How underwriters are tackling cyber exposure in D&O policies

D&O trends in the cyber market

Underwriters are starting to address cyber exposure in directors and officers (D&O) policies, an insurtech told delegates at the NetDiligence Cyber Risk Summit in Toronto.

“What we’re seeing is mandatory cybersecurity exposure questions on D&O submissions,” said Ben Davis, team leader of digital assets with London, U.K.-based Superscript. “If the underwriters aren’t happy with it, sometimes we’ve seen a broadside of exclusions from the D&O policy, which is just interesting.

“So, underwriters are waking up that there is exposure under the D&O policy and if they’re not happy with the answers they’re getting, they’re carving out liability for it and trying to make sure it sticks under this cyber liability section.”

Davis was part of the conference’s Cyber and Other Lines panel, which included discussions on trends in cyber and how it affects other lines such as D&O, kidnap and ransom, and property policies. Davis was discussing trends D&O underwriters are seeing in 2022-23 as they relate to cyber.

In general, claims trends in the D&O space resulting from cybersecurity incidents fall into two buckets: pre-breach and post-breach, Davis said. Pre-breach claims trends have revolved around breach of oversight, with chief information security officers (CISOs) personally named in lawsuits for how they handled an incident pre-breach.

(L-R) Ben Davis (Superscript), Karen Continenza (Marsh), Andres Hinojosa (Beazley Canada) and Yvonne Kitkarska (MDD Forensic Accountants) at the NetDiligence Cyber Risk Summit.

“So, what we saw there was actually the D&O policy needs to name or extend coverage to the CISOs,” Davis said in reference to two cases in which CISOs were named. “Because sometimes the definition might not be broad enough to actually extend cover to the CISO directly. And what we’ve actually seen is the breach of oversight claim actually stick on those D&O policies for the derivative shareholder class action lawsuits that were levied against those companies.”

So, if a company’s board of directors knows there are cybersecurity deficiencies and does nothing to remedy them, resulting in exposure and a cyberattack, “then that is a liability for the directors in their management of the company,” Davis said.

Post-breach trends come down to how a company handled a breach, with notification to investors a key concern. “So, if they are disclosing the breach appropriately to their investors or if they’re just skirting around it; if they’re kind of brushing it under the rug,” Davis said.

“We’ve seen claims from investors that say…‘Well, when we were on the quarterly call [for a company we’ve invested in] we felt…you didn’t really tell us that the breach was that material to the business, so we kept investing. And it was, and you didn’t handle it very well.’ And so that’s a loss of the share price.”

Cyber insurers are also now deliberately addressing ‘silent cyber’ (where cyber coverage is neither expressly confirmed nor excluded) in other policies, added Karen Continenza, senior vice president at Marsh. This includes kidnap and ransom as well as property policies, which are now sometimes applying absolute cyber exclusions or removing cyber in totality.
