Aon  |  Financial Services Group

How D&O Policies Respond to Cyber Attacks or Data Breaches

Release Date: April 2024

Cyber Attacks or Data Breaches are the number one risk facing organizations globally and are predicted to remain in this position in 2026, according to Aon’s Global Risk Management Survey. In this fraught environment, it is important for policyholders to have a clear grasp of how their directors & officers (D&O) policies respond in the event of a cyber incident, including potential coverage limitations and how their D&O policy differs from their cyber liability policy.

D&O vs. Cyber Liability

There are distinct differences between coverage under cyber liability and D&O liability policies. Cyber liability policies provide first-party coverage and third-party coverage for losses a business incurs tied to a cyber incident. These coverages are not available under a D&O policy, and can include:

  • Costs to engage breach counsel, helping companies understand what regulatory obligations they have and map initial steps to be taken when remediating a cyber event
  • Hiring forensic professionals to determine incident magnitude
  • Expenses to notify stakeholders that their information has been compromised
  • Expenses to repair networks and systems impacted by the incident
  • Public relations efforts to manage business reputation
  • Other costs to repair a breach, mitigate liability and return operations to normal
  • Defense costs and damages associated with claims or investigations brought by third parties or regulatory bodies
  • Credit monitoring costs
  • Damages, settlements and judgments related to certain third-party liability due to a cyber event
  • Business interruption loss


By contrast, a D&O policy provides coverage for third-party liability – i.e., amounts incurred by an individual or entity that arise from an entity’s, director’s or officer’s liability to a third party. The entity coverage afforded to public companies generally is limited to securities claims, while the entity coverage provided to private organizations is broader. Coverage typically includes defense costs and damages awarded, or judgment and settlement amounts.

In the event of a cyber incident, available D&O coverage will depend in large part on the policy’s exclusions, most notably whether a cyber or confidential information exclusion applies. Some insurers are attaching a specific cyber exclusion or confidential information exclusion to the D&O policy, and these exclusions, both in substance and utilization, differ between the public and private context. Additionally, D&O exclusions related to contractual violations, or certain unlawful conduct, could limit or preclude coverage for cyber-related losses. Notwithstanding any specific cyber exclusion, in the event of a cyber incident, the bodily injury or property damage (BIPD) exclusion could also affect coverage. The BIPD exclusion’s language can sometimes preclude coverage for cyber claims arising from bodily injury or property damage caused by an “invasion of privacy,” which is often a key allegation in cyber incident-related litigation. To the extent that such language appears in the BIPD exclusion, coverage may turn on how the BIPD exclusion’s lead-in is phrased. That lead-in could be worded broadly such that the exclusion applies to claims “based upon,” “arising from,” “directly or indirectly,” or “related to” a violation of privacy. Alternatively, the lead-in might be phrased narrowly such that the exclusion applies only to claims specifically “for” invasion of privacy.

The “for” language is preferred, as it will only exclude claims that directly allege “invasion of privacy,” while allowing coverage for other, more remote claims that might still be in some way related to or arise from a privacy incident. In addition, private company policy forms, which broadly cover the entity, will often apply the exclusion to the entity as well as the D&Os, so a securities claim carveback to the exclusion is necessary. Shareholders may allege that D&Os were negligent in not taking enough precautions to prevent the incident, or in mitigating reputational damage to the company after the incident. If the D&O policy’s BIPD exclusion excludes coverage for claims arising from an “invasion of privacy,” but does not contain absolute language, then it is likely that individual D&Os will have coverage for this type of shareholder claim. In the event of a financial insolvency, the “for” wording further protects the personal assets of the insured individuals in the event they are alleged to be responsible for the incident.

D&O and Cyber Coverages: Additional Public Company Considerations

For a public company, coverage for the entity under its D&O policy is typically limited to losses arising out of securities claims. Therefore, a corporate entity could have coverage for claims brought against the company under its D&O policy when a cyber incident results in a shareholder lawsuit. The policy may also afford coverage for claims brought against the D&Os of the company for wrongful acts relating to mismanagement, improper disclosure, or a breach of fiduciary duty relating to a cyber incident. However, the public D&O policy will likely not respond if a public company is sued by individuals seeking damages because they were affected by a cyber incident, as in the case of a consumer class action. Depending on the allegations of those types of complaints, coverage could be afforded under the third-party liability coverage in a cyber policy. As with all D&O claims, coverage will be dependent upon the specific allegations and applicable coverage limitations, such as carveouts from the “Loss” definition for fines and penalties, as well as contractual liability or conduct exclusions.

Public company D&Os have a duty to understand the ramifications of cybersecurity on their business, and to proactively design risk mitigation procedures and internal disclosure guidelines specific to their company’s unique cybersecurity needs. In the US, the Securities and Exchange Commission has recognized in its recent rulemaking the importance of company transparency with investors and regulators around cybersecurity risk management and the impact of cyber events. Additionally, event-driven litigation is a significant exposure for corporate leadership. Cybersecurity and cyber incidents are particularly fertile ground for the new wave of class action securities claims arising from claims of corporate mismanagement, some of which are in response to breaches and privacy violations.

If a public company experiences a cyber incident followed by a stock drop, its D&Os could face shareholder lawsuits. In one example of litigation arising from a cyber breach, the securities class action seeks to recover damages for alleged violations of the federal securities laws claiming that, throughout the class period, the company made materially false and/or misleading statements and/or failed to disclose that its end users had their personal information exposed.

Further allegations include that the company actively concealed this data breach for several months, violating the company’s purported data privacy and security policies. The complaint goes on to allege that the discovery of the wrongdoing could foreseeably subject the company to heightened regulatory scrutiny and that prior public statements were materially false and misleading. Following a major media outlet’s article exposing the private data of hundreds of thousands of users, the company’s stock price fell.

Public company D&O insurers are increasingly seeking additional information regarding companies’ corporate governance of cyber security, cyber incident response plans, oversight of third-party vendors involving the company’s data, and details regarding cyber insurance purchased.

D&O and Cyber Coverages: Additional Private Company Considerations

Private company D&O policies are generally broader than those available to public corporations, as the coverage for the organization is not limited to securities claims and the policies afford coverage for claims brought by customers, vendors, regulators, security-holders and other third parties. Although less common than for a public entity, if a private company with shareholders experiences a cyber incident, the company’s D&Os could also face lawsuits brought by stakeholders or regulators, in addition to claims against the organization. Additionally, as with public companies, D&Os may be sued for mismanagement, breach of fiduciary duty or liability resulting from wrongful acts in connection with a cyber incident.

Given the breadth of coverage under private company D&O policies, insurers are increasingly seeking to exclude coverage for cyber claims. Those exclusions will vary of course, and they should be limited to apply to the organization only, with exceptions for securities claims, including derivative lawsuits.

Coverage for Regulatory Investigation or Proceedings

Where a corporation is subject to an investigation or audit by the privacy commissioner (Canada) or a regulatory investigation (US) related to a cyber event, a D&O policy with regulatory investigations coverage could respond to cover defense costs arising out of the investigation, both for individual D&Os (provided they are acting in their capacity as such) and for the corporation, whether private or public.

However, a D&O policy will likely not provide coverage for the cost of individuals or corporations to comply with any order by the privacy commissioner requiring them to take measures to ensure compliance with Canadian privacy legislation.

A public corporation is unlikely to have coverage under the D&O policy for a proceeding brought by the privacy commissioner or interested government body because the proceeding may not be a securities claim. Private D&O policies may respond to claims brought by regulators against the entity, but other policy limitations as noted previously may apply – most notably the entity cyber exclusion (if applicable) and fines and penalties excluded as part of loss.

The coverage available under the D&O policy for a proceeding involving individual D&Os or a private company will depend on the allegations. If it is alleged that individual insureds or a private company have violated legislation, the D&O policy could respond to cover defense costs, as well as damages or settlement amounts. However, if it is alleged that insureds are guilty of a willful violation of the privacy legislation, a D&O policy may respond to provide defense costs coverage until there is a final and binding determination of wrongdoing.

Develop a Comprehensive Cyber Program with D&O and Cyber Liability

As companies and organizations become increasingly reliant upon technology, cyber incidents continue to grow in frequency. Regulators, stakeholders and security holders have responded to cyber incidents that result in reputational, business and financial harm. A key component of risk mitigation is a careful review of D&O policy terms and the purchase of a cyber insurance policy. The cyber policy generally provides more comprehensive cyber incident coverage to individuals and corporations (both public and private), including first-party costs not available under a D&O policy. Both policies, along with optimal wording to capture the exposures associated with cyber incidents, are crucial for optimal risk mitigation.

If you have questions or are interested in obtaining coverage, please contact your Aon broker.

Contact

Discuss this article with Financial Services Group professionals Adam Furmansky, Nicholas Reider, Catherine Padalino and Shruti Engstrom.

Adam Furmansky
Senior Vice President, Deputy D&O Product Leader – East
New York

Nicholas Reider
Senior Vice President, Deputy D&O Product Leader – West
Denver

Catherine Padalino
Managing Director, FSG Private and Nonprofit Practice Leader
Washington

Shruti Engstrom
Senior Vice President
New York

About Aon

Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues in over 120 countries and sovereignties provide our clients with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.

©2024 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.