As we previously noted, recent SEC actions on the topic of cybersecurity indicates increased SEC focus and likely heralds the coming of enforcement actions against public companies for cyber breaches. On the front end, companies can mitigate their risk by ensuring their cyber preparednessin the event of an attack, which, increasingly, appear to be all but inevitable. In the event that a company does suffer a data breach, it will quickly look to its insurance policy to help defray the costs. In theory, litigation arising out of a data breach should be covered under a D&O policy. However, given the rise in hacking and cyber breaches, cyber liability policies have grown in popularity. As a result, D&O policies are increasingly drafted with a standard exclusion for privacy violations and data breaches, some of which has recently changed. Thus companies cannot simply assume that their D&O policy will respond to a cyber breach. Also, the board of directors cannot assume a cyber policy will protect them. Cyber policies may provide some protections, but certainly not for derivative suits or shareholder class actions.
A board should therefore evaluate its insurance program to determine whether adequate coverage is available to respond to a data breach. If the board concludes that its current insurance program is inadequate, there are three available options: first, consider a stand-alone cyber liability policy. Many of these policies offer multiple coverages to respond to a cyber risk, including: security and privacy liability insurance, event management insurance, business interruption insurance, cyber extortion and cyber media insurance. Also, consider an endorsement to D&O policy specifically including coverage for cyber liability risks for the board of directors for oversight liability.
Finally, the company may also consider other insurance that may provide some coverage including fiduciary or professional services liability. Again, if the company is unsure of how to interpret its coverage, the company should not hazard an educated guess. Instead, the company should retain counsel to evaluate its risk profile, potential exposure, and adequacy of coverage.
To see part 1 - please click here.
To see part 2 - please click here.