In recent years, the corporate world has witnessed a significant rise in the frequency of directors’ and officers’ (D&O) claims following major cyber incidents. This phenomenon underscores the intricate link between cyber risks and D&O liabilities, highlighting the need for a cohesive approach to managing these intertwined risks.
Understanding the phenomenon
A major cyber event can have far-reaching consequences beyond immediate financial losses and operational disruptions. One of the most notable repercussions is the increased likelihood of D&O events, such as shareholder class actions or derivative suits. Research indicates that approximately 43% to 50% of companies experiencing a significant cyber event are likely to face a D&O event as well. This correlation can be attributed to several factors:
- Regulatory scrutiny and legal actions: In the aftermath of a cyber incident, regulatory bodies often scrutinize the affected company's actions and responses. Any perceived negligence or failure to implement adequate cybersecurity measures can lead to legal actions against the company's directors and officers. In July of 2023, the SEC adopted rules to require all public companies to disclose all material cyber incidents within four days after a registrant determines that a cybersecurity incident is material. SEC requires all public companies to disclose cyber incidents.
- Shareholder expectations: Shareholders expect companies to safeguard their data and maintain robust cybersecurity protocols. A major cyber breach can erode shareholder trust, leading to class action lawsuits against the company's leadership for failing to protect their interests. In the past, cyber incidents did not often correlate with significant decreases in shareholder value. However, 2024 has brought with it notable securities claim settlements by Google, Zoom and Okta, who agreed to pay plaintiffs $350 million, $150 million and $60 million respectively to settle claims arising from market capitalization losses far in excess of those amounts. All these settlements arose from cyber security and privacy related allegations.
- Reputational damage: Cyber incidents can severely damage a company's reputation, affecting its market value and stakeholder confidence. Directors and officers may be held accountable for the resulting financial losses and reputational harm.
Recent examples of D&O events following cyber incidents
- CrowdStrike D&O event: The CrowdStrike cyber incident resulted in a securities fraud class action which alleges that the company made misrepresentations when it “repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified.’” The data mined by Claudia Piccirilli illustrated that companies with cyber events increased their D&O risk from 5% historically to 68% with a breach. The system failures caused by CrowdStrike’s software updates resulted in their share price declining by 30% over the next few days following the incident, resulting in the company’s market capitalization decreasing by nearly $12.5 biliion.
- Cyber claims data analysis: In a recent analysis of FINEX cyber claims data, it was found that D&O claims followed closely in time the date of a cyber event/incident. This data helps to predict the likelihood of a D&O claim after a cyber event.
- D&O considerations in the wake of a cyber event: A study performed by WTW Risk & Analytics highlighted evidence of a correlation between D&O events and the performance of a company’s cyber security controls as evidenced by a company’s security rating. The study emphasized that analyzing D&O exposure using a cyber incident as a lens can help predict increased exposure.
These examples illustrate the increased frequency of D&O events following major cyber incidents and underscore the importance of having a unified risk management strategy to address cyber risk as a D&O risk. This approach requires a close analysis of cyber and D&O insurance terms, and how they can effectively work together.
The benefits of a unified approach to cyber and D&O risk management
Given the intertwined nature of cyber and D&O risks, having a holistic approach to address these exposures offers the following compelling advantages:
- Holistic risk assessment: A unified approach provides a comprehensive risk assessment that considers the interplay between cyber and D&O exposures. This integrated approach enables companies to better understand their total risk profile and make informed decisions about coverage needs.
- Streamlined claims management: In the event a cyber incident triggers a D&O event, there are opportunities to improve synergies with claims management. Coordinated claims management ensures that both cyber and D&O claims are handled efficiently, minimizing delays and potential conflicts between insurers.
- Enhanced coverage synergy: A broker with expertise in both cyber and D&O insurance can design policies that complement each other. For instance, insights from cyber risk assessments can inform D&O coverage terms, ensuring that directors and officers are adequately protected against liabilities arising from cyber incidents. In an era where CISOs are increasingly exposed to personal liability, it’s imperative to maximize coverage certainty for their personal asset exposure
- Insurance efficiency opportunities: Given the interrelated aspects of cyber and D&O insurance, leveraging insurer relationships across both lines of coverage can bring forth coverage and pricing efficiencies.
Mitigating the risks
To mitigate the risks associated with D&O events following cyber incidents, companies can adopt several strategies:
- Enhanced cybersecurity measures: Implementing robust cybersecurity protocols and regularly updating them can help prevent cyber incidents. This includes employee training, regular security audits and investing in advanced security technologies. Of course, ensuring that the company has sufficient cyber coverage in the first place can be a great hedge against a D&O event following a cyber event.
- Comprehensive risk management: Companies should adopt a holistic approach to risk management that includes both cyber and D&O risks. This involves conducting regular risk assessments, developing incident response plans and ensuring that cyber and D&O insurance policies are aligned.
- Cyber and D&O risk quantification: Because D&O losses are increasingly driven as a consequence of cyber incidents, it’s imperative that companies stress-test the adequacy of D&O limits, taking into account the potential financial impact of material cyber losses. Relatedly, adequate broad cyber coverage can mitigate losses to the company and help to limit categories of loss alleged in D&O derivative suits.
- Regulatory compliance: Staying abreast of evolving cyber regulations and ensuring compliance can help mitigate legal risks. Companies should work closely with legal advisors to understand their obligations and implement necessary measures.
- Transparent communication: Maintaining transparent communication with shareholders and stakeholders about cybersecurity measures and incident response can help build trust and reduce the likelihood of legal actions.
- Incident response preparation and testing: It is essential for organizations to practice incident response planning and testing so that they can prepared when faced with a cyber incident, especially when it comes to necessary compliance with regulatory requirements.
Conclusion
The increased frequency of D&O events following major cyber incidents underscores the need for a unified approach to risk management. By leveraging the expertise of cyber and executive risk experts, companies can achieve a holistic understanding of their risk landscape, improve visibility through quantification of likely losses, streamline claims processes and enhance coverage synergy. In an era where cyber threats are ever-evolving, this integrated strategy is crucial for safeguarding the interests of both the company and its leadership.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
