Canadian property and casualty insurers writing directors and officers (D&O) policies are seeing a convergence between mounting cyber claim losses and lawsuits against companies’ directors for failing to implement cyber security controls.
Canada has seen more than 150,000 reported cases of fraud since January 2021, leading to roughly $600 million in losses, according to the Canadian Anti-Fraud Centre. In 2023 alone, the Centre received 63,519 reports from 41,988 victims, resulting in losses of $569 million.
These claims don’t just impact cyber policies, they’re affecting D&O policies as well, says Andre Linsky, senior manager of professional and management liability at Sovereign Insurance.
For example, in a typical data breach lawsuit, customers might go after a company for failing to protect their personal information. Their damages may include an increase in phishing attempts aimed at them, or the cost and inconvenience of replacing credit cards or identity documents after thieves used the stolen data to defraud them.
In a D&O version of that lawsuit, class actions launched by customers or shareholders may accuse the corporation’s directors and officers of failing to adopt adequate cybersecurity measures to protect them.
“It could be customers who say, ‘Hey, you, Mr. Director, you were supposed to put procedures and controls in place to protect my personal information. You didn’t do it, and now I suffered,’” says Linsky.
“Or a shareholder could say, ‘Mr. Director, you didn’t put the right procedures in place. We got cyberattacked, and now all the shareholders lost X amount of money.’
“And even employees might sue the company’s directors. They might say, ‘You didn’t protect the company, and now the company is going bankrupt, and I’m losing my job.’”
Linsky cites the example of a medical services company that suffered a data breach in 2019. The company approved up to $9.8 million in settlement payments, which it initially expected to work out to $50 to $150 per claimant, depending on how many claimants came forward. More than 900,000 valid claims were made, bringing the per-claimant payment down to $7.86.
But what if a breached company did not have a cyber insurance policy? That’s a lot of uninsured settlement money to be paid, which directly affects the company’s bottom line. And what if the payouts bankrupted the company, or significantly decreased its share value? In either scenario, shareholders could launch a class action against the company’s directors.
And so D&O underwriters, like cyber underwriters, want to know about the company’s cybersecurity posture when considering how to underwrite the D&O policy.
As an underwriter, “I would want [company boards] to deal with a specialized firm in cybersecurity to create a breach response,” says Linsky. “Because we know, unfortunately, it’s not if it will happen, it’s when it happens. So, how are you going to respond when it happens?”
Notification requirements need to be a part of any organization’s breach response plan, and D&O underwriters will be asking about the process for notifying regulators and people whose information has been breached.
Also, the thrust of several cyber-related D&O claims is that company boards do not do enough to prevent cyber losses before they happen. And so, underwriters will want to see directors do their due diligence in establishing basic controls to protect companies against cyber losses.
They will want to know, for example, whether the company carries a cyber insurance policy. If it does not, a D&O underwriter may opt to write exclusions for cyber-related claims into the D&O policy. Such exclusions are particularly likely when the client organization, a hospital for example, handles large amounts of sensitive personal data.
This article is excerpted from one appearing in the August-September 2024 print edition of Canadian Underwriter.