
Watch for Cyber Exclusions in Your D&O Policy

  • Writer: John Barker
  • Nov 10, 2024
  • 3 min read

Updated: Dec 6, 2024

By John W. Barker, Esq.

Partner, The CISO Law Firm


D&O is the acronym for directors and officers insurance. Previously we alerted CISOs to verify with their boards and their C-suites that they are covered by D&O policies. Generally, coverage exists when the CISO is a duly appointed corporate officer. An additional step is to verify the language of the policy, specifically whether cyber exclusions exist. Possible exclusion types include the following:


  • If your employer is a privately held business or a non-profit organization, there is a possibility that the applicable policy covers cyber liability only for the organization but excludes coverage for CISOs.

  • There might be an exclusion for expenses associated with investigations of individually insured persons.

  • Virtual CISOs who work as independent contractors might be excluded from coverage by their clients' D&O policies.

These exclusions can leave CISOs personally liable for costly legal fees and settlements stemming from cyber incidents. In today's increasingly complex threat landscape, understanding your D&O coverage is more crucial than ever. Let's delve deeper into why these exclusions exist and how CISOs can protect themselves. 


Why Cyber Exclusions Exist in D&O Policies 

D&O insurance was traditionally designed to protect directors and officers from lawsuits alleging wrongful acts in their management roles, such as breaches of fiduciary duty, misrepresentation, or shareholder lawsuits. Cyber risks, with their unique challenges and potentially massive financial consequences, were not initially contemplated in these policies. 

As cyberattacks became more prevalent and sophisticated, insurers became wary of the potential for significant payouts related to cyber incidents. To mitigate their risk, they started incorporating cyber exclusions into D&O policies. This allows them to limit their exposure to cyber-related claims while still providing coverage for traditional D&O risks. 


Types of Cyber Exclusions in D&O Policies 

  • Entity vs. Individual Coverage: Some policies might cover the organization for cyber liabilities but exclude individual directors and officers, including CISOs. This is more common in privately held companies and non-profits where the perceived risk to individuals is lower. 

  • Investigation Costs: Policies may exclude coverage for the costs associated with internal or regulatory investigations into the actions of individual insureds following a cyber incident. This can leave CISOs bearing the financial burden of legal representation during inquiries. 

  • Independent Contractor Exclusion: This exclusion is particularly relevant for virtual CISOs who operate as independent contractors. Their client's D&O policy may not extend coverage to them, leaving them vulnerable in the event of a cyber incident. 

  • Bodily Injury/Property Damage: While less common, some policies may exclude coverage for claims arising from bodily injury or property damage linked to a cyber incident. This could be problematic if a data breach leads to physical harm or property damage. 


How CISOs Can Protect Themselves 

  • Review Your Policy: Don't assume you're covered. Carefully review your organization's D&O policy, paying close attention to any clauses related to cyber incidents or exclusions. 

  • Seek Clarification: If you find any ambiguous language or potential exclusions, don't hesitate to seek clarification from your broker, legal counsel, or the insurance carrier directly. 

  • Negotiate Coverage: If your current policy has broad cyber exclusions, try to negotiate for better terms. This might involve removing specific exclusions, adding endorsements for cyber coverage, or even securing a separate cyber liability policy. 

  • Stay Informed: The cyber insurance landscape is constantly evolving. Keep abreast of the latest trends, policy changes, and legal developments to ensure your coverage remains adequate. 

  • Document Everything: Maintain thorough documentation of your cybersecurity practices, incident response plans, and any decisions related to cybersecurity. This can be invaluable in demonstrating due diligence and mitigating potential liability. 


The Importance of Adequate Coverage 

Cyberattacks can have devastating consequences for organizations and individuals. The costs associated with data breaches, regulatory fines, lawsuits, and reputational damage can be staggering. For CISOs, who are often on the front lines of cyber defense, having adequate D&O coverage is not just a financial safeguard; it's a career necessity. 

Without proper coverage, CISOs could face personal financial ruin in the event of a major cyber incident. Legal defense costs alone can be exorbitant, not to mention potential settlements or judgments. This can lead to significant stress, reputational damage, and even career derailment. 


Conclusion 

In today's interconnected world, cyber risk is an ever-present threat. CISOs must be proactive in understanding their D&O coverage and ensuring they have adequate protection against potential liabilities. By carefully reviewing policies, seeking clarification, negotiating for better terms, and staying informed, CISOs can mitigate their personal risk and focus on their critical role in safeguarding their organizations. 
