Three Ways To Reduce D&O Cyber Risk

Cyber risks, including the risk of ransomware attacks, are proving to be a direct threat to company officers and directors. D&O lawsuits targeting officials at Alphabet Inc. (parent of Google) and Marriott are just two high-profile examples.

There are three basic ways to reduce these risks, according a post from risk and actuarial consulting firm Milliman. The first is to purchase sufficient cyber insurance. The cost has increased dramatically – 56 percent during the second quarter of this year, according to a recent Marsh report. But that cost pales in comparison to the costs of an uninsured catastrophic cyber event, and failure to purchase cyber insurance, or sufficient cyber insurance, can be deemed a breach of fiduciary duty and become grounds for a lawsuit.

The writer’s second recommendation is to analyze and understand the terms of whatever D&O policies are in effect, with particular attention to exclusions, keeping in mind this is a volatile moment for cyber risk, and carriers may changed policy terms at renewal time. Also keep in mind that what qualifies as an appropriate coverage limit may well have increased since the last time policies were inventoried. While it is true that D&O claims are often dismissed, that typically will happen only after litigation has begun.

Risk prevention and mitigation make up the third recommendation. Prevention includes both operational security measures and employee training, and could also include having a security expert on the board. In terms of mitigation, one key measure, in addition to insurance, is having a clear policy mandating prompt communication of a breach incident, as failure in this regard may in itself be grounds for a D&O claim.