Last week, we published a client alert discussing the importance of cyber and directors and officers liability insurance for companies and their executives to guard against cyber-related exposures. In today’s ever-changing threat landscape, all organizations are at risk of damaging cyber incidents, and resulting investigations and lawsuits, underscoring the importance of utilizing all tools in a company’s risk mitigation toolkit, including insurance, to address these exposures.
Since we published the alert, the SEC has adopted new final rules about cyber risk management and incident disclosure. These rules only emphasize that companies have significant exposure from cyber incidents, particularly since regulators are increasing their scrutiny. Cyber and D&O policies can help mitigate these risks, but companies should carefully evaluate their policies to determine what coverages—and gaps in coverage—exist.
More Cyber Incidents, and Greater Scrutiny
Cyber incidents are growing in frequency and severity. Enforcement, too, is ramping up. By adopting its new final rules, the SEC has shown that it will take an active role in evaluating companies’ risk management and responses to cyber incidents. Among other requirements, the SEC’s new rules require that registered companies:
- Disclose on Form 8-K any cybersecurity incident the company determines to be “material” within four days of determining that it is material, and
- Describe on Form 10-K the company’s processes for assessing, identifying, and managing material risks from cyber threats and whether those risks have or will materially affect the company.
The SEC is not the only government agency policing this arena. The DOJ and FTC investigate potential violations of law following cyber incidents and prosecute companies—and executives—who fail to protect data. Just last month, pursuant to its Civil Cyber-Fraud Initiative, the DOJ settled with Jelly Bean Communication Design LLC and manager Jeremy Spinks, individually, for failing to secure data on HealthyKids.org. Similarly, the FTC has ramped up enforcement of data privacy standards under Section 5 of the FTC Act, coming after large companies like BetterHelp (which settled for $7.8 million) for failing to safeguard data.
In some cases, executives may be pursued for their conduct related to cyber incidents. Recently, Uber’s former Chief Information Security Officer Joe Sullivan became the first executive to be criminally prosecuted—and convicted—for failing to disclose a data breach at Uber to the FTC. Sullivan was convicted on federal charges of obstructing an FTC investigation and misprision (concealing a felony). In May 2023, Sullivan was sentenced to three years’ probation and ordered to pay a $50,000 fine. On the civil side, a Delaware court recently ruled that officers, along with directors, owe a duty of oversight, opening the door for civil breach-of-oversight claims to be brought against both directors and officers.
Cyber vs. D&O Insurance: Distinct, Key Tools to Mitigate Exposure
Cyber and D&O insurance policies provide distinct, but sometimes overlapping, protections for the types of liability arising out of the cyber incidents discussed above. Cyber insurance protects companies against many different risks associated with cyber incidents. D&O insurance protects corporate directors and officers, and sometimes the company itself, from claims arising out of alleged wrongful conduct by directors, officers, or employees in making decisions and otherwise managing the company.
But these policies are not one-size-fits-all. Even the best standard-form language can often be modified by endorsement to expand coverage, narrow exclusions, or strengthen terms in significant ways to fill gaps in coverage. The opposite is also true: endorsements can materially limit coverage that was otherwise available in the main policy form.
Dozens of provisions can help or hurt the chances of recovery if a claim occurs. For companies evaluating their current insurance program, some provisions to look out for include:
- Cyber exclusions. With cyber incidents on the rise, some insurers have added broad “cyber” exclusions to D&O policies. While the alleged purpose of these exclusions is to shift true cyber exposures to cyber policies, in practice, these exclusions are often too broad and limit or negate large swaths of coverage for D&O claims based on remote connections to a cyber incident. Narrowing these exclusions, especially broad lead-in and causation language, can minimize these risks.
- Pre-approval of key vendors. In the event of a cyber incident, companies will need to quickly retain many key vendors, including legal counsel, IT forensics, public relations, and even extortion specialists. Some policies require insureds to use the insurer’s panel vendors. If the cyber policy contains such a requirement, companies should ensure they are comfortable using the vendors on the insurer’s panel or obtain an alternate policy that allows selection of independent vendors. For the latter, policyholders should still seek pre-approval of their preferred vendors by endorsement onto the policy to ensure there is no dispute in the critical hours following discovery of a cyber incident.
- Conduct exclusions. In data privacy actions, public and private plaintiffs commonly allege misconduct by the company or its executives (for example, in the BetterHelp and Uber/Joe Sullivan cases mentioned above). Conduct exclusions in D&O policies may bar coverage for claims arising out of fraudulent or criminal conduct, or willful or deliberate violations of the law. These exclusions can be narrowed by inserting final adjudication requirements, which ensure coverage is not barred until there is a final, nonappealable adjudication that the insured’s conduct was wrongful.
- Insured vs. insured exclusions. These exclusions, commonly found in D&O policies, bar claims by one insured (e.g., a company) against another insured (e.g., the company’s director). Companies should ensure the exclusion contains a carveout for whistleblower claims: for example, if a director reveals that their organization improperly covered up a cyber incident.
- Exclusions for violations of securities laws, or unfair trade practices. Exclusions for securities law violations in technology errors and omissions or cyber policies should carve out otherwise-covered privacy claims. Exclusions for unfair trade practices claims in D&O policies should carve out claims arising out of data breaches and failures to disclose cyber incidents in violation of applicable law, particularly given the new SEC rules.
- Contractual liability exclusions. Many companies, when contracting with clients or vendors, must make representations and warranties about their security systems or ability to protect data. Exclusions for contractual liability should carve out liability that would exist without a contract.
- Other exclusions. The above list is by no means exhaustive. We have seen insurers invoke many additional exclusions to deny coverage: professional services, terrorism, intellectual property, and war, to name a few.
Before a claim arises, companies should carefully analyze each of their policies to determine what coverages exist and whether additional or modified terms are needed. Each policy form and endorsement should be scrutinized to fully understand not only how a particular policy may respond to a claim, but also how a particular coverage grant (or exclusion) operates within the insurance program as a whole.