In response to a security breach in 2000 at the State Department, then Secretary of State Madeleine Albright told her staff, “I don’t care how skilled you are as a diplomat, how brilliant you may be at meetings, or how creative you are as an administrator – if you are not professional about security, you are a failure.”
Albright’s remarks might as well have been directed at every company’s directors and officers. Among a host of other requirements, directors and officers are tasked with acting in good faith and using all available information to make the best decisions for the company. Gone are the days of invoking the business judgment rule as a defense and assuming that courts will not second-guess management decisions – including those related to cyber security and preparedness.
Private company executives face many of the same potential cyber claim scenarios as their public company counterparts, often without the resources to defend the claim or maintain operations after judgment. These suits can come from a variety of sources: regulatory agencies, shareholders claiming mismanagement (i.e., security breaches affect the company’s financials), clients/PE firms with a financial interest, etc.
Preparation is key in mitigating the exposures from a cyber-related D&O suit. Purchasing security products merely to satisfy a checklist will not be defensible in court. Directors, officers, board members, and others in key leadership positions should:
- Have a detailed understanding of the technology and system architecture of the company’s security
- Play a role in the development of customer-facing terms, conditions, and privacy policies
- Engage in vendor negotiations and breach planning
- Be involved in the training, testing, and rehearsal of system defenses
- Provide an adequate workforce dedicated to cyber security
- Invest not only company resources, but also company time.
A properly underwritten directors’ & officers’ policy can be just as valuable as a cyber policy in the event of a security breach. Historically (and by design), D&O policies were intended to cover the executives for claims alleging mismanagement of their company, with very few restrictions as to the type of mismanagement involved.
However, with the uptick in security breaches over the past ten years, many carriers have discreetly added a new exclusion to their policies removing coverage “based upon, arising out of, relating to, directly or indirectly resulting from, or in any way involving” cyber/security claims. This clause essentially removes coverage for management decisions related to the implementation and supervision of security protocols even when measures have been taken to protect the company (duty of care).
Sounds crazy, right? The exact exposure meant to be addressed by a D&O policy is no longer covered. While underwriters might occasionally have genuine concern pulling perceived cyber exposure into the D&O policy, most of these decisions are due to the lack of experience with cyber breaches.
There is good news though. A few markets will immediately remove this exclusion upon confirmation that the insured purchases a cyber liability policy. Others are agreeable to modifying the exclusion. This can be accomplished through alternate intro wording, by providing a carveback for individual directors/officers (Side A), or by removing the exclusion altogether. The standard exclusion noted in the paragraph above should only be accepted as a last resort.
Just as a company’s directors, officers and employees work together to prevent a security breach, the Cyber and D&O policies must work together in response to a breach. Understanding the exposures and having the proper policy language in place certainly helps.