Risk managers need to check D&O policies as cyber exposure multiplies

Following the massive data breach at US retailer Target in 2013, one of the biggest in US history, the company faced over 100 class action suits, according to a Department of Justice investigation and a Senate committee hearing. The breach also saw at least two shareholder derivative suits filed against Target's board and senior executives. The company's CEO resigned in 2014. The suits alleged that they failed to take adequate steps to protect against a cyber attack and prepare a response. Target is not the only company to be hit by a derivative lawsuit following a breach. Just months after Target was sued, shareholders in Wyndham Worldwide Corp brought a derivative lawsuit against certain directors and officers of the company, based upon three data breaches between 2008 and 2010.hideSome believe that these cyber-related shareholder derivative actions may be the start of a new wave of shareholder litigation in the US. In addition to the costs associated with handling a breach, companies may also suffer reputational damage as well as a knock-on effect of lower revenues or a fall in share price, potentially sparking shareholder litigation, explained James Tuplin, TMT Portfolio Manager at Australia-based insurer QBE. Companies and their directors are therefore open to potential shareholder lawsuits in the event of a data breach if it can be shown that they failed to take sufficient steps to protect the company from a security breach and its consequences. "So far derivative class actions have been the main method for bringing action against a company and its directors following a cyber breach, however it is only a matter of time before the plaintiff bar brings a class action," said Charles Boorman, Head of Financial Lines at QBE. "Shareholders seem to have been asleep to the potential downside risk of a data breach, but this won't continue. I would expect to see bigger payouts around data breaches on the back of class actions," he said. Such actions are likely to be covered under D&O policies. Specialist cyber and other insurances are likely to respond in the first instance, although D&O insurance should pick up secondary litigation brought by investors against a company and/or its directors, explained Mr Tuplin. "Cyber risk is a hot topic in the D&O market with large data breaches at firms like Home Depot, Sony, Target and JP Morgan," he explained. "Cyber is an emerging exposure for directors and officers and one that is growing, especially in the US where we are beginning to see claims for data breaches" added Mr Tuplin. D&O insurance is silent on cyber risk. Historically, policies do not specifically include or exclude it. However, there is always a potential for more explicit language on cyber as brokers and clients seek reassurance that cover is in place. Growing interest in cyber exposures means that risk managers may have to provide more information when arranging D&O insurance. "Risk managers should be prepared for the possibility of more questions from the D&O market around what a company and its directors are doing on cyber," said Mr Tuplin. "Underwriters may ask if there is a specific cyber response plan, how cyber risks are reported to the board and links between IT security and the board," he said. Risk managers should check exclusions in D&O policies carefully for unintended consequences, advises Francis Kean, Executive Director in Willis' FINEX Global operation. For example exclusions for professional services, property damage, prior claims and circumstances and fines and penalties all have the potential to remove useful and legitimate cyber cover. He also suggests that buyers examine sub limits, which can be disguised as 'adds-ons' while companies should also check that regulatory investigation protection is suitable. Cyber exposures, and how the boards and directors respond to the risk, are also of growing interest to regulators. In the US, the Securities and Exchange Commission (SEC) issued guidance in 2011 to public companies about their disclosure obligations for cyber security risks and cyber-incidents. In a June 2014 speech SEC Commissioner Luis Aguilar clearly stated that cyber risk should be part of a board's overall risk oversight. "Ensuring the adequacy of a company's cyber security measures needs to be a critical part of a board of director's risk oversight responsibilities," he said. Regulators outside the US have followed the SEC example. This week the UK regulator elevated its focus on financial crime in the financial services industry after writing to firms in 2013 requesting details of their approach to cyber risk. The regulator is also working with HM Treasury on 'visibility of IT resilience and risks at board level' and on addressing cyber risk. Directors need to apply their minds to the problem of cyber risk in a diligent and appropriate manner, according to Mr Kean. "The steps directors take to inform themselves of the risks posed to their companies and to mitigate these risks will form the main planks of both their individual and their collective defences when-rather than if-something bad happens. If they do nothing, they will have little or no defence or excuse," he said. Mr Kean advises directors and risk managers to look at recently updated guidance published by HM Government-Cyber security skills: a guide for business. "It is a useful summary of good practice and also contains some links to a variety of helpful resources," he said. Cyber risk in the D&O context is not limited to data breaches, warned Mr Kean. "For most companies cyber risk poses an almost infinite variety of risks and threats. Data theft is but one obvious example," he said. "Whenever there is a major problem with attendant financial and reputational damage to say nothing of physical damage, computer systems may well be involved. Whether these are all characterised as cyber threats problems or incidents is not really the point," he said. "From a director responsibility perspective, the key is to have oversight of all the major risks facing the company. Cyber risk in all its many guises is likely to be a vital element of that overall risk for almost any company," said Mr Kean.

Risk managers need to check D&O policies as cyber exposure multiplies

Want to read this article?

Read Next

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

Want to read this article?

Read Next

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

Related Articles