As I have noted in prior posts on this site, cybersecurity issues can lead to D&O claims. In the following guest post, Rachel Soich, FCAS, MAAA, Consulting Actuary at Milliman, considers steps that companies can take to avoid cyber-related D&O costs. A prior version of this article previously was published in Milliman Insight. I would like to thank Rachel for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Rachel’s article.
There is no doubt the COVID-19 pandemic generated new and altered existing insurance risks. The work-from-home landscape has sparked an alarming surge in cyber risk. In fact, the number of ransomware attacks in the first half of 2021 already exceeds all of 2020. According to the Allianz risk barometer, cyber incidents rank third in the list of top 10 major business risks for 2021. These cyber risks pose additional risks to a company’s directors and officers. Alphabet Inc. (parent of Google) and Marriott are two high-profile examples of firms subject to cyber-related directors and officers (D&O) lawsuits. It is unclear how these lawsuits will fare in court. While the Marriott lawsuit was dismissed, the Google lawsuit was reinstated after being dismissed, potentially leaving the company on the hook for a nuclear verdict. One need look no further than the $80 million settlement for the Yahoo! data breach in the 2010s, as an example. There are three simple ways firms can avoid or reduce cyber-related D&O costs.
- Purchase cyber insurance
Every company has cyber risk, regardless of size or industry. Purchasing cyber insurance will safeguard firms against the cost of a catastrophic cyber event. However, cyber insurance policies are not equal and vary between insurers. Therefore, it is important for a firm to purchase a policy that meets its unique needs. Cyber insurance can cover a variety of costs, including direct costs associated with the incident, costs associated with restoring compromised data, business interruption costs due to the incident, and costs associated with not meeting contractual obligations (or errors and omissions coverage). Firms should actively work toward a tailored cyber policy that fits their specific needs.
Cyber insurance is becoming more costly in the market due to increased claim frequency and severity. In Q2 2021, cyber insurance rates in the U.S. increased 56%. This is expected to continue in future quarters.
While cyber insurance is experiencing hefty commercial rate increases, the cost for coverage pales in comparison to the cost of an uninsured catastrophic cyber event. Such an incident could result in company ruin. A 2018 study done by the National Cyber Security Alliance found that 60% of small businesses close within six months of a cyberattack. By purchasing cyber insurance, directors are taking vital steps to protect the financial health of the firm. It would be easy to argue that directors breached their fiduciary duties by failing to purchase a cyber insurance policy to cover the high costs of a cyber incident. Not having cyber insurance in place could leave directors potentially vulnerable to easily avoidable lawsuits.
- Have a comprehensive understanding of D&O policy-specific coverages and exclusions
D&O policies protect directors and officers from claims that arise out of their actions or behaviors. Public D&O policies also protect the entity from securities lawsuits. D&O policies may cover lawsuits against the directors or entity stemming from cyberattacks, but firms need to fully understand their policies, or any potential coverage gaps, before such an incident occurs. Some D&O policies could include a cyber exclusion that would preclude any coverage. These types of exclusions could be newly added to a policy as these risks grow, so it is important that firms review their policies at each renewal. Some D&O policies offer affirmative cover that would fill any cyber-related gaps in coverage. These types of policies would need to be discussed with the carrier.
In addition, the firm needs to ensure it has sufficient limits of D&O liability. A single securities claim could erode all available insurance limits, leaving no coverage for the individual directors. To address this situation, firms may want to consider purchasing Side A only coverage, ensuring directors have sufficient individual protections.
While there has been a high dismissal rate of cyber-related D&O claims, a case can only be dismissed after litigation has begun. Defense costs will have already been incurred. In other cases, firms choose to settle these lawsuits early simply to avoid the hassle and potential reputational harm. This could result in even higher losses. A proper D&O policy in place would ensure these costs are covered by the insurer and not the firm’s own pocket or the directors’ personal assets.
- Institute cyber risk prevention and mitigation strategies
A cyber risk management policy is a necessary step to protect the well-being of a firm. Some strategies could potentially help stop the cyberattack from occurring in the first place.
- Investing heavily in the firm’s security measures is an important step to preventing cyberattacks. This will help the firm to stay up to date on technologies and enhanced or new risks in the industry.
- Employee education and training programs are a simple step to improve awareness of phishing attempts and other cyberattacks firmwide.
- Including a cybersecurity expert on the board could also increase the awareness of cybersecurity risk management in the firm. This would ensure cybersecurity is considered among some of the most important decisions made by the firm.
However, cyber incidents still occur, and there are mitigation strategies for when they do. Purchasing cyber insurance is one example and has been discussed as a crucial step to ensure the firm has financial backing in the event of an incident. Another mitigation strategy is ensuring proper and prompt communication if an incident occurs. D&O claims arise when shareholders accuse directors of withholding significant (usually detrimental) information from them. If directors are prompt and open about their ongoing investigations and their findings, then this could reduce the risk of a D&O claim.
By implementing these cyber risk management strategies, directors can practice their due diligence and ensure adequate measures are taken to protect the firm and its investors. If the risk management prevention strategies are not enough to protect the firm from a cyberattack, then the mitigation steps could help the directors’ case that they met their fiduciary duties to the firm and the shareholders.
Cyber risks are continuing to grow in the industry, especially as the COVID-19 pandemic continues. No company is immune to cyber risk, so directors must make cybersecurity a priority and ensure that proper coverage and risk management strategies are in place. These actions need to be implemented before a cyber incident occurs, because by then, it could be too late.
 Cognyte (August 8, 2021). Ransomware Attack Statistics 2021 – Growth and Analysis. Retrieved September 26, 2021, from https://www.cognyte.com/blog/ransomware_2021/.
 Allianz. Allianz Risk Barometer: Identifying the Major Business Risks for 2021. Retrieved September 26, 2021, from https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/Allianz-Risk-Barometer-2021.pdf.
 LaCroix, K. (March 5, 2018). Yahoo settles data breach-related securities suit for $80 million. D&O Diary. Retrieved September 26, 2021, from https://www.dandodiary.com/2018/03/articles/securities-litigation/yahoo-settles-data-breach-related-securities-suit-80-million/.
 Lerner, M. (July 27, 2021). Commercial prices up average 15% globally in Q2: Marsh. Business Insurance. Retrieved September 26, 2021, from https://www.businessinsurance.com/article/20210727/NEWS06/912343506/Commercial-prices-up-average-15-globally-in-Q2-Marsh.
 Galvin, J. 60 percent of small businesses fold within 6 months of a cyber attack. Here’s how to protect yourself. Inc. Retrieved September 26, 2021, from https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html.
 AmWINS. Cyber Liability: The D&O Dilemma. Retrieved September 26, 2021, from https://www.amwins.com/docs/default-source/insights/clientadvisory_cyberliability-d-o-dilemma-3-17.pdf?sfvrsn=6653e85f_2#:~:text=Cyber%20Liability%20policies%20assist%20with,in%20response%20to%20a%20breach.&text=include%20coverage%20for%20services%20to,reputation%20recovery%20after%20a%20breach.