
Understanding the Differences and Overlaps of Cyber and D&O Insurance

Cyber and Directors & Officers (D&O) insurance are essential tools for mitigating liability, each offering unique and sometimes intersecting protections. Cyber insurance safeguards businesses from various cyber-related risks, while D&O insurance shields corporate leaders and, at times, the company itself, from claims linked to alleged misconduct in decision-making and management.

Kevin Mahoney

8 minute read


Cyber and Directors & Officers (D&O) insurance are essential tools for mitigating liability, each offering unique and sometimes intersecting protections. Cyber insurance safeguards businesses from various cyber-related risks, while D&O insurance shields corporate leaders and, at times, the company itself, from claims linked to alleged misconduct in decision-making and management. However, these policies aren't universally applicable. Standard policy language can often be tailored through endorsements to broaden coverage, limit exclusions, or enhance terms to bridge coverage gaps. Conversely, endorsements can also significantly restrict coverage that was originally available in the policy.

Several key provisions can influence the likelihood of a claim being covered. For businesses assessing their insurance portfolio, these provisions are particularly important:

Cyber Exclusions in D&O Policies

With rising cyber incidents, many D&O policies now include broad cyber exclusions. These exclusions, intended to transfer cyber risks to cyber policies, can be overly broad, significantly reducing coverage for D&O claims indirectly related to cyber incidents. Refining these exclusions is critical.

Pre-Approval of Key Vendors in Cyber Policies

After a cyber incident, businesses need to swiftly hire essential services such as legal counsel, IT forensics, and crisis management. Some policies mandate using the insurer's approved vendors. Companies should either be comfortable with these vendors or seek policies allowing independent vendor choice, securing pre-approval of preferred vendors to avoid disputes after an incident.

Conduct Exclusions in D&O Policies

These exclusions can prevent coverage for claims involving alleged fraudulent or criminal acts by company executives. Narrowing these exclusions by adding final adjudication clauses ensures coverage isn't denied prematurely.

Insured vs. Insured Exclusions in D&O Policies

Common in D&O policies, these exclusions block claims between insured parties (e.g., a company against its director). It's vital to include exceptions for whistleblower claims, such as those uncovering mishandled cyber incidents.

Exclusions for Securities Law and Unfair Trade Practices

Exclusions for securities law violations in cyber policies should exempt privacy claims. Similarly, exclusions in D&O policies for unfair trade practices should not apply to claims arising from data breaches or undisclosed cyber incidents, especially under new SEC regulations.

Contractual Liability Exclusions

Many businesses must assure clients or vendors about their data security capabilities. Exclusions for contractual liabilities should not apply where liability would exist independently of a contract.

Additional Exclusions

Beyond the above, insurers may use various other exclusions to deny coverage, including professional services, terrorism, intellectual property, and war.

Before facing a claim, it's imperative for companies to meticulously examine each policy to understand existing coverages and the need for additional or altered terms. Each policy and endorsement should be closely analyzed to grasp how it might respond to a claim and how it functions within the broader insurance framework.