D&O and Cyber Liability: A Complex Relationship

In 2024, every industry was under siege from cyberattacks, according to Forbes. The only constant in the cyber environment is that threats continue to change, the report said, and every company has to be prepared.
Being unprepared for a cyberattack can lead not only to a company’s financial ruin but also to personal exposure for the company’s directors and officers.
“Directors & officers exposure from cyber events can take many forms, but it all stems from allegations that the directors and officers breached their fiduciary duty to adequately maintain and monitor security infrastructure and cybersecurity controls, leading to a cyber vulnerability,” says Ziad Kubursi, head of financial institutions, executive liability and transactional risk, The Hartford.
While D&O and cyber liability policies offer distinct coverage differences, many companies mistakenly believe they do not require separate policies. “Understanding how these policies work, including what triggers coverage under each, is the key to managing a coordinated response across different types of policies,” Kubursi says. “D&O coverage focuses more on defending the organization or its directors and officers against claims that they failed to implement appropriate security controls or failed to adequately disclose information.”

“Cyber insurance, on the other hand, focuses more on responding to the event itself, helping to identify the extent of the breach, getting systems back online, and managing and mitigating the exposure to minimize further operational, reputational and financial exposure,” Kubursi explains.
The aftermath of a cyberattack can leave the leadership of any company personally vulnerable. Agents can ensure clients have the coverage they need to protect themselves from a D&O claim that stems from a cyber event.
“One thing our clients understand is that insurance products are one piece of the puzzle,” says Tim Foody, executive lines practice leader, Risk Placement Services (RPS). “For cyber, an insurance policy is best paired with an overall commitment to robust cyber hygiene. D&O coverage is a key part of risk management, along with solid indemnification agreements and a healthy balance sheet.”
A lack of a cyber liability policy not only leaves a company exposed to an incident but can also “leave the company in the dark without a partner that can inform them of best practices and help manage them through these complex things,” says Jim Rizzo, product leader, U.S. D&O, executive risk, Beazley. “If a client isn’t properly prepared for a cyber event, it can result in a complex series of matters that potentially involve property, business interruption, D&O, general liability and employment practices liability insurance (EPLI). All matters may come with a variety of considerations and may ultimately lead to event-driven litigation.”
Expert support is a key component of cyber coverage, echoes Patricia Kocsondy, head of global cyber digital risks at Beazley. “One of the main reasons agents recommend that clients buy separate cyber insurance coverage, regardless of whether they’re a public company or not, is so that they can get access to the incident response capability that the insurance community has to offer,” Kocsondy says. “There are many companies that don’t have the capability to respond to a cyber event—it’s something that you don’t want to have to worry about in that pressure-cooker situation.”
With separate cyber coverage, “the chances are that a client will have a better shot at standing up to any kind of scrutiny in terms of how they handled cyber advice if they get access to that extra expert advice in the moment,” Kocsondy says.
While not every cyber event leads to a D&O claim, “close to 50% of companies experience a D&O claim after a significant cyber event,” says Michael Theberge, professional lines producer at Jencap. “They are very closely correlated, so much so that some carriers are starting to implement cyber controls and policies that a company has to have in place in developing the rating and underwriting of D&O risks.”
Agents can warn clients of the most common types of D&O claims from a cyber event, such as “a breach of fiduciary duty or a breach of oversight duty because they didn’t maintain proper cyber policies and procedures like they should have,” Theberge says, “as well as claims resulting from negligence and misrepresentations in financial statements or criminal actions when directors or officers are committing fraud.”
Additionally, when it comes to who is covered under a D&O policy, “some policies have a difference in how they determine who their directors and officers are,” Rizzo says.
However, a key role agents should seek to include in the D&O policy is the chief information security officer (CISO).
“On the cyber side, we hear a lot from CISOs that they are concerned about their liability,” Kocsondy says. “It’s a very challenging role to do—one that agents and brokers can help educate their clients about and make sure the CISOs get the protection they’re looking for under a D&O policy for allegations or claims.”
Olivia Overman is IA content editor.