Declining rates and rising risks of D&O cyber liability could impact insurer margins


Underwriters are scrutinising their clients’ policies and procedures to assess and stave off the impact that any cyber-related claims might have on their margins.

A report released today by Marsh says directors could be held personally liable for a cyber attack against their firm, and that declining rates for director and officer liability (D&O) insurance may be too low to reflect the exposure to cyber-related claims that insurers might face.

In the last 12 months, rates for D&O insurance have declined by 0-10%, except within financial institutions. As a result, clients are increasingly using the cost savings to purchase larger limits of D&O insurance.

Marsh financial and professional practice (FINPRO) senior vice president Eleni Petros added: “Although the UK D&O insurance market is still highly competitive, insurers are acutely aware of the impact cyber-related claims can have on their margins.

“As a result, underwriters are scrutinising their clients’ policies and procedures to establish a clearer picture of the understanding and management of cyber risk at board level.”

Typical D&O policies are very broad and cover directors for all their actions as directors, which could include matters relating to a cyber incident, she said. 

“Directors and officers should take a proactive approach to managing their insurance arrangements. By ensuring that they have adequate cover in place, they can personally protect themselves from the impact of regulatory investigations or shareholder litigation following a cyber incident,” she said. 

Under many regulatory regimes, directors and officers have extensive responsibilities to implement systems and controls to manage their company’s data usage. If they are found to have neglected or breached these duties, directors and officers could be personally exposed to lawsuits, shareholder class actions and regulatory sanction.

FINPRO head of management liability Beth Thurston said: “Management boards should develop cyber strategies that take these legal obligations into account.

“However, it is clear from recent high-profile cases that such strategies must be more than a box-ticking exercise – the management of cyber risk now needs to be an intrinsic part of day-to-day life for management boards.”