With the cyber insurance market showing no signs of easing while the D&O market is returning to equilibrium, now is a good time to assess the quality and breadth of cover available to directors for the cyber-related exposures they face.
Directors have a non-delegable duty to supervise a company’s activities. In the context of cyber security, this means they need to understand enough about the relevant risks and about the measures the company has taken to protect against them. If directors fail to discharge this duty they can be subjected to extensive regulatory investigation and even civil proceedings, although the company itself (assuming it remains solvent) is the more likely target. Perhaps for this reason, D&O insurers tend to seek only a small fraction (if any) of the information which insurers of cyber exposures would require to underwrite the company risk.
So how good is the protection generally afforded under D&O policies to directors for their potential cyber-related liabilities? In the UK, the risk of a civil claim against directors of a solvent company as a result of a cyber breach or data loss suffered either by it or by third parties is relatively remote. That said, if the damage suffered by the company (including to its reputation or share price) is especially severe, such claims cannot be ruled out. Costs, settlements and awards in any such actions would be covered by most policies.
The more important question is what the coverage position would be in the more likely scenario of regulatory investigations and the possibility of fines and penalties. Taking fines and penalties first, the gold standard in terms of coverage, which few D&O insurers volunteer, is protection under the contract for fines and penalties “to the extent insurable under the law governing the policy.” Many policies instead exclude cover for all criminal fines and penalties and provide only restricted cover for any other type.
That leaves the position in relation to the legal costs of defending regulatory investigations or proceedings for a data breach under the Data Protection Act or for other cyber security breaches. Whereas the company’s own legal costs in relation to such investigations will rarely be covered, those of individual directors should be, at least from the point at which they become a target of the investigation or their attendance at interview is legally required. But policies vary widely in respect of this key coverage. Indeed, counter-intuitively, it is those D&O policies which appear to offer specific cyber extensions that may well provide less protection for the directors, since the extensions tend to be written on a more restrictive basis and may even be subject to specific sub-limits.
Assess your level of maturity and benchmark your board practices: cyber survey
NEDonBoard and McGill and Partners are running a cyber survey for boards and non-executive directors. The survey will help you assess the level of cyber maturity of your organisation and benchmark it against other NEDs.
This blog is written by McGill & Partners, who have partnered with NEDonBoard to provide educational and insightful content to our community of influential board members. In addition to blogs, more in-depth resources are included in the NED Accelerator® Programme or available within the member area of the NEDonBoard platform.