The directors and officers (D&O) liability insurance market was not left unharmed after 2018’s cyber breaches and the ongoing fallout from the #MeToo movement. For one, D&O insurers will feel the repercussions from a rising number of sexual discrimination and harassment claims in 2019, which, according to one expert, can have long-term reverberations for companies.
“It can have quite a significant effect on share value and reputational damage. That can manifest itself in a couple of ways – under a D&O policy, you may have a situation where shareholders, [if] there’s been a significant dip in share value, may bring a claim in the company’s name against the perpetrator or potentially against members of the board for breaches of fiduciary duty for turning a blind eye to what has happened, or not investigating matters fully,” said Mark Sutton, senior equity partner in the Professional & Financial Disputes (PFD) group at the global law firm Clyde & Co. “There are reputational and crisis management, PR expense-type costs, which can also come into play here.”
Insureds may want to invoke parts of their policies that respond to these crisis management and PR costs, which have not been used often but may now be called upon more frequently in light of the past year’s events. Investigation costs could also be significant, based on the size of the organization and the type of claim being filed.
“There’s a question for coverage around the scope of cover that you purchased and whether or not those types of investigation costs would be covered before a claim has actually been made,” said Sutton. “It’s certainly something that I think the insurance market wants to keep one eye on.”
#MeToo isn’t the only issue keeping directors and officers up at night, as organizations continue to be pelted with small- and large-scale cyberattacks. The danger for companies lies in their management’s response, or lack thereof, to cyber breaches of sensitive data.
“Many of the recent incidents have involved breaches that initially occurred some time ago, and we’re starting to see the typical shareholder plaintiffs’ firms begin to bring actions or consider bringing actions related to management response to those claims. That’s a different type of claim than we’ve seen so far relating to cyber breaches and to cyber incidents,” said Brendan W. Hogan, attorney at Bradley Arant Boult Cummings LLP. “No one’s been successful in those actions yet, but from a D&O insurance perspective, the fact that they’re starting to bring them is almost as concerning because of the high defense costs that are often associated with those types of actions.”
Companies that have a presence in the European Union are particularly on their toes, with the General Data Protection Regulation (GDPR) coming into effect in 2018 and putting into place the strongest data protection regime in the world.
“We haven’t seen public regulatory action to a large degree yet in response to GDPR, but I think that it’s just a matter of time before that happens, especially with recent events in the news,” said Hogan. “It’s an evolving area and I think that the regulatory action is certainly not going to go away. We expect that it’ll continue to expand in the coming years, and obviously making sure that your D&O policy is, as a policyholder, appropriately structured to provide coverage for regulatory investigations is important.”
A common point of concern that comes up when Hogan works with clients is also important for brokers and agents to note as they help insureds understand their D&O policies.
“One thing that we often are asked about and help our clients with is how the term ‘claim’ is defined in their D&O policy because, as a policyholder, you have to make sure that the first time one of your employees or board members receives a subpoena relating to an investigation, that that’s covered under your policy,” explained Hogan. “You don’t want to have to wait until the formal charges are filed – that’s likely many months after the investigation begins and many months of defense fees and attorney costs that haven’t been picked up by insurance if your policy is structured the wrong way.”
As regulatory actions move from areas that have traditionally been heavily regulated to other less regulated sectors, some organizations will need to re-examine their own readiness, as well as that of their policies, for cyber-related incidents.
“Almost every company has some sort of cyber exposure now, so companies in areas that are not as highly regulated need to start thinking more clearly about how those terms are defined in their policies, and their agents and brokers should do so as well,” Hogan told Insurance Business. “That’s something that can be done fairly easily in the renewal process or in the placement process.”