In Greek mythology, the heavily fortified city of Troy was physically breached using a Trojan horse, which has become a byword for cunning and deception. Cyber attacks and the claims that follow them are arguably the Trojan horses of modern times, with the damage caused by breaches now spreading beyond cyber insurance and into director and officer (D&O) policies. Recent cyber attacks across a number of sectors, including manufacturing and retail, have caused significant disruption to business and have the potential to undermine confidence in companies that are not adequately prepared, as well as cause material business interruption losses.
Although this is still an emerging trend, it is becoming clearer how these claims can occur. The steps that companies take to prevent or mitigate cyber claims can come under scrutiny, and that scrutiny can escalate into scrutiny of directors and officers (D&Os) and possible D&O claims. Even with robust cybersecurity measures and strong, effective governance acting as the frontline of defence, there are still several ways a cyber event can lead to a D&O claim. Common triggers include lack of cybersecurity expertise, insufficient resources, inadequate risk management and poor stakeholder communication.
It is essential for D&Os to have a comprehensive understanding of their organisation’s cybersecurity protocols and procedures. D&O underwriters will often look to understand how much focus is given to cyber risk in board meetings. Failure to implement the procedures or to respond to an event effectively could result in accusations of a breach of fiduciary duties. A poor reaction to a cyber event, or not procuring cyber insurance to protect the business, could lead to claims of mismanagement. The likelihood is increased if the breach has had a significant impact on the business, most likely as a follow-on impact of business interruption losses, which can often be more significant than any potential ransom demand. However, there is also recognition that, despite a robust control framework, the weakest link in the chain can still offer threat actors a way in. D&Os should be able to demonstrate that, to the best of their ability, they have given their businesses the capability to fend off most threat vectors.
If a breach is caused by outdated software, lack of investment in security measures or insufficient oversight, shareholders may hold the D&Os accountable, claiming that they failed to prioritise cyber risks, resulting in financial losses. Delayed or overly optimistic financial market updates following a cyber attack may be viewed with suspicion, further increasing the likelihood of a D&O claim if it transpires that there has been an alleged misstatement. Additionally, D&Os should disclose all breaches to markets and relevant regulatory bodies and ensure they are compliant with all data protection guidelines. Not doing so can quickly escalate to regulatory actions and investigations.
D&Os should also give careful consideration to public statements, disclosures or marketing that discuss their organisation’s cyber resilience, controls or preparedness. An emerging cyber-related risk, often described as “cyber washing”, arises where shareholders allege that such communications materially overstate an organisation’s cybersecurity posture. These allegations can trigger securities litigation, regulatory investigations and potential reputational damage if statements are found to be misleading or inaccurate. To mitigate the risk or severity of a D&O claim raised following a cyber event, there are several preventative measures companies can consider. Investing in cyber insurance is essential, providing a critical layer of balance sheet protection against security and privacy breaches. This not only minimises financial impact but also facilitates a faster recovery. At Liberty Specialty Markets, we understand the interconnected nature of cyber and D&O risks. Our strong expertise in these sectors helps clients address overlapping exposures.
Equally important are proactive steps such as implementing robust cybersecurity measures, developing and testing an incident response plan, conducting frequent employee training on cyber attack vectors, regular third-party vendor management, frequent reporting to the board and disclosing events in a timely manner in accordance with regulatory requirements or laws. As cyber threats continue to grow, D&Os are increasingly vulnerable to litigation stemming from perceived failures in governance, disclosure or risk oversight. To navigate cyber security issues effectively, addressing both D&O and cyber risks is crucial. D&Os should also ensure that their policies are fit for purpose and engage with both their broker and insurer partners so that the coverage is clearly understood in advance of any event.
In summary, D&Os may consider the following key points:
- Ensure cyber security frameworks are reviewed regularly and knowledge is shared throughout the business.
- Have either appropriate insurance coverage or third-party providers who can help mitigate the impact of an event.
- If the worst does occur, engage proactively with stakeholders, both regulatory and insurance-related, to mitigate exposure and manage the response.
Our team of leading D&O underwriters works closely with our panel of brokers. Our underwriters have the in-depth knowledge to provide creative solutions which meet the specific needs of organisations and the key individuals they employ. Our integrated approach means insureds benefit from coordinated underwriting, and a claims team experienced in defending complex cyber-driven D&O litigation — giving directors and officers confidence that Liberty can respond effectively. For any specific discussions reach out to your broker partner and we will be happy to discuss.