‘There should be no assumption that cyber risks are covered under a D&O policy,’ says law firm partner

The legal and reputational fallout for boards of directors following a major cyber attack on their firm is rising, driving a potential uptick in related directors’ and officers’ (D&O) claims. Insurance professionals fear that many UK businesses remain dangerously underprepared to tackle the ever-growing and increasingly far-reaching consequences of a cyber incident.

The global cyber insurance market is expected to grow from $16.66bn (£13.05bn) gross written premium (GWP) in 2023 to $120.47bn (£94.37bn) by 2032, according to broker Gallagher’s Cyber market update 2025 - Financial services report, published in August 2025.

While premium pricing remains competitive in today’s softer market conditions – down 5% to 15% on most renewal programmes after double-digit falls in recent years – Gallagher warned that 2026 and beyond could see price hardening for cyber cover in certain sectors, alongside reduced flexibility in policy customisation.

Retail could be one of these affected sectors following the headline-grabbing cyber attacks that took place in April and May 2025, affecting firms such as Marks and Spencer, the Co-op and Harrods.

As cyber attacks grow in sophistication, volume and severity, the ramifications of this type of corporate targeted crime are also expanding, with the insurance sector increasingly seeing a crossover between organisations’ cyber incident response and possible D&O exposure – especially as cyber cover penetration remains low across the market.

Scott Bailey, head of global cyber underwriting at CFC Underwriting, confirmed that cyber and D&O are “more intertwined than any other [classes] of business”.

He added: “Almost one in two businesses that have a significant cyber event will get a D&O event as well.

“If I’m looking at a publicly traded business that said ‘no, we don’t buy any cyber cover’, I really would like to know why.

“Without any financial indemnity from a cyber policy, a big, messy cyber event is probably going to result in a D&O lawsuit – not least because [the company] chose not to buy cyber cover in the first place.”

Sam Cheshire, head of cyber for Gallagher’s UK and Ireland retail division, told Insurance Times that D&O and cyber covers should, therefore, “work in tandem to provide protection for a business and its directors” – particularly as shareholder scrutiny often increases after a cyber event, with any resultant poor handling of a cyber incident potentially triggering rapid share price drops.

Cheshire continued: “Looking to the future as businesses become ever more reliant on technology, D&O and cyber policies will need to work closely together to protect [businesses] and directors from financial loss.”

There is a raft of UK regulation that ties directors’ responsibilities to good cyber risk management, reinforcing the link between cyber and D&O covers.

For example, Arran Roberts, partner in the cyber and data risk team at law firm Kennedys, said that directors’ fiduciary duties under sections 171 to 177 of the Companies Act 2006 encompass “good cyber security risk management”, which includes compliance with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Roberts’ colleague, Jennifer Boldon, also a partner at Kennedys, added that the FCA described cyber resilience as a “top priority” within its latest five-year strategy, published in March 2025, and was therefore increasing its scrutiny of boards under the Senior Managers and Certification Regime (SMCR). This regulation came into force in 2018 and 2019 for the insurance sector, aiming to increase directors’ personal responsibility and accountability for firm actions.

Falling short of SMCR rules could lead to fines or the withdrawal of regulatory permissions.

Boldon continued: “Failure to manage cyber risk can be a breach of directors’ duties and could lead to derivative claims or regulatory enforcement against individual directors for breach of duty.”

The government’s new Cyber Governance Code of Practice, published in April 2025, is intended to help boards manage cyber risks. While offering voluntary measures, Boldon said it was “an important tool for regulators” and could lead to a “comply or explain” regime.

The insurance gap

The evolving nature of cyber risk and how it is increasingly interacting with D&O policies means there are many customer misconceptions that the market must work to investigate and correct.

Charlie Hassell, account handler and D&O product lead at Servca, told Insurance Times: “Many boards still believe their D&O policy will cover them for any cyber related problem. In reality, D&O is mainly designed to protect directors against claims about their decisions or actions – and it won’t automatically cover the wider costs or operational impact of a cyber incident unless this has been specifically added.”

Hassell warned that tech, finance, healthcare and energy remain the most exposed sectors to cyber attacks due to the volume of sensitive data they typically hold, the critical nature of their operations and the high level of regulatory oversight in these marketplaces.

Bronwen Horn, head of management liability portfolio, financial institutions and regulated fintech at Hiscox, agreed that D&O and cyber are “core covers that businesses should be buying”. She cited the “wake-up call” of the Target data breach in the US in 2013, which saw directors face intense scrutiny. “They couldn’t just blame it on the information technology person or the outside contractor,” she said.

Horn stressed that cyber governance is “not good enough to do once and then think ‘I’ve got my cyber plan, I’ve bought some insurance’”. Instead, boards should engage in “horizon scanning” and monitoring to keep pace with an ever-changing threat landscape.

The reputational damage from a poorly handled breach can be severe too.

Serena France-Hayhurst, cyber placement leader and managing director at Marsh and McLennan, told Insurance Times: “Loss of confidence impacts brand value, it impacts investor confidence and it can put off staff from working for your business and customers from coming to your company. That immediate reputational impact can snowball into something much more significant from a board perspective.”

France-Hayhurst also highlighted the risk of shareholder class actions if a cyber incident triggers a stock drop – a trend already seen in the US. However, the broker noted that standalone cyber policy uptake – which could help mitigate the detrimental impact of this activity – among SMEs remained “relatively low”.

For example, 35% of the 104 SMEs surveyed by the UK’s Department for Science, Innovation and Technology for its August 2025 Insuring resilience - adoption of cyber insurance by UK small and medium sized enterprises report said they did not have cyber insurance.

Of these respondents, 28% did not think cyber insurance was necessary, 31% were deterred by unclear or limited advice from brokers, 36% cited cost as a prohibitive factor and 28% said they did not know enough about cyber insurance to form an opinion.

Future direction

While significant litigation against directors personally has yet to become widespread in the UK, Roberts said this environment was “shifting and moving towards greater individual accountability”, with US style claims against directors likely to emerge over time. “There should be no assumption that cyber risks are covered under a D&O policy,” she added.

The direction of travel on the relationship between cyber and D&O insurances is clear, with industry voices agreeing that boards can no longer treat cyber risk as a purely operational concern – the reputational and legal implications are real and must be addressed in policy terms.

“Cyber has to be one of the top risks to have on their agenda at every single meeting,” France-Hayhurst said.

Cheshire added: “Larger organisations are most likely to have shareholders and the actions of the directors are therefore more likely to get scrutinised, so it is important to ensure they have the cover in place.”

However, the partner of risk is always opportunity.

Bailey noted that although poor cyber incident handling can trigger rapid share price drops, swift, transparent and well managed responses can sometimes strengthen a company’s long-term brand. “There are known incidents where share prices have recovered to more than their pre-incident levels,” he explained.