
Reaching new heights: corporate leaders may become targets in class action suits for allegedly failing to protect their organizations from cyberbreaches.


When the 2013 winter holidays rolled around, it was business as usual for Target Corp.'s board of directors. But after hackers launched one of the largest data breaches on record during the busy retail season, it wasn't just the 40 million customer credit and debit card records, along with 70 million individuals' personal information, that were lost. The attack also rattled the mega-retailer's uppermost corporate layers.

Fallout from the hack not only prompted the ousting of Target's chief executive officer, Gregg Steinhafel, but it also spawned at least two shareholder derivative suits against the company and its directors and officers, and prompted proxy firm Institutional Shareholders Services to recommend that investors remove seven board members for allegedly breaching their fiduciary duties by failing to protect the company from the breach.

Cases like that are becoming more common, and experts anticipate that the rampant growth of cyberattacks will push that trend further.

While Target's board members were eventually able to convince shareholders to re-elect them, the costly breach forced company leaders across all sectors to re-examine what responsibility and potential exposures they could face if hackers compromised their organizations' computer systems.

Many companies remain lax when it comes to cybersecurity measures. In fact, 37% of global organizations surveyed in EY's 2014 Global Information Security Survey said they were unprepared for a cyberattack.

That's a costly misstep, experts say. Loss of data, productivity, intellectual property, reputation and finances can all stem from a cybercrime. The average consolidated total cost of a data breach is $3.8 million--a 23% increase since 2013, according to the 10th annual Cost of Data Breach Study sponsored by IBM and conducted by the Ponemon Institute. In Target's case, not only did sales plummet immediately following the 2013 attack, profits for the quarter fell 46% and the organization had to pay out $10 million to settle a lawsuit brought by shoppers affected by the breach.

Corporate leaders may increasingly find themselves targets in shareholder class action suits for alleged exposures such as breach of duty, negligence, gross mismanagement, abuse of control--to name a few, said Tom Kang, cyber product manager at Hartford Financial Services Group.

Taking Cover

Recent high-profile attacks on big-name brands like Sony, Home Depot, Staples, eBay and others are triggering greater awareness of the need for cyber-related D&O coverage protection, said Eric Marier, assistant vice president of specialty claims for The Hanover Insurance Group.

"Today, shareholders, consumers, clients, vendors and others aren't shy about pursuing legal recourse against companies and their executives for breaches," he said.

That's not surprising, added Helen Savaiano, Hanover's president of management liability. "The purpose of D&O coverage was to protect boards and officers from a breach of fiduciary duty. But now that cyber is yet another source for exposure into their D&O coverage, that's a new component companies have to address."

There are really two coverages at play here, Kang said. D&O policies respond to shareholder suits involving financial assets of a corporation, while cyber policies pay for costs to handle the actual breach.

"Many aspects of cyberbreach expense and loss would not be covered under a traditional D&O policy," Savaiano said. "The most prudent way for a private company to protect itself is to purchase D&O and cyber coverage to more fully ensure robust risk transfer and protection."

For public companies with D&O liability insurance, "more than 95% of D&O policies will cover companies from the breaches that directors and officers have," said Chris Keegan, the head of Beecher Carlson's national cyber practice. "However, in some D&O policies there have been a few quirky exclusions related to breaches of privacy that have yet to be interpreted by courts. But most policies on the D&O side don't make any reference to privacy, network security, data breaches, so it comes in as just part of the overall breach of care or breach of duty of loyalty to a company that you would expect to be covered under a D&O policy."


Cyber events have yet to translate into material security class action or material derivative exposures, said Steve Boughal, Hartford's chief underwriting officer for management and professional liability. "However, as case law and exposures evolve, we anticipate that will soon change. So a D&O policy that can respond to a shareholder suit that may arise from a cybersecurity event is very important to have in place."

Step by Step

What can boards do to protect themselves from a cyber backlash?


First, it's important for directors and officers to get educated and ask the right questions, Kang said. "Also, create a factual record of the board's involvement in cybersecurity issues and document that rationale. That doesn't mean [boards] need to create a perfect security system; anyone can be breached. But it is important to be able to show the board is actively engaged in the cyber-related risk management decision process."

Companies also need to understand that it's "when, not if" a breach will occur, he added. "Then focus on incident preparedness, such as business continuity and disaster recovery plans. Think about how to respond to those issues. Finally, decide how to allocate resources and designate which risks to retain and which can be transferred to a third party like an insurer."

"There's no question that boards of directors have a fiduciary duty to ensure their organizations have adequate security measures in place," Kang said. "Cyber and information security has and continues to be a daunting challenge. It's a relatively new topic for directors and officers who are used to dealing with compliance and financial reporting issues. Cybersecurity can be intimidating because of the technical language and the sheer breadth of challenging issues."

Also taxing is the shortage of individuals available to provide appropriate board-level advice, Kang added. "A board's role is to think about cybersecurity from an overall risk management perspective versus getting too deep into the specific controls an organization needs to adopt. That's something board members have to keep in mind while still understanding their role and accessing information at the right level."

Corporate leaders also need to have a full understanding of regulations in place, such as the Securities and Exchange Commission guidelines (issued in 2011) for public companies regarding proper disclosures for cyberattack incidents.

More recently, in what some dub the "Neiman Marcus case" (in 2014, thieves stole customers' payment card information from the retailer and made unauthorized charges), the Seventh Circuit ruled that victims of data breaches have standing to litigate class actions. "That rule changed the dynamic by saying maybe there are damages you can assess as a result of loss or disclosure that you may be held liable for in a class action," Keegan said. "However, the rule is being appealed at another level. I think, the way the law is developing, class action lawyers are losing most cases, but they're also getting smarter and finding laws they can use to base successful actions on. As time goes by, we'll see more of those actions becoming successful."


Directors' and officers' involvement in breaches remains "very much an evolving area of law," Marier said. "There is still no set of standards at the state or national level that would give us a consistent framework to work with. However, there is a patchwork of different statutes that impose various obligations on companies depending on where they conduct business and what kind of information they handle."

A Helping Hand

Cyber-related D&O liability needs to be at the heart of boardroom discussions, Marier said. "All companies should be alert to this problem because of recent, very public data breaches and the resulting fallout."

As for smaller private companies and nonprofits, "I'm not sure the message has gotten all the way down to some of them yet," he added. "But it's certainly on the radar for many, and we're hearing from agents that people are interested in this coverage. It's only a matter of time before everyone has this front and center in their minds, and that's why we're making sure our agent and broker partners really understand the facets of the coverage."

Carriers and producers play a valuable role in helping companies "get their head around cybersecurity," Kang said. "From an application and underwriting process, we have a holistic approach to underwriting cyberrisk. It's not enough to focus just on particular controls companies are leveraging. Underwriters need to view the whole picture." Hartford recently developed a service that will help to map out a company's cyber landscape. "We can also take a leadership role in developing relationships with breach response partners who help companies through that process when there is an incident."

Beecher Carlson helps organizations put hard numbers around possible exposures. Its Cyber In-Site Probable Maximum Loss Calculator assesses and models 17 different components to examine "the types of information a company has and works through what the cost is for forensics, notification and liability if private information is lost or stolen," Keegan said.

"We place cyber insurance and D&O liability policies for companies looking at these issues and for those wanting to insure themselves," he said. "Today, cyber is becoming a necessity for companies reliant on technology; it's not a matter of should they buy it, but how much and what coverages."

Gearing Up

The threat of cyberbreaches isn't fading anytime soon. In fact, the World Economic Forum's Global Risks report ranks cyberattacks as one of the top 10 risks most likely to cause a global crisis.

Will those hacks generate future cyber-related D&O lawsuits? Most likely, Kang said. "That's why companies need to continue broadening their cyber policies to include loss prevention and risk mitigation tools. What separates cyber from other professional liability coverages is that it pervades every area of risk within an organization."

Already, growth in cyber insurance "has become tremendous and will continue to be very high over the next five to 10 years as risks grow," Keegan said. "Many companies are beginning to increase coverage limits. For example, those who may have dipped their toe in the water a few years ago with $10 million to $20 million in coverage are now raising those limits as they see losses occur."

"Companies are likely right in their predictions, 'The worst is yet to come,'" he said. "There will be some big breaches in the future, and we'll see some stock impacts from that, along with some companies being forced out of business because of new malware attacks. Insurers are looking at that closely and trying to work out what potential exposures are."

As for company directors and officers, "the best thing they can do is understand their potential exposures and develop a plan for dealing with them," Marier said. "We all know Home Depot and Target had very robust cybersecurity systems in place; however, it didn't stop hackers from finding an entry point. Company leaders of businesses of all sizes need to get their arms around the reality that everyone is vulnerable and focus on what they'll do when it happens."

Learn More

Hanover Insurance Group

A.M. Best #04861

Hartford Financial Services Group

A.M. Best #018217


Lori Chordas is a senior associate editor. She can be reached at
COPYRIGHT 2016 A.M. Best Company, Inc.

Title Annotation:Cyber: Directors and Officers
Author:Chordas, Lori
Publication:Best's Review
Date:Feb 1, 2016