Cyber coverage is also having an effect on directors and officers (D&O) liability in the United States. Oversight and increased requirements for disclosure on cybersecurity are making D&O coverage more important than ever. With the rise of data breaches and other cyber-attacks, directors and officers are responsible for making sure that they are taking sufficient steps to protect their company’s digital assets. In the case of a data breach, directors can be hit with shareholder suits and shareholder derivative actions claiming that the directors breached their fiduciary duty to the company by failing to put adequate cybersecurity measures in place.
Legal experts predict that there will be more cyber-related D&O lawsuits resulting from increased regulatory oversight. In October 2011, the Securities and Exchange Commission (SEC) issued disclosure guidance stating that existing disclosure requirements “may impose an obligation” on publicly traded companies “to disclose such risks and incidents.” The SEC noted that companies should “review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” The SEC went on to state in the guidance that the company “may need to discuss the occurrence of the specific attacks and its known and potential costs and other consequences.” Among those costs would be reduced revenues, increased expense for cybersecurity protection, litigation, or the effects of theft of material intellectual property. A company should also disclose any substantial costs incurred to prevent cyber incidents, the SEC guidance stated.
In addition, the Federal Trade Commission (FTC) issued a regulation requiring many companies to adopt an identity theft protection program. Known as the “Red Flags Rule,” it requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, to take steps to prevent such incidents, and to mitigate the damage. The FTC rule requires that a company’s board of directors create reasonable policies and procedures to detect the red flags of identity theft that may occur in day-to-day operations.
The rule states that a company’s board – or an appropriate committee of the board or someone in senior management – must approve the initial plan and then oversee, develop, implement and administer the program.
Cyber insurance products are being broadened to include coverage that now addresses nearly all aspects of technology-based risk faced by today’s companies. Carriers are now adapting their policies to include a variety of loss prevention and risk mitigation tools, ranging from turnkey breach response teams to pre-emptive risk analytics. Opportunities for innovation exist within the cyber coverage market.
Insurers willing to offer more cyber capacity need to account, in their product development, for issues such as insureds’ use of outsourced providers, definitions of computer systems, aggregation of exposures, first-party breach response capabilities, and business interruption event triggers.
Cyber risks will continue to evolve with each new technological advance, and cyber liability policies will in turn be adapted to meet the specific needs of the policyholder. Since companies everywhere, in all industries, from multinational giants to small operations, are now exposed to cyber risk, the demand for comprehensive cyber risk insurance coverage will only continue to grow.