Specialty Podcast: Best Practices for Communicating Cybersecurity With Stakeholders

Intro (00:00):
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:09):
Well, welcome everyone to another Alliant Specialty Podcast. I'm your host, David Finz, and with me today we have two of our thought leaders, Matia Marks, our Financial Lines and Product Council, and Tim Crowley, our Senior Vice President of Management and Professional Solutions. And today we're going to be talking about the intersection, if you will, of cybersecurity and the boardroom. Let's start off with you, Matia. What are some of the challenges that companies are facing with respect to claims of investor loss, resulting from mismanagement of cybersecurity? Like, are there examples that you can provide of some cases that have been in the news that people might be familiar with?

Matia Marks (00:49):
Yeah, thanks, David. There have been several cases in the news in the last few months that have dealt with D&O exposure from cyber events. One that we actually recently wrote about in our Executive Liability Insights Newsletter involved a derivative suit in which the shareholders of a software company alleged that the directors failed to oversee a cyber monitoring system and failed to adequately manage cybersecurity risk. As a software developer, the company required access to its client's IT systems, which, as you can imagine, makes the company an attractive target for cyber-attacks. The board of the company charged two independent committees with overseeing the company's cybersecurity risks. And after the company announced that Russian hackers had compromised the data of almost 18,000 of its clients, the company suffered a significant stock drought. Nevertheless, plaintiffs brought a derivative suit alleging that the directors ignored red flags and failed to conduct a reasonable oversight concerning the company's cybersecurity risks.

And although oversight liability claims are frequent, they're actually quite challenging to prove. They require plaintiffs to establish a strong link between the corporate trauma that has suffered and the alleged intentional actions or inactions. The board's ability or inability to prevent corporate trauma is actually immaterial. A successful duty of oversight claim must actually show that the board acted in bad faith while exercising those duties. And in this particular case, the court held that the plaintiffs failed to plead sufficient facts to demonstrate bad faith on the part of the directors by delegating the cybersecurity oversight risk to the committees. And although these types of claims against directors for oversight failure were once rare, they're becoming more and more frequent. There have also been a number of securities class action cases as of late stemming from data breaches, including the case I just mentioned. We have seen some of them get tossed out on motions to dismiss, but there are still too many that are too new and haven't worked their way through the process yet.

For example, a securities class action complaint was filed a few weeks ago in the southern district of New York against a payment technology firm as well as its CEO and CFO. Prior to the action being filed, the company had announced that a former employee had improperly accessed and downloaded the company's customer data, which contained names and brokerage account numbers, portfolio value and holdings, as well as trading activity. And in the company's AK that was released shortly thereafter, they emphasized that the reports didn't contain usernames or passwords, social security numbers, dates of birth, or other sensitive information. However, as a result of the announcement, the share price declined significantly on this news. The complaint alleged that the defendants failed to disclose that the company lacked adequate protocols restricting access to customer-sensitive information, and as a result, the former employee was able to download it. Therefore, the plaintiffs alleged that positive statements that the company had made about its business, operations, and prospects, were materially false and misleading and in violation of the securities laws. And lastly, we have to keep in mind that the SEC recently proposed new rules relative to cybersecurity for public companies. So, there may be more regulatory requirements surrounding these issues in the months to come.

David Finz (04:05):
Wow. So, there's definitely been a lot of attention around this issue. Tim, can you offer some suggestions as to the best practices for communicating with stakeholders around cybersecurity incidents?

Tim Crowley (04:17):
Yeah, I think the issue of cybersecurity issues have certainly penetrated directors' and officers’ liability arena, and most notably in the form of what has been classified as an event-driven litigation over the last two or three years, which ultimately results in derivative litigation. So, what directors’ and officers’ liability insurance has been focusing on is a little bit different than what you might imagine has been a center of cybersecurity analysis. And by that, I mean that the directors’ and officers' liability insurance underwriters, they really want to hear about the focus at the board level. They want to know that there's been some focus, a quarterly report, an annual report, a further update to the board directors, specifically on this topic of investments in privacy, an attention on privacy at the contractual level, at the level with their customers, at the level with their other vendors, that everyone is focused on the issue to the point of that they're taking care of it. And directors’ and officers’ liability insurance underwriters, they are not cyber underwriters. So, they are not doing the dots and codes of this. They are really looking at this from a due diligence perspective to know the board is focused on it and it is given the proper attention that in the event of a derivative lawsuit or securities class action, that there are notes in the records that say that we've talked about this several times, we are focusing on it, we're investing in it, and we are paying the proper attention to it, to mitigate their exposure.

David Finz (05:55):
Well, the stakes are pretty high here, though. I mean, you know, know, just if you take a look at the case of Joe Sullivan, the former CSO who was actually just sentenced to jail time in a criminal case that, you know, arose out of his suppression of information relating to a data breach at Uber. I mean, this raises some interesting questions about coverage for these individuals. So, you know, one thing that dawned on me is, is a CSO necessarily an officer as defined by a D&O liability policy? Right? And how should businesses go about determining that, you know, what's the kind of language that we're looking for?

Matia Marks (06:30):
David, I'll give you the lawyer's answer here, and that really depends. This really isn't an issue that has traditionally been at the forefront for CSOs, but it's definitely important for the corporate governance documents, including bylaws and indemnification agreements, as well as the D&O policy itself to reflect that CSOs qualify as directors or officers and therefore are insureds under the policy. Specifically, attention should be paid to the definition of Executive and Insured Person and even perhaps a specific endorsement amending these definitions may be necessary. Do you have anything to add to that, Tim?

Tim Crowley (07:04):
Yeah, I think that's a great point, Matia. In most cases, articles of incorporation bylaws sometimes haven't been updated in quite a long time, right? In most cases, even before the term CSO was ever heard by anyone on this call. So, it is important, one, for that CSO to really reflect internally and ask their own company, do I qualify as an officer? Do I get indemnification from the company? And therefore, if I do, I'll get the insurance. If not, I should first look at the company before you look to a third-party risk transfer solution like insurance. And if not, especially if you're in a high-tech area, you should certainly ask your internal general counsel and ultimately the insurance broker and insurer whether or not you're insured in that D&O policy. And it's probably best to ask the question definitively before assuming the answer is yes, because sometimes the answer is no.

David Finz (07:59):
Yeah, I mean, so with that in mind, what is the exclusionary wording that we should be looking out for? What could apply in a D&O policy for this sort of loss?

Matia Marks (08:11):
Yeah, in the last few years, we've been seeing D&O underwriters add what they call clarifying exclusions to D&O policies, which purport to preclude coverage not only for breaches, but electronic publication, invasion of privacy, and consumer protection-type statutes. The scope of these exclusions needs to be drafted as narrowly as possible. The broad-based upon arising out of or in any way related to language, just isn't going to fly here. And these exclusions should in no way apply to A Side coverage. It's also important to check the bodily injury, property damage exclusion in a D&O policy, to make sure that it doesn't extend to privacy matters. We've definitely seen some carriers trying to sneak that into some of their new policy forms that have been issued as of late.

Tim Crowley (08:55):
Great point, Matia. I think a lot of the newer forms that are out there certainly incorporate a lot of newer provisions that we've developed with council, clients, underwriters, brokers, et cetera, over the last even decade. And with a lot of those enhancements, sometimes come trap doors. And one of the trapdoors that we have identified in the newer policies is that the bodily injury and property damage exclusion of certain D&O insurance policies include the word privacy. And in today's world, every company is a technology company in some capacity. And so, the privacy component of that exclusion is extremely troublesome. And most insurers will work with you on that, especially, and minimally, to include some kind of exception for a Side A or non-indemnity loss, which frankly, if you are the individual CSO to shield your personal assets is what you most care about. We all care about the balance sheet of our employers and our companies, but ultimately people sitting on boards and in these positions want to make sure that their wallet is protected.

David Finz (10:00):
Right. I mean, that's a powerful incentive to serve on a board is knowing that you can sleep easy at night and know that that coverage is in place. Any parting thoughts from the two of you, Matia?

Matia Marks (10:10):
Yeah, I would just end by saying that given that cybersecurity is a boardroom issue, it's imperative that the board's D&O policy is drafted to ensure that there's coverage for this involving risk. And it's more important than ever for CSOs to take an interest in the company's overall D&O program and ensure that there's broad protection for them, including, as Tim mentioned, perhaps, a Side A carved back, or even a Side A separate program with a difference in conditions wording. And finally, it's important for the D&O and the cyber program to work in tandem to make sure that there are no inadvertent gaps in coverage.

Tim Crowley (10:45):
I would say that, you know, in communicating and articulating your risk profile to D&O Insurance underwriters, it's very appropriate to highlight the advances and investments and encouragement that you're doing within your companies to the D&O Insurance underwriters. And again, they're not going to want to know about all the alphabet soup. Maybe they know MFA, maybe they even don't, but they want to hear that the board is focused on it, they're adding skill sets to their team. The next board member may or may not even have a specific skill set in this privacy arena, and that's what they want to hear. It's a separate conversation from cyber, but it's certainly important and certainly, one that we would suggest that you make to your D&O insurers each and every year, and certainly on a consistent basis.

David Finz (11:32):
All great points. Well, I want to thank both of our guests for joining us today here at Alliant. We are all about helping our clients find the more rewarding way to manage risk, and to read more about this issue and other timely topics like the SEC's recent clawback provisions, please visit our website at www.alliant.com/financial. Until next time, thanks for listening.