How Cyber Insurance Can Prevent Attacks from Spiraling into D&O Claims
It may seem like a long time ago, but cyber attacks were once something of a rarity: events only experienced by organizations of a specific size, in a specific industry, for a specific reason. However, now that cyber attacks increasingly impact businesses of all shapes and sizes, cyber risk has become an essential topic among board members and business executives.
Alongside the traditional risks associated with cyber attacks, many businesses face greater scrutiny over their preparedness and response to these incidents. Cyber attacks are often public events, and leaders who do not take steps to safeguard their organizations can face potential liability following an attack.
More and more, executives recognize that cybersecurity threats are a persistent risk that must be addressed for the long-term health of their businesses, as well as their own personal liability. A Directors and Officers (D&O) Liability insurance policy is the tried-and-true way to protect business leaders from exposure, but a Cyber Liability policy can enhance D&O protections by demonstrating that cyber risk is a top priority — and providing more comprehensive protection for the organization overall.
The rise of D&O risk in cybersecurity
Historically, D&O liabilities have focused largely on alleged financial mismanagement, questionable business decisions and breach of fiduciary duties. But cyber attacks have transformed the risk landscape, pushing D&O responsibilities to new heights and expanding the risk of potential liability to include regulatory actions, civil lawsuits, and even criminal proceedings.
Legal and regulatory implications
A business's actions, or lack thereof, are often scrutinized after a cyber attack. If leadership is proven to have failed to implement proper cybersecurity measures or did not monitor the controls already in place, they may be found in breach of their fiduciary responsibilities.
Equally important are the ways in which businesses handle the immediate aftermath of a cyber attack, especially as it relates to notifying authorities, customers, vendors, and other affected parties.
In recent years, high-profile legal cases against security executives at both Uber and SolarWinds have spotlighted the liabilities that pertain to the handling of corporate cyber events. Regardless of business size, these instances underscore the importance of establishing and implementing controls for managing cyber risk prior to an attack.
Board-level accountability and cybersecurity governance
Effective D&O risk mitigation often requires robust cybersecurity governance at the board level. Board members should consider actively engaging in oversight and adopting a comprehensive approach to cybersecurity.
This includes understanding the organization's risk profile, ensuring proactive risk assessments are conducted regularly, staying informed about emerging cyber threats, and allocating sufficient resources to address security gaps. Moreover, boards should encourage transparency and accountability by sharing information and learning from past cyber incidents.
Some boards accomplish this by appointing a director with a security background, someone who can help make difficult risk management decisions and increase the level of cybersecurity knowledge and awareness on the board. Some boards also form separate committees dedicated specifically to cyber risk management.
Safeguarding reputations and trust
A cyber attack can wreak havoc on a business's reputation and stakeholder trust. A board of directors' ability to effectively manage the fallout plays a critical role in rebuilding and safeguarding the organization's brand image.
Proactive D&O risk mitigation strategies should include comprehensive crisis communication plans that align with the organization's values, demonstrating transparency, empathy, and resilience. By doing so, organizations can foster a sense of trust among stakeholders and mitigate losses in consumer confidence, thus leading to quicker recovery.
Ensuring adequate coverage across cyber and D&O policies
As cyber risks continue to escalate, cyber insurance has become an essential part of an organization's risk management strategy, especially when coupled with D&O coverage or other Executive Risks insurance lines.
First and foremost, cyber insurance helps protect businesses against financial and reputational damages — an essential aspect of modern business. But the knock-on effect a cyber policy has on D&O liability makes it a must-have for executives at businesses of all sizes. Many carriers will specifically exclude D&O claims arising out of a cyber breach. Others, like Coalition, have policies that do not contain a cyber exclusion or provide a specific carve-back to an exclusion for certain scenarios.
When considering executive risks, businesses should look for D&O insurance that is complemented by cyber coverage. Coalition recently expanded its D&O appetite to include not-for-profit organizations. Best of all, D&O insurance can be purchased on a standalone basis or packaged with our other Executive Risks products.