July 25, 2023
Cyber incidents are growing in frequency and severity. Enforcement, too, is ramping up. The DOJ, FTC, and SEC are all involved in investigating potential violations of law following cyber incidents and prosecuting companies that fail to protect data. Executives are right to worry about these risks, particularly because agencies, and shareholders, have shown willingness to pursue individual directors following an incident. Insurance policies providing cyber and directors and officers (“D&O”) liability coverage can reduce corporate and individual exposure in the event of a cyber incident. But these policies are not one-size-fits-all, and companies would be well served by reading their policies carefully to determine, and proactively address, potential weaknesses or gaps that could mean the difference between the insurer accepting or rejecting a claim for coverage.
I. Why Cybersecurity Should Matter to Executives and Boards
In 2023, nearly every organization, in every industry, is at risk of cyber incidents. Cisco found that nearly two-thirds of reporting organizations experienced major security incidents that jeopardized business operations. These incidents have significant financial ramifications—IBM Security and the Ponemon Institute’s 2022 cost of a data breach report found that the average cost of a data breach in the United States is $9.44 million—significantly higher than the global average cost of a data breach, at $4.82 million. The effects of a cyber incident can linger. Bitglass found that following a data breach, stock prices for publicly traded companies dropped an average of 7.5% and took an average of 45 days to recover to pre-breach levels. Further, incidents like ransomware attacks can encrypt some or all of a company’s systems, resulting in companies facing lost profits in the several millions of dollars because of system outages and ramp-up time when systems begin to be restored.
Recently, regulators have begun cracking down on companies that fail to secure data and/or fail to promptly disclose cyber incidents. In October 2021, Deputy Attorney General Lisa Monaco announced the launch of the Civil Cyber-Fraud Initiative, led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch. The Civil Cyber-Fraud Initiative was created to “utilize the False Claims Act (‘FCA’) to pursue cybersecurity related fraud by government contractors and grant recipients.” Since the program was announced, the DOJ has done as promised. Just last month, it announced a settlement with Jelly Bean Communication Design LLC and its manager, Jeremy Spinks, individually, for failing to secure data on HealthyKids.org.
Other federal agencies have also taken action. The FTC, for example, has ramped up enforcement of data privacy standards under Section 5 of the FTC Act, coming after large companies like BetterHelp ($7.8 million) for failing to safeguard data. In addition to civil penalties, many of these companies will be subject to FTC oversight for an extended period of time (BetterHelp will be monitored for twenty years) and may have to comply with additional requirements. The FTC and SEC have also engaged in rulemaking on cybersecurity issues. In March 2023, the SEC proposed three new cybersecurity rules, which would require covered entities and systems to undertake certain cybersecurity-related actions such as reforming security programs and procedures and providing notice of cyber incidents. As of June 13, 2023, three sets of proposed SEC cybersecurity rules are in the Final Rule Stage.
Not just companies, but individual executives, may be vulnerable. Recently, Uber’s former Chief Information Security Officer Joe Sullivan became the first executive to be criminally prosecuted, and then convicted, for failing to disclose a data breach. At the time, Uber was being investigated by the FTC for an earlier data breach. Rather than reporting the breach, Sullivan and his team paid the hackers’ ransom and had them sign a nondisclosure agreement; the FTC was not informed of the breach until 2017. Sullivan was subsequently convicted on federal charges of obstructing an FTC investigation and misprision (concealing a felony); in May 2023, he was sentenced to three years’ probation and ordered to pay a $50,000 fine. Executives may also be held liable under state law. Delaware recently ruled that in addition to directors, officers owe a duty of oversight, opening the door for civil breach of oversight claims to be brought against both directors and officers.
II. Cyber vs. D&O Insurance: Distinct and Complementary Protections
Companies worried about these risks can reduce exposure with cyber and D&O insurance. These two types of policies provide distinct, but sometimes overlapping, protections for the types of liability arising out of cyber incidents discussed above.
Cyber insurance protects an organization against many different risks associated with cyber incidents. Cyber policies typically include both “first-party” and “third-party” coverages:
D&O insurance protects an organization’s directors and officers, and sometimes the organization itself, from claims arising out of alleged wrongful conduct by directors, officers, or employees in making decisions and otherwise managing the company. Common D&O exposures include alleged breach of fiduciary duties by the board, securities class actions or claims alleging regulatory violations, reporting errors, and inaccurate disclosures. In addition to defense costs, private company D&O insurance may also cover costs arising out of regulatory investigations.
III. Evaluating the Strength of Cyber and D&O Insurance Programs
Adding both cyber and D&O insurance to an insurance program may protect an organization and its officers and directors from common costs arising out of cyber incidents. But simply purchasing both types of coverage is not enough, as not all policies are created equal. To the contrary, insurance forms can have material differences that determine whether a cyber-related insurance claim will be accepted or rejected.
Moreover, even the best standard-form language can often be modified by endorsement to further expand coverage, narrow exclusions, or strengthen terms in significant ways to help guard against uncovered exposures (or the opposite: endorsements can materially limit coverage that was otherwise available in the main policy form).
Dozens of provisions can help or hurt the chance of recovery in the event of a claim. For organizations evaluating their current program, some provisions to look out for are:
Organizations should carefully review existing policies to determine which coverages exist and whether additional or modified terms are warranted. Each line of coverage should be carefully analyzed and, if needed, modified before a claim arises.