Cyber Events: an Evolving Exposure for D&O Underwriters

Cyber events are increasingly in the news, contributing to the booming growth of cyber liability insurance products. But what about the impact of cyber events on other insurance coverages, and more specifically, on Directors & Officers (D&O) insurance? How can a cyber event impact the directors and officers of a company, and therefore its D&O policy? Here are a few examples:

  • Members of the C-suite are becoming more accountable for cyber events. Last summer, the CIO of the U.S. Office of Personnel Management was subject to tough questioning by Congress regarding a breach earlier that year, which included a call for the CIO’s resignation. The CIO also faces a lawsuit for failing to protect employee information. Holding corporate officers to account following a cyber event leads to the assumption that they have a fiduciary duty – potentially impacting a D&O policy.
  • As settlement amounts increase for derivative lawsuits, these actions are becoming more attractive to the plaintiffs' bar. As data breaches continue to make headlines, there is a continuous stream of opportunities to sue directors and officers for breach of fiduciary duty. So far there has been limited success, as suits against Heartland Payment Systems and the hotel group Wyndham have been dismissed by the courts. However, Target still has a suit pending, and in September 2015 a shareholder derivative lawsuit was filed against the directors and officers of Home Depot for breach of their fiduciary duties. In a blog post dated September 9, 2015, Kevin LaCroix noted that one of the interesting things about this complaint is that the plaintiff contends that prior large breaches should have provided “fair warning that Home Depot could expect much the same.”

In response to the heightened awareness of cyber-related D&O exposure, some boards are actively seeking to add members with cyber security knowledge. It is becoming clear that it is in the best interest of boards to put cyber security at the forefront of their concerns.

So how do D&O underwriters consider this emerging exposure in their risk analysis? In the absence of any meaningful recoveries on a D&O policy as a result of a cyber event, most D&O underwriters are aware of the exposure to some degree, but are not necessarily evaluating or pricing for the risk.

Given the current levels of competition in the D&O market and in the absence of any significant cyber-related D&O losses, we are unlikely to see any proactive measures of substance. However, underwriters are well advised to consider cyber security in their underwriting analysis. At a minimum there should be questions on the application that determine whether the directors and officers are aware of their companies’ cyber exposure and are proactive in their approach to cyber security. Where possible, the D&O underwriter should work in conjunction with cyber liability underwriters to gauge the amount and type of cyber exposure, and to ascertain what will be covered under the D&O policy, as well as to address any potential aggregation across both coverages.

To quote Miguel de Cervantes: “To be prepared is half the victory.”

To contact the author of this article, Catherine Rudow, click here.

The views and opinions expressed above are those of the author alone and do not necessarily reflect those of PartnerRe nor do they constitute legal or professional advice.
