Cyber-crime and its impact on D&O insurance

Cybercrime has risen in recent years, perhaps more than anybody ever expected. For a long time, the focus was on defending businesses against such crimes. Now, with more people aware of cybercrime and the risks, insurers are becoming increasingly aware of the impact such crime may have on D&O policies.

Directors and officers liability insurance has often been seen as one of the broader policies, providing protection for a variety of alleged wrongful acts. It is therefore entirely predictable that it will be targeted by shareholders who wish to bring a claim against directors when a cybercrime occurs. When organisations are the victims of such crimes, it can lead to arguments that directors and officers acted wrongly in some capacity by failing to protect the business against the crime.

Recent developments in the US have seen members of Yahoo’s senior management make payouts totalling $80 million to shareholders following a class action, after Yahoo fell victim to a series of cybercrime attacks between 2014 and 2016. The case will have repercussions for D&O insurers, both in the US and across the pond, as it was the first substantial data breach-related shareholder lawsuit recovery.

The decision by shareholders to now challenge directors and officers over their cybercrime concerns highlights just how much the problem has grown in recent years.

Directors have always been tasked with acting reasonably and in the best interests of the company. However, in order to sufficiently protect themselves from claims, they need to ensure that policies, controls and procedures are in place to defend the company against cybercrime. Insurance policies will also need to be adjusted to ensure they adequately deal with the new wave of crimes. Underwriters are therefore likely to begin to question insureds about the level of their cybercrime protection, or indeed whether they have ever been a victim before. Equally, directors and officers will want to check that their policies do not exclude cybercrime claims.

Strong defences against cybercrimes are vital to any organisation, but directors and officers should pay particularly close attention to the measures they are taking to protect the organisation against these crimes. Recent examples, such as the Yahoo case, would suggest that failure to act appropriately will leave them open to claims from shareholders.