3 Key Takeaways on Directors and Officers Insurance and Cyber Liability
- Cyber risk is on the fast track to becoming a board issue—potentially the top board issue of our time.
- Boards must be aware of what cyber risk means for their businesses, and should take necessary and reasonably informed steps to mitigate risk.
- Underwriting must evolve as directors and officers insurance policies start to assume risks previously covered by cyber insurance policies that haven’t been continued because of rising costs.
In this continuing series of industry expert interviews, NetDiligence® President Mark Greisiger and Axio Global, Inc. CEO Scott Kannry discuss these takeaways and other aspects of liability, directors and officers insurance, and cybersecurity risks for businesses. Read the synopsis below, and watch the full interview in the video above.
Why Directors and Officers Must Understand Cybersecurity Risks for Businesses
MG: More and more, we find D&O exposure that stems from cyber. I know no one better to speak about this exposure than you, Scott. Axio recently released a Cybersecurity Guide for Boards of Directors. Can you give me a little bit of background on board exposure?
SK: I’ve had two tours of duty in the insurance industry, before and after grad school.
The first cyber insurance wave was at the beginning of my career, 2003-2009, about privacy breaches and all the data regulations in the United States and abroad.
I took a couple of years off for grad school, then the Stuxnet virus drew me back to the insurance industry. With Stuxnet, I realized cybersecurity events had the potential to be a risk far beyond data breaches the industry had gotten used to earlier.
Thinking about this [virus], especially knowing the core purpose of Stuxnet was to impact Iran’s ability to enrich uranium, made me believe [it] put cyber on an incredibly different level from a risk standpoint. If you think about the massive operational impacts a cyber event can cause, cyber as a risk is on a fast track to becoming a board issue, potentially the top board issue of our time.
MG: I went to a football game not long ago with a CEO from the area who knew my background and wanted to talk about where we saw cyber risk trends going. He’s worried about board-level liability. It keeps him up at night, and most of his senior people are asking about it. Do you think the legal climate and case law are lining up to support this trend? Should D&Os be concerned?
SK: Yes, I would say everything is nearly there. It’s just a matter of the next piece of litigation that succeeds relative to a cybersecurity event. There are a couple of things we’re watching make their way through the legal system after last year’s cybersecurity events.
It’s reminiscent of the mid-to-late-90s with Caremark, a piece of litigation in the Delaware courts. The Caremark litigation and decision opened a greater avenue of liability against directors and officers for oversight failures, including decisions that had to do with risks that should have been understood and acted on to prevent the harm ultimately caused.
After Caremark, there’s been litigation that’s pushed it further, such as Boeing and the 737 MAX disasters. The board was alleged to have not acted or understood the problems as quickly as they should have.
That view, transposed to the world of cybersecurity, could suggest boards should be expected to be aware of the risk their businesses face from cyber. They should take necessary and reasonably informed steps to mitigate the risk to the greatest extent possible. If they fail to act accordingly and something happens, they may be found at fault.
MG: What [do all these developments] mean from a coverage standpoint? How do you think D&O underwriting is going to evolve, relative to cyber risk?
SK: I think boards need to understand the risk as they do any other risk: Look at it in terms of the business, from a financial standpoint, and in terms of business impact.
They need a translation of the cybersecurity program’s technical viewpoints on which the cyber insurance product is underwritten. Unless the security leaders can provide that translated viewpoint, the board is not going to get the perspective they actually need to carry out their duties. They’ll fail to understand where the risks really are and not focus the enterprise accordingly, leaving them open to the ramifications mentioned before.
MG: Let’s talk a little bit about D&O impact. It’s not surprising we’re seeing challenging times and conditions in cyber risk insurance markets. Is there an impact potentially facing a D&O front because of what’s happening in cyber?
SK: First and foremost, I would anticipate last year’s market conditions from a cyber insurance standpoint are probably having a trickle-down or trickle-up effect. Some companies are electing to self-insure the risk, or cut down on limits because they don’t want to continue to bear the larger costs hitting them.
How could that [choice] play forward? If that company makes that decision internally for budget purposes and subsequently has an event, now they own that risk. It’s on their own balance sheet.
That [event] could create a pretty unfavorable situation with shareholders, who could say in retrospect, “You let a little bit more of an increase than you wanted keep you from purchasing cyber insurance. Now there’s been a big event. It’s coming out of my pocket.” In that situation, the directors and officers insurance has taken on the risk previously on the cyber liability insurance coverage in place. It’s not hard to see that [situation] potentially happening.