Between 2008 and 2010, inadequate security procedures at Wyndham Worldwide led to the compromise of more than 500,000 payment card accounts. Last December, Target announced that hackers had stolen credit and debit card information for 70 million customers.
Besides global notoriety, what do these two data breaches have in common?
Both resulted in shareholder lawsuits—which have been picking up steam in recent years alongside large data breaches that “are on the rise and have been for some time,” says Tim Francis, enterprise cyber lead at Travelers. “A few years ago, data breaches were considered an anomaly—companies could argue right or wrong that ‘Hey, it wasn’t my fault, I didn’t expect this to happen,’ and then it’s over.”
Today, cyber and security issues have “really become part of standard business operations and procedures and therefore part of the natural conversation about risk managers and insurance products,” Francis explains. “Companies and their shareholders are much more invested in not considering these things to be one-off, ‘nobody could see it coming’ kind of events, but rather something a company should have a plan for.”
And if they don’t? “That’s the kind of scenario where you’re more likely to end up not only paying for the data breach itself, but potentially facing derivative action as well,” Francis says.
Considering data breaches have not only increased in frequency but also severity, “it’s becoming more expensive to handle these breaches and you’re seeing larger impacts on the companies themselves to investigate, remediate and then deal with the follow-up lawsuits,” says Shanda Davis, D&O product manager at Travelers. “Once you’re suffering a loss at the company level or taking a large charge for these, you have basis for derivative action.”
For directors and officers at both private and public companies, it’s a trend that presents a new opportunity for independent agents to make a case for cyber liability insurance. “Directors and officers are coming under fire for lack of preparedness and for not having any type of post-breach response plan in place,” says David Derigiotis, who leads the Professional Liability Center of Excellence at Burns & Wilcox. “They have a fiduciary duty to act with care, loyalty and goodwill on behalf of the company. And if they’re not including technology and cyber and privacy liability issues, you could argue that’s a breach of that duty.”
For publicly traded companies, that means “there’s potential for a stock drop and then a securities class action lawsuit as well,” Davis says. But don’t assume that because your client is a private company the exposure is minimal. While public companies face a different set of rules and regulations from the Federal Trade Commission, and therefore risk coming under fire over their publicly traded stock, private companies have their own cyber-related D&O concerns to address.
“You do have a broader exposure if you are a large publicly traded company with a number of shareholders you’re responsible for—at this level, organizations must be compliant with the SEC,” Derigiotis explains. “But if you’re a private company, you still have plenty of regulatory laws to abide by. You may still have shareholders and you can still have claims brought against you from other clients or from private equity firms that have a financial interest in your organization. The exposure is still there—the claims just may come from a different angle.”
“A private company wouldn’t have the risk of a securities class action lawsuit or a stock drop, but you still have exposure from a D&O perspective from shareholders if it’s causing a large enough impact to the company’s financials,” Davis agrees. “The cost of these breaches can be so expensive, and if you’re a smaller company that can be a very impactful event on a balance sheet.”
In fact, a private company might be more likely to sustain serious losses in the event of a breach, since it might be less adequately prepared to deal with the consequences. “If you look at the statistical data, smaller companies are actually more likely to have an event—and that event is more likely to be a higher percentage of their overall revenue than larger companies,” Francis says. “So it’s more significant when it happens.”
The best way to approach the exposure as an agent? Use your client’s D&O coverage needs as leverage to present a cyber liability option, too. “Add-ons for cyber are available in the D&O marketplace, but the most prudent decision would be to have a form that fully addresses your exposure as either a director or officer and then a form that fully addresses your cyber liability exposures,” Derigiotis advises.
“You really should have two independent coverages, because really they’re doing two different things,” Francis agrees: While the D&O policy responds to shareholder suits regarding the assets and the financial situation of a company, the cyber policy directly pays for both the defense and the first-party costs to deal with the event itself. “Those two things go together in the sense that having the cyber policy to mitigate some of the expenses and costs to deal with a breach can actually go a long way toward defending the situation in the event of a stock drop, because the company did as much as they could have done to deal with the event.”
So think of D&O and cyber as “two different coverage angles closely related at the same nexus,” Francis says. “It isn’t about having really good D&O insurance or having really good cyber insurance—it’s making sure you have both and understanding that they’ll work together in concert in the event of a data breach.”
“The key takeaway is that these conversations have to be had in the boardroom,” Derigiotis adds. “They have to move out of the IT department. It’s the director and officer’s responsibility to make sure organizations are up to date and taking every possible measure to safeguard digital assets, add value to the shareholders and protect the organization’s financial well-being.”
Jacquelyn Connelly is IA senior editor.