For many D&O insurers, the risk of exposure posed by cybersecurity incidents involving their insureds has been unclear at best. Cybersecurity incidents, and the corresponding shareholder claims that follow, pose unique and challenging coverage issues under D&O insurance policies. Over the past several years, shareholder claimants have had only limited success with derivative lawsuits and securities class actions against companies’ directors and officers after cybersecurity incidents, such as a data breach. These defense-friendly case decisions have shielded D&O insurers from potentially hefty jury verdicts and damages – to date.
However, D&O insurers should not get too comfortable. New developments have imposed additional responsibilities on company directors and officers in the cybersecurity area – most recently in sweeping regulations promulgated by the New York State Department of Financial Services. These new responsibilities suggest an evolving standard of care for a corporation’s board and/or C-Suite officers with respect to preventing, developing, implementing, and maintaining cybersecurity policies and programs to mitigate, detect, and respond to cyber risks. Armed with an ever-evolving standard of care, corporate shareholders may be able to hold corporations and their management responsible for flawed or inadequate cybersecurity decision-making, which would inevitably lead to heightened exposure risks for D&O insurers in this volatile area...
Originally published in the PLUS Journal - Fourth Quarter 2017.
Laura Schmidt is no longer an attorney at White & Williams.