Known unknown: Severity of gross negligence charges against boards after cyber breaches

By Cate Chapman on September 17, 2015
Executive Risk Insights Conference, produced by Advisen, held on September 17, 2015 at the Marriott Downtown in New York. (Photo: www.JeffreyHolmes.com)

NEW YORK—Directors and officers will face accusations of gross liability following a cyber breach, said Paul Brophy, senior vice president at Berkley Professional Liability, but he is “optimistic, perhaps naively so” that notable derivative suits will be dismissed.

Brophy was speaking on a panel at Advisen’s Executive Risk Insights Conference in New York Sept. 17, where members agreed that D&O policies would respond adequately to securities class actions and shareholder derivative lawsuits brought over the breaches.

Boards are currently facing cyber-breach-related derivative liability suits alleging gross negligence, but they should be able to present defenses against accusations that they breached their duty of care to shareholders, and be able to use certain clauses that protect them from being sued.

Cases such as Wyndham Worldwide, in which a breach-related derivative suit was dismissed, showed that defendants were unlikely to be found negligent and had given corporate boards a template to follow.

RECOMMENDED READING: Important cyber D&O court precedent set in recent Wyndham ruling

“There’s a checklist, and if I go and do these things, I can’t be accused of gross negligence,” Brophy said.

The defendants in the Wyndham case argued last year that the board’s refusal to pursue the plaintiff’s demand that it sue the hotelier over three breaches between 2008 and 2010 had been a good-faith exercise of business judgment, made after a reasonable investigation, and the judge agreed.

The opinion also cited actions taken by the board after the breaches, including meeting with the audit committee multiple times to discuss the company’s cyber security, hiring a technology company to investigate the breaches and make recommendations, and beginning to implement the recommendations before the final breach.

“Will cyber breaches keep happening? Yes,” said Phil Norton, national managing director of Arthur J. Gallagher’s management liability practice, who moderated the panel. “But from a derivative liability standpoint,” directors and officers are likely to be protected.

William Passannante, shareholder at Anderson Kill, said that where coverage in the event of cyber breaches overlaps between two separate policies, including a D&O policy, for example, it is better to have one insurer, so insurers will not be “pointing fingers at each other” when it comes to responsibility for coverage.

Some carriers are evaluating cyber aggregation exposures to cyber and D&O lines of business, noted Melissa Carmichael, managing director at Aon.