Part of the problem is that it's difficult for directors to claim ignorance of cyber threats these days, given all the publicity surrounding the theft of personal data and high-profile incidents of hackers holding a company's tech systems hostage. However, there is apparently far less clarity about whether corporate board members may be individually exposed to lawsuits in the aftermath of a cyberattack, and if so whether standard directors and officers (D&O) insurance covers emerging cyber-related liabilities.

(Photo: Shutterstock)

Perhaps the most prominent potential “nightmare” scenario keeping directors up at night is the likelihood of shareholder lawsuits if a cyberattack negatively impacts a company's stock price. But those at the RIMS conference cited a number of other possible exposures involving claims of negligence, with directors being held accountable for overseeing the adequacy of their company's cyber risk management efforts.

For example, litigation could conceivably result if a company:

Neglects to notify affected stakeholders about a cyber breach in a timely manner — including customers, business partners and regulatory authorities.

Lacks robust risk management and training programs to prevent and mitigate cyber losses — or if they do have a plan in place, doesn't follow or enforce their own loss control protocols, resulting in a breach.

Fails to live up to regulatory certifications about their cyber security and recovery capabilities.

Declines to purchase cyber insurance — or even if the company did buy such coverage, either the policy lacked adequate limits or left a key liability exposed.

Related: Company cyberinsurance — the supply chain dilemma

Carefully review policies

Risk managers and their brokers should therefore be going over D&O policies with a fine-tooth comb, presenting multiple threat scenarios and asking how their insurers would respond to a claim. Companies might consider buying wrap-around coverage adding cyber risks to an existing policy that is otherwise “silent” on such exposures.

(As an aside, during the RIMS conference I heard that even if D&O carriers are willing to name cyber as a covered contingency, they may still exclude those risks unless a company also purchases specific cyber insurance for their other property and general liability exposures.)

Related: Liability claims: Emerging technological influences to watch

(Photo: Shutterstock)

In any case, corporate risk managers should be working closely with their compliance department to help respond to the likelihood of growing (and sometimes conflicting) regulatory demands when it comes to cyber exposures. One example cited was marketing material and documents prepared for investors. If such publications cite a company's cyber risk management as “state of the art” or some similarly reassuring characterization, that high standard had better be easily documented and demonstrable — especially with regulators starting to require certifications about the adequacy of cyber risk management programs.

At the conference I heard that risk managers should pay particularly close attention to potential cyber exposures during mergers and acquisitions, both in terms of security gaps that could emerge while integrating an acquired company's systems, as well as during the due diligence phase, when confidential data is being shared by multiple parties.

Desperately seeking cyber expertise

One positive trend is that more boards are reportedly looking to add members with cyber expertise — although the talent shortage in the information technology field in general, and cyber security in particular, could make such a laudable goal difficult to fulfill. In the interim, a lack of internal know-how puts additional pressure on a company's risk manager, insurance broker, and legal department to anticipate and close any potential coverage gaps that could leave D&Os vulnerable.

Related: Protecting Suits from Losing Their Shirts

These concerns are likely to become more acute over time thanks to a variety of contributing factors, such as the rise of geopolitically-motivated hacking as well as the rapid expansion of the Internet of Things. Increased connectivity means more potential cyberattack entry points to worry about.

Complicating matters is the fact that cyber coverage in D&O and other standard policies remains a work in progress. Insurers are still testing the waters in this promising but problematic growth market, grappling to come to grips with a constantly evolving exposure. That means neither buyers nor brokers can afford to take anything for granted on cyber risks. The broader and more specific coverage a risk manager and broker can negotiate, the better—at least until there is more standardization in how insurers write cyber, and both sides gain experience and confidence in recognizing and accounting for such exposures.

Related: InsurTech: 3 misconceptions and 1 call to collaborate

(For more on how insurers and corporate buyers might go about overcoming these and other obstacles hindering the cyber market's development, see the research report I recently published on Deloitte University Press, “Demystifying Cyber Insurance,” co-authored by my colleague, Adam Thomas, a principal in Deloitte's Cyber Risk Services team.)

Sam J. Friedman ([email protected] is insurance research leader with Deloitte's Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.