
D&O coverage issues arising from increased cyberattacks, shareholder suits


As cyber risks only continue to worsen, these lawsuits spotlight potential cyber coverage issues for D&O policies.


Following multiple cybersecurity incidents that allegedly affected millions of patients at LabCorp, which operates one of the country’s largest clinical laboratory networks, a shareholder filed a lawsuit against certain of the company’s directors and officers.

The lawsuit against LabCorp’s directors and officers is part of a growing trend of claims against directors and officers of companies arising out of data breaches or other cybersecurity incidents.

In recent years, more than half a dozen securities and shareholder derivative lawsuits were brought against companies and/or their directors and officers arising out of an underlying data breach. As cyberattacks become more frequent, the number of lawsuits brought by shareholders related to cyber incidents will likely increase as well.

Such lawsuits typically allege that the company’s management failed to implement adequate safeguards against such incidents, failed to adequately disclose the company’s cybersecurity protections and/or the impact of a data breach on the company’s business. While D&O liability insurance generally affords coverage for securities and shareholder derivative lawsuits, specific coverage issues may arise when coverage is sought under a D&O policy for a cyber-based claim.

This article will discuss the growing trend of securities and shareholder derivative lawsuits arising from cyber-related events. Next, we will discuss the potential coverage issues that could arise under D&O policies for such cases. Finally, we will provide recommendations for D&O insurers looking to manage the growing risk of shareholder lawsuits arising from cyber incidents.

Derivative and securities litigation arising from cyber incidents

Shareholder derivative or securities class-action lawsuits arising out of underlying cybersecurity incidents or data breaches are a relatively new phenomenon.

According to Stanford Law School’s Securities Class Action Clearinghouse (SCAC), the first known securities class action lawsuit against a company following a cyber incident was filed in 2015 against LifeLock Incorporated. Since 2015, six securities class actions arising out of a data breach incident have been commenced, according to SCAC.

One high-profile example followed the 2016 reporting of two data breaches of Yahoo’s systems. After the report, Yahoo was named in a securities class action, and its management was sued in a shareholder derivative action. The securities lawsuit brought against Yahoo alleged that Yahoo and certain of its directors and officers made materially false and/or misleading statements and failed to disclose certain material facts of the data breaches in its public filings. The securities class action was reportedly settled in March 2018 for $80 million. In addition, a shareholder derivative lawsuit filed against certain of Yahoo’s directors and officers was settled for $29 million. The stipulation of settlement in the derivative action called for the settlement to be paid for by the defendants’ insurers.

Conversely, a shareholder derivative lawsuit commenced against Target’s management following a data breach that occurred in 2013 was dismissed. The breach allegedly affected as many as 110 million customers, who had credit/debit information compromised. The lawsuit, brought against Target’s directors and officers, alleged that the defendants failed to properly provide for and oversee an information security program and failed to provide customers prompt and accurate information in disclosing the breach. In July 2016, a judge in the U.S. District Court for the District of Minnesota dismissed the lawsuit.

As noted above, most recently, a shareholder lawsuit was filed against certain LabCorp directors and officers. This lawsuit appears to be novel in that the allegations are based not only on LabCorp’s own purportedly inadequate cybersecurity protections but also on a breach of a third-party vendor’s systems.

It is alleged in the derivative lawsuit that the third-party debt collection company, American Medical Collection Agency (AMCA), had suffered a breach of its payment portal, which affected more than 10.2 million LabCorp patients. It is further alleged that LabCorp’s management breached their fiduciary duties to the company by, among other things, providing personally identifiable information and private health information to a “business associate” with deficient cybersecurity and data breach detection and safeguards.

Coverage implications and exclusions to consider

While directors and officers of publicly traded corporations are the named defendants in securities and shareholder derivative actions, as the Yahoo example illustrates, it is the company’s D&O insurers that may be called upon to fund a settlement or an award of damages.

Although the terms of the specific policies will control, some exclusions that are common in many D&O policies may be relevant to securities and derivative lawsuits arising from a cyber incident. It should also be noted that since such claims are relatively new, there does not appear to be any insurance coverage litigation in which courts have considered issues of coverage for D&O claims arising from cyber incidents.

However, given that this claim trend is still developing, D&O insurers may consider adding a specific exclusion for claims arising out of data breaches or other cyber incidents if they want to be protected from such claims.

An exclusion that is common to many D&O policies, and which may apply to a claim arising from a cyber incident, excludes coverage for lawsuits alleging bodily injury, property damage, and a number of torts, including publication of material that violates a person’s right of privacy. Given that a data breach may result in the release of private information online, such a breach may constitute an excluded publication of material that violates a person’s right of privacy.

Here, the wording of the D&O policy’s exclusion, particularly the specific “lead-in” language, will control. Some D&O policies contain broad “lead-in” language providing that coverage will be excluded for a claim “based upon, arising out of, or attributable to” invasion of privacy. Other policies, conversely, have narrower lead-in language, which excludes coverage only for claims “for” or “alleging” invasion of privacy.

The wording of this lead-in language is significant because a derivative lawsuit is unlikely to contain a direct allegation of invasion of privacy; however, the broad “based upon, arising out of or attributable to” lead-in may allow the privacy invasion that caused the loss to trigger the exclusion even absent such a direct allegation.

Other exclusion options for D&O insurers to note

Other exclusions that may be implicated are the “war” or “terrorism” exclusions, which typically exclude losses arising out of acts of war or terrorism. These types of exclusions may be implicated where the cyber incident is attributed to a hostile government.

For example, previous cyberattacks have been attributed to the Russian military, including the NotPetya malware attack in 2017. Mondelez International, a company impacted by that attack, was denied coverage for its losses by Zurich, which had issued a property insurance policy to Mondelez. Zurich’s denial relied upon a war exclusion in the policy, and Mondelez subsequently commenced coverage litigation against Zurich. The result of the Mondelez litigation will be instructive on the use of such exclusions.

Lastly, the “professional services” exclusion may be implicated in cases where the company is a tech or cybersecurity firm. A “professional services” exclusion will typically exclude coverage for claims that would instead be covered by a professional liability or E&O policy, that is, claims alleging that the company committed a wrongful act in the rendering of or failure to render “professional services.” Where the company itself is a cybersecurity firm, allegations that the company failed to implement adequate safeguards could implicate the professional services exclusion.

Advice to D&O insurers

As cybersecurity incidents and data breaches become increasingly common, D&O insurers need to be aware of the recent trend of securities and shareholder derivative lawsuits brought against public companies and their directors and officers for failing to implement adequate protections against cyber-related risks, and/or for failing to engage in sufficient oversight of such protections. While some exclusions may limit exposure to these claims, D&O insurers who wish to exclude coverage for such claims fully should consider including cyber-specific exclusions in their policies.
