Cyber Exposure Risk Works its Way to C-Suite - Capstone Brokerage

By: Judy Greenwald, Business Insurance, March 2018

Cyber-related claims against directors and officers have been largely unsuccessful to date, but given the plaintiff bar’s creativity and persistence, it is too soon for companies to relax and consider themselves off the hook, say experts.

Cyber D&O cases have generally been dismissed on the basis the breaches have not caused companies any material harm.

But plaintiff law firms continue their efforts, and market participants say it is premature to dismiss them as a threat.

While a cyber policy is the most likely coverage for a cyber breach, corporate directors and officers have also been targeted in litigation.

“A cyber event could potentially trigger two policies,” but in different ways, said Adam Cottini, managing director of insurance and risk management in North America at Arthur J. Gallagher & Co. in New York.

Cyber policies are “clearly responding to a failure to protect a computer system,” while D&O policies reflect an operational concern on the management liability side, said Mr. Cottini.

Cyber exposure is “absolutely” an emerging issue in terms of D&O exposure, said Chris Rafferty, Chicago-based managing director with Aon’s Aon Risk Solutions’ financial services group.

“Five years ago, D&O underwriters would often ask the question of insureds, ‘How are your cyber security procedures?’ and insureds could provide a fairly abbreviated, simplistic answer, and underwriters would check the box and move on.” Now, though, there is “a growing wariness by D&O underwriters” of the cyber issue, he said. They are exploring firms’ enterprise risk management, including cyber security, much more carefully.

Some experts said they had expected more such suits.

“I thought we’d see a lot more cyber-related D&O litigation,” said Kevin LaCroix, executive vice president of RT ProExec, a division of R-T Specialty L.L.C., in Beachwood, Ohio, adding he was surprised “we haven’t seen more.” He said part of the reason is “several high-profile cases” in 2014 and 2015 “didn’t go far” and resulted in dismissals.

“We have seen a bounce-back” on stock prices, said Mr. Cottini. When an event happens, there may be an initial downturn, but they have not been sustainable, and there is no long-term impact on shareholder value, he said.

However, “It’s always risky to underestimate the creativity of the plaintiffs bar,” said William Boeck, senior vice president at Lockton Cos. L.L.C. in Kansas City, Missouri. “They are continuing to bring lawsuits, primarily shareholder derivative lawsuits, and they are learning from past decisions,” he said.

“I expect they’ll eventually succeed,” but “maybe not across the board,” he said. A favorable ruling “may not open the floodgates, but if they find a way to plead the allegations in the complaint in a way that prevents courts from dismissing them, that is likely to generate interest in bringing more suits,” Mr. Boeck said.

Mr. LaCroix said while earlier cases that were dismissed were shareholder derivative lawsuits, cyber-related securities class action lawsuits filed last year against Sunnyvale, California-based Yahoo Inc., Atlanta-based Equifax Inc. and San Jose, California-based PayPal Holdings Inc. are taking a different approach.

In both the Yahoo and Equifax lawsuits, “the plaintiff lawyers are trying to capitalize on the delay between the discovery of the breach and the disclosure,” he said.

There has also been the issue of Equifax executives who sold company stock during this period. Equifax said in a statement that none of the executives had been aware of the breach when their trades were made.

“I think the Equifax lawsuit will be particularly interesting to watch, because I think the potential for plaintiff attorneys to be able to exploit this as a new product line, so to speak, might turn on their ability to show the delay harmed investors,” said Mr. LaCroix.

D&O underwriters are aware of the issue.

“It’s already started to impact the questions that are being asked at the underwriting stage,” said Sarah Downey, New York-based FINPRO and D&O product leader for Marsh USA Inc.

Mr. Rafferty noted that in its dismissal of the D&O suit filed by shareholders against Parsippany, New Jersey-based Wyndham Worldwide Corp. in 2014, the U.S. District Court in Newark, New Jersey, said the company had taken prudent steps with regard to cyber security and had discussed the issue during multiple board meetings.

Mr. Rafferty said if a board can establish in the context of a D&O claim that it was diligent about assessing risk, tested its vulnerabilities, quantified and mitigated the risk, insured it to the extent feasible, had a post-breach response plan in place and relied on qualified consultants and counsel, “it’s going to be that much more difficult” for plaintiff firms to successfully file a lawsuit that survives a motion to dismiss.
