Why the pressure is on directors and officers over cyber
| Surina Nath | Insurance Business America
The pandemic, coupled with a hard market cycle, has forced brokers and insurers to prioritize risk differently. After waves of ransomware attacks and security breaches, it’s no surprise that cyber security and cyber education is top of mind in this equation.
Cyber risk has taken centre stage with the shift to remote working models last year, with cyber criminals taking advantage of the vulnerabilities that continue to grow within a business’s spaced-out digital infrastructure.
“Cyberattacks are now seen as one of the most serious economic and national security challenges that governments around the world are faced with,” said Tony McIntosh, president of MGA AuraRisk, and EVP for the Liberty Company.
“Companies that once felt like they have relatively little exposure are seeing attacks of all varieties,” he said. “From governments, utilities, individual, medical, academic institutions – cyber is top of mind for companies of all sizes.”
Due to the digital interconnectedness companies now have, the risk of cyberattacks and data breaches have only increased. It is now much easier for criminals to shut down a company’s network, steal personal or financial information, or put entire supply chains at risk.
This is where cyber coverage spills over into the liability space, as cyber insurance is also influencing the directors and officers (D&O) space, according to McIntosh.
“Oversight and increased requirements for disclosure on cyber security is making D&O coverage quite important with the rise of cyberattacks and breaches,” he explained.
D&Os are responsible for ensuring they’re taking the necessary steps to protect their company’s digital assets.
“In the case of a data breach, D&O’s can be hit with a shareholder’s suit or a shareholder derivative action claiming that directors breached their fiduciary duty as an example to the company for failing to put adequate cyber security measures in place,” he said.
“Many legal experts at this point are predicting that more cyber related D&O lawsuits from increased regulatory oversight are going to keep coming forwards. We have some challenges on our hands with cyber and D&O as the two are now connected.”
D&Os are expected to be informed about digital security and to have the necessary coverage in place to protect their firms from employees that are hit by an attack and subsequently pursue legal action.
Taking the lead on claims
When it comes to claims activity, ransomware has taken the cake, but there has also been an increase in business email compromise claims because of at-home workforces. With the prevalence of cyber-criminal activity, cyber insurance has gained more importance for businesses across the board.
“I think cyber insurance is here for the long-run,” McIntosh explained. “It’s not going anywhere and unfortunately it’s going to get more expensive for companies. Insurance rates in cyber are likely going to increase by 100%-200% over the next two years before they start flattening out.”
There’s not enough rate adequacy in the marketplace for SMEs with cyber, so it’s been tough for those companies or first-time buyers to obtain terms that are comprehensive enough with limits, while also proving cost-effective.
“Cyber underwriters are now paying much closer attention to insurance risk management policies and practices,” McIntosh said. “Nearly all insurers request supplemental underwriting questionnaires or additional questions about loss control policies, and the answers to those questions will positively or negatively impact the carriers’ terms and conditions.”
Unsatisfactory answers will likely lead to declinations, non-renewals, or unfavorable terms, so it’s vital to communicate with insureds about taking proactive cyber security measures.
Brokers can get in front of renewals and talk to their insureds about how they are reinforcing their cyber security measures in preparation for a potential breach, and McIntosh notes that brokers should also be educating insureds on the cost of a breach, and the cost of transferring that risk with a policy.
“Brokers need to have these conversations with their insureds, especially in this hard market,” he said.
Every business has a potential exposure whether it be construction or transportation. Taking a holistic approach to risk management and creating open methods of communication with clients about their security framework to protect an enterprise from potential breaches is key.
Carriers advise and require insureds to have certain protocols such as multi-factor authentication (MFA) and end point isolation in place to mitigate fraudulent activity.
“It’s not a matter of if, it’s a matter of when - and it’s important to be scanning the entire network for vulnerabilities to bolster security measures from the get-go,” said McIntosh.