When I was the editor of National Underwriter at the dawn of this decade, the notion of cyber risk was not even on the radar of most board directors and even some company officers. Yet less than seven years later, I can’t cite an exposure causing a greater degree of anxiety among those at the top of the corporate pyramid.
Indeed, a sense of dread about how far up the ladder such liabilities could rise was palpable throughout the Risk and Insurance Management Society’s recent annual conference, where one of the many cyber sessions I attended was ominously entitled: "Protecting your board directors and executives from a cyber nightmare."
D&O coverage scrutiny increasing
Board members and the officers they are entrusted to oversee are becoming increasingly agitated and inquisitive about cyber risk management efforts at their companies — particularly when it comes to insuring them against derivative lawsuits that could be prompted by a major event. As a result, those charged with buying commercial insurance, along with their brokers and insurance carriers, should expect intense scrutiny about the adequacy of cyber coverage, since data breaches, ransomware attacks, and other technology-related exposures may put directors in the crosshairs of plaintiff attorneys.
Part of the problem is that it’s difficult for directors to claim ignorance of cyber threats these days, given all the publicity surrounding the theft of personal data and high-profile incidents of hackers holding a company’s tech systems hostage. However, there is apparently far less clarity about whether corporate board members may be individually exposed to lawsuits in the aftermath of a cyberattack, and if so whether standard directors and officers (D&O) insurance covers emerging cyber-related liabilities.
Perhaps the most prominent potential “nightmare” scenario keeping directors up at night is the likelihood of shareholder lawsuits if a cyberattack negatively impacts a company’s stock price. But those at the RIMS conference cited a number of other possible exposures involving claims of negligence, with directors being held accountable for overseeing the adequacy of their company’s cyber risk management efforts.
For example, litigation could conceivably result if a company:
▪ Neglects to notify affected stakeholders about a cyber breach in a timely manner — including customers, business partners and regulatory authorities.
▪ Lacks robust risk management and training programs to prevent and mitigate cyber losses — or, if it does have a plan in place, fails to follow or enforce its own loss control protocols, resulting in a breach.
▪ Fails to live up to regulatory certifications about its cyber security and recovery capabilities.
▪ Declines to purchase cyber insurance — or even if the company did buy such coverage, either the policy lacked adequate limits or left a key liability exposed.
Carefully review policies
Risk managers and their brokers should therefore be going over D&O policies with a fine-tooth comb, presenting multiple threat scenarios and asking how their insurers would respond to a claim. Companies might consider buying wrap-around coverage adding cyber risks to an existing policy that is otherwise “silent” on such exposures.
(As an aside, during the RIMS conference I heard that even if D&O carriers are willing to name cyber as a covered contingency, they may still exclude those risks unless a company also purchases specific cyber insurance for their other property and general liability exposures.)
In any case, corporate risk managers should be working closely with their compliance department to help respond to the likelihood of growing (and sometimes conflicting) regulatory demands when it comes to cyber exposures. One example cited was marketing material and documents prepared for investors. If such publications cite a company’s cyber risk management as "state of the art" or some similarly reassuring characterization, that high standard had better be easily documented and demonstrable — especially with regulators starting to require certifications about the adequacy of cyber risk management programs.
At the conference I heard that risk managers should pay particularly close attention to potential cyber exposures during mergers and acquisitions, both in terms of security gaps that could emerge while integrating an acquired company’s systems, as well as during the due diligence phase, when confidential data is being shared by multiple parties.
Desperately seeking cyber expertise
One positive trend is that more boards are reportedly looking to add members with cyber expertise — although the talent shortage in the information technology field in general, and cyber security in particular, could make such a laudable goal difficult to fulfill. In the interim, a lack of internal know-how puts additional pressure on a company’s risk manager, insurance broker, and legal department to anticipate and close any potential coverage gaps that could leave directors and officers vulnerable.
These concerns are likely to become more acute over time thanks to a variety of contributing factors, such as the rise of geopolitically motivated hacking as well as the rapid expansion of the Internet of Things. Increased connectivity means more potential cyberattack entry points to worry about.
Complicating matters is the fact that cyber coverage in D&O and other standard policies remains a work in progress. Insurers are still testing the waters in this promising but problematic growth market, struggling to come to grips with a constantly evolving exposure. That means neither buyers nor brokers can afford to take anything for granted on cyber risks. The broader and more specific coverage a risk manager and broker can negotiate, the better — at least until there is more standardization in how insurers write cyber, and both sides gain experience and confidence in recognizing and accounting for such exposures.
(For more on how insurers and corporate buyers might go about overcoming these and other obstacles hindering the cyber market’s development, see the research report I recently published on Deloitte University Press, "Demystifying Cyber Insurance," co-authored by my colleague, Adam Thomas, a principal in Deloitte’s Cyber Risk Services team.)
Sam J. Friedman (email@example.com) is insurance research leader with Deloitte’s Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.