How D&O insurance can help protect against cyber-related liability
The continuing evolution in the risk, breadth, and nature of cyber-attacks has made cyber risk a standing topic in many boardrooms. Beyond the immediate financial losses and operational disruption suffered by the business, directors and officers may face shareholder litigation alleging negligence, potentially exposing them to personal liability.
Cybersecurity responsibilities of a board
The line between the company's liabilities and duties for its cyber-related controls and those of its board of directors is increasingly blurred. Regulators are seeking to hold boards accountable for failures in data, privacy, or network security governance and, as a result, cyber events consistently rank among the top risks in surveys of directors.
Typically, the board is responsible for overseeing accurate and timely reporting of cyber risks, appropriate cybersecurity policies, and data protection controls. In the event of a cyber-attack, senior management must notify the relevant authorities, as well as the individuals and businesses who may be affected. Under GDPR, for example, organisations must notify the relevant supervisory authority, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to pose a high risk to individuals, the organisation must also notify those individuals without undue delay.
Potential D&O fallout from a cyber-attack
The consequences of a cyber event can be exacerbated by the following failings on the part of directors:
- Poor preparation and risk management
- Slow or ineffective response
- Legal and regulatory non-compliance
- Poor stakeholder communication
- Inadequate recovery planning
- Cultural and leadership failures
If a cybersecurity event occurs, the board may be scrutinised for failures, errors, or weaknesses in its response, and for its earlier assessment of cyber-related risk and its insurance purchasing decisions. Resulting claims commonly involve:
- Breach of duty
- Negligence and mismanagement
- Failure to comply with regulatory requirements
- Drop in share price and lost revenues
- Insolvency and financial losses
- Purchasing inappropriate cyber insurance, or reviewing it insufficiently
Insurance considerations
A comprehensive insurance programme addressing both D&O and cyber risks is essential. Transferring risk through cyber insurance is an effective way to protect against catastrophic losses and the costs associated with a cyber event. Policies must be reviewed regularly to ensure that coverage keeps pace with evolving threats and the organisation's risk exposure.
Event-driven D&O claims are not new. However, recent high-profile breaches have highlighted the potential for cyber events to result in regulatory actions, civil lawsuits, and criminal proceedings – arguably transforming the scope of D&O-related responsibilities and liabilities.
For mismanagement claims arising out of a cyber incident, D&O insurance may provide coverage for:
- Costs associated with regulatory investigations
- Costs associated with shareholder litigation
- Civil fines and penalties imposed by regulators, where these are insurable by law and covered under the policy wording
Insurance recommendations
It is critical that organisations pay close attention to how their D&O and cyber policies are structured and how the two interact. The two forms of cover differ in important ways, and their terms and wordings need to be reviewed carefully to avoid gaps and overlaps.
Cyber insurance responds to the costs of the incident itself, an area of technical complexity that requires specialised knowledge and robust controls. D&O insurance, by contrast, primarily protects board members from liability arising from their managerial decisions, and its wording should reflect the current legal environment. Board members may also face legal challenges alleging that the cyber insurance programme they approved was not fit for purpose.
D&O policyholders must understand clearly how their policy will respond in the event of a cyber incident, as D&O policies can contain cyber exclusions. Both policies should use clear wording, and the response of each should be stress-tested against realistic incident scenarios before an incident occurs.
Taking the following steps can help boards strengthen resilience and turn cybersecurity into a competitive advantage:
- Make cybersecurity a strategic priority, embedding it within governance structures and routinely assessing security policies and compliance frameworks.
- For sensitive data, implement robust data classification and data loss prevention (DLP) controls.
- Regularly refresh employee training and awareness of cyber threats.
- Allocate sufficient financial and technological resources to cybersecurity initiatives.
- Document the steps that senior management has taken to prevent an attack or data breach.
- Maintain a centralised register of third-party suppliers and partners, and vet their cybersecurity controls on an ongoing basis.
- Establish and rehearse thorough contingency, crisis, and business interruption plans.
- Consider appointing a director with a cyber background or forming a separate committee dedicated to cyber risk management.
- Liaise with brokers and other insurance professionals regarding cyber and D&O coverage, and how they interact.
For further advice on how we can help your business secure appropriate D&O insurance, visit our Management Liability page. For more information, please contact:
Jo Newman, Senior Vice President, Lockton
Lucy Scott, Partner, Lockton
Michael Lea, Partner, Head of Management Liability
Disclaimer
The views and opinions expressed in this guest blog are those of the author and do not necessarily reflect the official policy or position of PIMFA. The author and their firm are clearly identified and responsible for the content provided.