Risk managers should review D&O policy for cyber liability coverage

Problems in the company’s server room can easily spread like a virus into the boardroom, and companies should make sure a proper risk management strategy for cyber risk is in place for a company’s directors and officers, BFL observes in the Spring 2009 version of its online publication, The Cover Note.
“With the tightening of laws and regulations concerning information technology, a greater strain could be placed on directors’ liability and this should be one more reason for organizations to either purchase D&O insurance or review the scope of their existing coverage,” BFL Canada notes in its newsletter.
A risk management strategy will likely include D&O insurance, but it would be wise to review whether or not the company’s D&O policy should be supplemented with policy coverage specifically related to risks associated with cyber liability.
“It is essential to note that a D&O policy will NOT provide automatic coverage for cyber claims,” the newsletter says.
In fact, BFL Canada adds, “the wording of the allegations [in a lawsuit] against [directors and officers] will determine if the policy responds to provide defence costs and the nature of the alleged damages will need to fall under the scope of coverage or not be excluded.”
In preparation for claims arising from cyber risks (data breaches, data theft, etc.), BFL advises directors and officers to ensure the following points are taken into account in their D&O insurance policies:
* removal of the professional services exclusion, since cyber claims often stem from performance of professional services;
* removal of any clause imputing the knowledge of one insured onto another. This would help to offer protection to innocent parties that did not misrepresent on the application;
* worldwide jurisdiction, since cyberspace knows no borders;
* deletion of any punitive exemplary damage exclusion; and
* clarification of the priority of payments clause: if the policy covers both the directors and officers of the company, there should be an endorsement stipulating that priority will go to the individuals over the company with respect to payments.