Responding to Cyber Attacks: How Directors and Officers and Cyber Policies Differ
Cyber incidents continue to grow in frequency and severity, especially as new technology emerges. D&O and cyber liability policies provide distinct coverage, so their terms need to be carefully structured to avoid potential gaps.
Technology advancements, including generative artificial intelligence (AI), require directors and officers to remain vigilant as threat actors harness these applications to create new exposures. Directors’ and officers’ (D&O) policyholders must have a clear grasp of how their policies will respond in the event of a cyber incident. This includes understanding how their D&O policy coverage differs from their cyber liability policy.
What is Directors and Officers insurance?
The policy protects Directors and Officers (D&O) who are sued in their personal capacity for a wrongful act, that is, an unintentional error or omission made in the performance of their duties for the Company. Although the cover is purchased by the company, the primary coverage is for and on behalf of the Directors and Officers themselves.
The cover advances defence costs in the event of a claim made by shareholders and third parties, subject to final non-appealable adjudication or written admission.
A D&O policy would provide cover for:
- Side A – Individuals in executive positions: Individuals who hold a position of power within an organisation can be held personally liable for acts of negligence or failure in their fiduciary duties. Example: The shareholders of a company launch a lawsuit against its directors, alleging that they breached their fiduciary duties by authorising the acquisition of another organisation at an exorbitant cost. The parties reach a settlement in which the defendants compensate the organisation. The law prohibits the company from indemnifying amounts paid to it in settlement of derivative lawsuits such as these, because the payment would be circular in nature; this is where D&O insurance comes into play.
- Side B – Corporate reimbursement: A D&O insurance policy reimburses the losses incurred by a company if the company had to pay costs related to a D&O claim. For example, if a claim is brought against a company practice and the company suffers a loss, D&O cover would reimburse the organisation for the expenses, ultimately protecting its balance sheet.
- Side C – Indemnity for an entity: Securities entity coverage is the only section of the D&O policy that extends to the Company itself as an Insured. This section is limited to securities claims against the company; “securities” in this context refers to the Company’s shares.
The link between Directors and Officers Insurance and Cyber Risk
While it may seem unrelated, there has been an uptick in cyber-attacks that have led to directors being sued in their personal capacity. Although a standard D&O policy covers individual directors for all acts, errors and omissions, which could include matters relating to a cyber incident, insurers are introducing cyber exclusions for losses resulting from cyber incidents. D&O exclusions related to contractual violations or certain unlawful conduct could also limit or negate coverage for cyber-related losses.
“Effective management of a company entails a list of duties, and of those, keeping shareholders satisfied is one. A D&O policy would be triggered if shareholders are not satisfied and take legal action against the directors of the company for mismanagement or failure to act in the company’s best interest. Mismanagement may bring about a drop in the company’s share price, which could lead to a derivative lawsuit and/or a breach of fiduciary duty that is covered by a D&O insurance policy,” explains Kamohelo Mokoena at Aon South Africa’s cyber solutions and professional indemnity division.
“Reputational damage is a significant risk for Directors and Officers, as negative publicity can lead to loss of investor confidence, regulatory scrutiny and financial decline. In context, reputational harm can arise from Cyber breaches, corporate scandals or executive misconduct,” Kamohelo describes.
However, if a claim is made as a result of a cyber incident and cyber risk is excluded from the D&O policy, the directors would not be covered. Cyber insurance offers cover for loss of data, IT specialists to investigate breaches, notification costs and regulatory investigations arising from a cyber-attack and/or data breach, amongst other things.
“When cyber insurance is combined with well-structured D&O cover, it provides the full spectrum of risk transfer when it comes to a possible cyber incident. Both policies, along with optimal wording to capture the exposures attenuated by cyber incidents, are crucial for optimal risk mitigation,” Kamohelo explains.
Legislation
South Africa has introduced three key pieces of legislation related to IT governance in the form of the King IV report[1], the POPI Act[2] and the Financial Sector Regulation Act, Joint Standard[3]. These pieces of legislation have been simmering in the background, but a recent intervention by the Information Regulator of South Africa made headlines when it ordered a credit bureau to implement remedial measures to address various failings found in a major 2022 data breach[4].
A D&O policy generally does not cover fines and penalties, as they are often considered punitive rather than compensatory. Some policies may cover civil penalties if they are insurable by law.
“In varying degrees, each of these pieces of legislation holds management accountable for compliance with the effective management and mitigation of IT-related risks. While many organisations leave IT-related processes and work to their IT department, it often separates IT requirements from the whole entity even though ultimately, the directors and officers can be held liable by regulatory bodies. It once again highlights the delicate link between cyber risk and its implications for directors and officers within an organisation,” Kamohelo explains.
It is crucial to engage with a specialist broker and risk advisor about your organisation’s exposure from a cyber risk perspective and its implications for the organisation’s directors and officers. “In an increasingly digitised world, a cyber breach can have dire consequences for an organisation’s reputation, its share price, its bottom line and operations. Being informed of the risk, being prepared for its eventuality and having the necessary mitigative strategies in place is crucial for optimal risk mitigation,” Kamohelo concludes.
[1] https://www.pwc.co.za/en/publications/king4.html
[3] https://jutacomplinews.co.za/media/filestore/2024/07/Joint_Standard_2_of_2024__Cybersecurity__Cyber_resilience_Requirements_1.pdf
[4] https://businesstech.co.za/news/business/763503/information-regulator-nails-transunion-for-massive-data-breach-in-south-africa/