Cyber-Related D&O Claims Expected to Rise
Last month at the Professional Liability Underwriting Society’s (PLUS) annual conference, one key takeaway concerned cyber threats, with companies expecting to see an increase in securities class action lawsuits when computer systems are compromised. The bottom line: Boards of directors should adapt their protocols to provide better oversight of cyber security.
While there have been a limited number of cyber-related D&O claims to date, “they are coming,” said Douglas W. Greene, a shareholder at law firm Lane Powell P.C. in Seattle, at the PLUS conference. As of yet, stock prices have not been affected long-term by cyber incidents, which has been an impediment to D&O litigation, “but that is bound to change; and when it changes, and stock prices start to drop upon disclosure of a breach … the plaintiffs’ lawyers will be there,” he said.
Contributing to the potential rise in cyber-related D&O claims, according to Greene, is that “companies are going to start competing on the basis of cyber security.” Another factor is the Securities and Exchange Commission’s (SEC) interest in this issue, which we discussed earlier this year.
And, although companies are gaining traction on the cyber security side, especially in light of high-profile breaches such as Target, Home Depot and Staples, there are still big challenges, including when it comes to D&O insurance. “Unlike other aspects of D&O underwriting, insurers cannot rely on public filings or use them as a resource because they do not contain detailed cyber security information,” said Shanda Davis, Chicago-based D&O product manager of bond and financial products at The Travelers Cos. Inc. It is “difficult to get your arms around these issues,” she said.
This is a “rapidly developing area,” said John Black, executive principal at Skarzynski Black L.L.C., a business law firm specializing in insurance. Amazon Inc. was founded just 20 years ago and data breach notification laws are just 10 years old, he said.
While litigation to date has been dominated by consumer class actions, a future issue will be intellectual property theft and impairment of company assets. Those claims will start to come up as the SEC scrutinizes data breaches, and whistleblowers start to speak up, Greene said.
Guiding Principles for Boards of Directors
To address the increased exposure to cyber threats, the National Association of Corporate Directors (NACD), in conjunction with the American International Group (AIG) and the Internet Security Alliance (ISA), published a report this year outlining the five principles that all corporate boards should consider. The five principles are:
- Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
In addition to addressing cyber threats and establishing procedures and protocols, it’s essential that the right D&O and Cyber Liability insurance plan be in place. Our professionals at Caitlin Morgan can help you secure the proper insurance policies for your insureds. Just give us a call at 877.226.1027 to find out what we can offer.