. It’s imperative to have a clear understanding of the D&O policy terms and conditions:
Cyber liability policies provide first and third-party coverage for business losses that are tied to a cyber incident. These coverages, which are not available under a D&O policy, include:
Public company cyber coverage under a D&O policy is typically limited to securities claims losses. Therefore, a corporate entity could have coverage for claims brought against it under its D&O policy when a cyber incident results in a shareholder lawsuit.
The policy may also cover claims brought against directors and officers for wrongful acts relating to mismanagement, improper disclosure or a breach of fiduciary duty relating to a cyber incident. However, the public D&O policy will likely not respond if a public company is sued by individuals seeking damages from a cyber incident, as in the case of a consumer class action. Depending on the complaint allegations, this would likely fall under a cyber policy’s third-party liability coverage. As with all D&O claims, coverage will be dependent upon the specific allegations and applicable coverage limitations, including carveouts from the “loss” definition for fines and penalties, as well as contractual liability or conduct exclusions.
“As cyber risks continue to become more complex, public company management teams and boards need to be on their front foot, particularly as the regulatory framework evolves,” says Timothy Fletcher, CEO of Aon’s Financial Services Group in the U.S. “A holistic review of D&O and cyber insurance programs is critical to ensure best in class coverage in the face of the potential financial implications emanating from a cyber event.”
The U.S. Securities and Exchange Commission recently recognized the importance of cyber security risk management transparency with investors and regulators under its Cybersecurity Disclosure Rules. The rules require public companies to:
Additionally, event-driven litigation presents significant exposure for corporate leadership. Cyber security failures and incidents are fertile ground for securities class actions alleging corporate mismanagement, some of them filed in response to breaches and privacy violations.
Private company D&O policies are generally broader than public corporation forms. The coverage for the organization is not limited to securities claims, and policies provide coverage for claims brought by customers, vendors, regulators, security holders and other third parties.
If a private company with shareholders experiences a cyber incident, the company’s directors and officers could also face lawsuits brought by stakeholders or regulators, in addition to claims against the organization. As with public companies, directors and officers could additionally be sued for mismanagement, breach of fiduciary duty or liability resulting from wrongful acts in connection with a cyber incident.
Given the breadth of coverage under private company D&O policies, insurers are increasingly seeking to exclude coverage for cyber claims. These exclusions will vary and should be limited to the organization only, with exceptions for securities claims, including derivative lawsuits.
When a business is under investigation or audit by the privacy commissioner (Canada) or a regulatory investigation (U.S.) related to a cyber event, a D&O policy with regulatory investigations coverage could respond to cover defense costs arising from the investigation for individual directors and officers, provided they are acting in their insured capacity, and for the corporation as well.
However, a D&O policy will likely not provide coverage for the cost of individuals or corporations to comply with any order by the privacy commissioner, for example, which requires compliance with Canadian privacy legislation.
A public corporation is unlikely to have coverage under the D&O policy for a proceeding brought by the privacy commissioner or interested government body because the proceeding may not be a securities claim. Private D&O policies may respond to claims brought by regulators against the entity, but other policy limitations, as mentioned previously, may apply — most notably the entity cyber exclusion (if applicable) and fines and penalties excluded as part of the loss.
The coverage available under the D&O policy for a proceeding involving individual D&Os or a private company will depend on the allegations. If it is alleged that individual insureds or a private company have violated the legislation, the D&O policy could respond to cover defense costs, as well as damages or settlement amounts. However, if it is alleged that insureds are guilty of a willful violation of the privacy legislation, a D&O policy may respond to provide defense costs coverage until there is a final and binding determination of the wrongdoing.
While D&O policy coverage has expanded over the years, cyber coverage available under a D&O policy is likely to be limited. The D&O policy does not include first-party coverage, nor is it intended to be the primary insurance policy meant to address liability claims brought by impacted third parties or regulators investigating potential violations of privacy protection laws.
Business interruption, forensic expert, notification cost and public relations coverages provided through a cyber liability policy are critical for businesses with cyber exposures. A cyber incident may not result in litigation every time. However, a company can expect to incur significant out-of-pocket costs to mitigate risk and get back up and running.
With more technology comes more cyber incidents — and regulators, stakeholders and security holders must respond accordingly to combat the resulting reputational, business and financial harm. A key component of risk mitigation includes a careful review of D&O policy terms and the purchase of a cyber insurance policy.
The cyber policy generally provides more comprehensive cyber incident coverage to individuals and corporations (both public and private), including first-party costs not available under a D&O policy. It's also likely to preserve the limits of the D&O policy to respond to claims unrelated to cyber liability. Both policies, along with optimal wording to capture the exposures arising from cyber incidents, are crucial for optimal risk mitigation.