NEW YORK–Directors and officers aren’t likely to face liability in the event of a cyber breach, said Paul Brophy, senior vice president at Berkley Professional Liability, adding that it may be “naively optimistic” to say so.
Brophy was speaking on a panel at Advisen’s Executive Risk Insights Conference in New York Sept. 17, where members agreed that D&O policies would respond adequately to securities class actions and shareholder derivative lawsuits brought over the breaches.
Cases such as Wyndham Worldwide, in which a breach-related derivative suit was dismissed, showed that defendants were unlikely to be found negligent and had given corporate boards a template to follow.
RECOMMENDED READING: Important cyber D&O court precendent set in recent Wyndham ruling
“There’s a checklist, and if I go and do these things, I can’t be accused of gross negligence,” Brophy said.
The defendants in the Wyndham case argued last year that the board’s refusal to pursue the plaintiff’s demand that it sue the hotelier over three breaches between 2008 and 2010 had been a good-faith exercise of business judgment, made after a reasonable investigation, and the judge agreed.
The opinion also cited actions taken by the board after the breaches, including meeting with the audit committee multiple times to discuss the company’s cyber security, hiring a technology company to investigate the breaches and make recommendations, and beginning to implement the recommendations before the final breach.
“Will cyber breaches keep happening? Yes,” said Phil Norton, national managing director of Arthur J. Gallagher’s management liability practice, who moderated the panel. “But from a derivative liability standpoint,” directors and officers are likely to be protected.
William Passannante, shareholder at Anderson Kill, said that where coverage in the event of cyber breaches overlaps between two separate policies, including a D&O policy, for example, it is better to have one insurer, so insurers will not be “pointing fingers at each other,” when it comes to responsibility for coverage.
Some carriers are evaluating cyber aggregation exposures to cyber and D&O lines of business, noted Melissa Carmichael, managing director at Aon.