Beware cyber extensions in a D&O Policy

Published on Wed, 30/03/2022 - 11:12

Now is a good time to assess the quality and breadth of cover available to directors for the cyber-related exposures that they face. Francis Kean explains.

While cyber risks continue to expand and the cyber insurance market shows no signs of easing, the D&O market is returning to equilibrium. So how good is the protection generally afforded under D&O policies to directors for their potential cyber-related liabilities?

Directors have a non-delegable duty to supervise a company’s activities. In the context of cyber security, this means they need to understand enough about the relevant risks and the measures taken by the company against them. If directors fail to discharge this duty, they can be subject to extensive regulatory investigation, and even civil proceedings, although the company itself (assuming it remains solvent) is the more likely target.

In the UK, the risk of a civil claim against directors of a solvent company as a result of a cyber breach or data loss suffered either by it or third parties is relatively remote. There have been a number of unsuccessful attempts to establish this type of civil liability in the US.

Perhaps for this reason, D&O insurers tend to seek only a small fraction (if any) of the information which insurers of cyber exposures would require to underwrite the company risk.

That said, such claims are not impossible if the damage suffered by the company (including to its reputation or share price) is especially severe. Costs, settlements and awards in any such actions would be covered by most policies.

The less unlikely scenario

The more important question is what the coverage position is with respect to the less unlikely scenario of regulatory investigations and the possibility of fines and penalties.

Taking fines and penalties first, the gold standard in terms of coverage, which few D&O insurers volunteer, is protection under the contract for fines and penalties “to the extent insurable under the law governing the policy”. Instead, many policies exclude cover for all criminal fines and penalties, and only provide restricted cover for any other type.

That leaves us to consider the position in relation to the legal costs of defending regulatory investigations or proceedings for data breach under the Data Protection Act or other cyber security breaches.

Although the company’s own legal costs in relation to such investigations will rarely be covered, those of individual directors should be, at least from the point at which they are a target of the investigation or their attendance at interview is legally required. But policies vary widely in respect of this key coverage. Indeed, counterintuitively, those D&O policies that seem to offer specific cyber extensions may well provide less protection for the directors since the extensions tend to be written on a more restrictive basis and may even be subject to specific sub-limits.

Protection for directors against the threat of personal liability for cyber risk – not least in respect of legal representation expenses – has never been more important. Yet, identifying the key elements of cover in a D&O policy is not that straightforward, not least because no two such policies are the same. A better approach might be to start with a good understanding of the relevant coverage priorities and seek advice from brokers or other appropriate insurance experts.

This article highlights general issues and benefits relating to its subject matter and does not take into account individual circumstances or requirements of individual readers.

Francis Kean is a Partner in the financial lines team of specialist brokers McGill and Partners.