While cyber risks are nothing new, the increasing exposure that companies and their directors and officers (D&Os) face with respect to cybersecurity practices and disclosures is becoming ever more apparent. In November 2023, the New York State Department of Financial Services (DFS) adopted amendments (Amendments) to the DFS’s landmark Cybersecurity Requirements for Financial Services Companies (Regulation). In the most significant expansion of the Regulation since it became effective in March 2017, the Amendments substantially augment the cyber requirements with which covered financial services entities such as banks and insurers must comply.

Among others, the Amendments impose the following obligations on covered entities:

  • Mandatory reporting to the DFS of cybersecurity events at covered entities’ service providers; the deployment of ransomware within company systems; the payment of cyber ransoms; and detailed descriptions concerning such ransom payments, including all diligence performed to find alternatives and to ensure compliance with applicable rules and regulations, e.g., of the Office of Foreign Assets Control (OFAC).

  • Numerous internal governance requirements, including heightened upward reporting obligations imposed on CISOs, and mandatory cybersecurity oversight by a “senior governing body” (generally, a board of directors or committee thereof) that must: (i) have a sufficient understanding of cybersecurity-related matters to exercise such oversight, (ii) ensure that management develops, implements, and maintains the company’s cybersecurity program, (iii) regularly review management’s cybersecurity reports, and (iv) confirm that management has allocated sufficient resources to the cybersecurity program.

  • Independent cyber audits and other enhanced obligations with which large “Class A” companies must comply.

  • The development of various cyber-related written plans, policies, and procedures concerning, e.g., passwords; multi-factor authentication; asset inventorying; data encryption; system user monitoring and filtering designed to block malicious content; incident response plans and business continuity and disaster recovery plans; mandatory employee training; and vulnerability management, including regular cyber penetration testing.

  • Annual certification by the company’s CISO and most senior executive of material compliance with the Regulation.


D&O Insurance Implications: Much like the new SEC cyber disclosure requirements noted above, the Amendments similarly provide a foundation from which D&O claims might arise. These potential claims could involve regulatory investigations and penalties, as well as shareholder derivative claims in the event that, for example, a given entity’s non-compliance with the Regulation results in penalties levied by the DFS, or an entity’s ransom payment to threat actors violates OFAC regulations (as OFAC has suggested) and results in OFAC-levied penalties. The risks surrounding such claims are particularly acute given the recent surge in cyber-related D&O claims alluded to above, recent case law in Delaware confirming that corporate officers (not solely directors) have a duty to implement and monitor controls, which would include those required by the Amendments, and DFS penalties levied to date. To better mitigate these risks, financial institution insureds subject to the Regulation – just like all insureds – should regularly audit their D&O liability policies, understand the indemnification and officer-related provisions of their foundational documents and D&O policy language, consider dedicated Side A D&O coverage, and be prepared to discuss their cyber-related internal controls during the D&O underwriting process.

Overlapping coverage with a cyber policy and D&O: Depending on the facts and circumstances, a company may find that it is looking to both its cyber and D&O programs for potential coverage. There is no one-size-fits-all approach to potentially overlapping coverage, necessitating a detailed review of policy language against the facts and circumstances. Given the differences in the breadth of coverages in both cyber and D&O insurance policies, the overlap between these types of policies will vary. In the event there is potential overlap (e.g., because the cyber policy does not exclude securities claims and the D&O policy does not exclude cyber-related claims), the “Other Insurance” provisions could be important.

Implications for cyber policy coverage for fines and penalties: Cyber policy language varies from form to form as to what constitutes a regulatory proceeding and a fine, and such language often contains caveats around the insurability of fines/penalties. Inclusion of fines/penalties within the definition of “Loss” varies from form to form: some policies do not provide such coverage at all, while others do, but often with certain caveats or exceptions on breadth of coverage.

An experienced broker can help navigate these issues and aid in optimizing coverage for cyber-related D&O claims, determine if there is potential overlap with cyber coverage, and determine whether language concerning priority of either type of insurance program should be inserted into applicable “Other Insurance” provisions. A discussion about these issues with an experienced broker can assist in determining the best language for a particular company’s needs.

About

Aon plc (NYSE: AON) exists to shape decisions for the better—to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.

©2024 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.