Expert says new rules put more liability on D&O in cyber risk management

Expert says new rules put more liability on D&O in cyber risk management

Expert says new rules put more liability on D&O in cyber risk management
Insurance veteran Bill Cosgrove answers some D&O questions relating to cyber risk. Cosgrove has 30 years of experience under his belt and currently serves as managing principal & practice leader for financial risk solutions at New York’s EPIC firm.

IB: New York recently adopted cyber security rules and Fitch Ratings said this presents an opportunity for D&O insurance because executives have a role to play in implementing these measures. How is the adoption of such laws an opportunity for insurers? What on the other hand, are the risks for insurers in such a scenario?

BC: It puts more pressure on the board and senior management to address risk mitigation and timely reporting of material incidents. It makes it tougher to simply apply the cost-benefit approach to cyber security and process management. The increased focus gives insurers the chance to sell higher limits on the D&O side, while attracting new buyers in the cyber market.

The opportunity for insurance companies is to focus the greater need to sell this type of coverage and potentially guide if it is covered under D&O insurance, cyber insurance or both—and potentially charge accordingly. The risk for insurance companies could include multiple limits of liability exposed, greater regulatory claims generating greater defense costs, and loss.

Another risk to insurers is aggregation. A large scale cyber-attack affecting multiple insureds will certainly prove challenging. Most of the insurers are aware and taking steps to manage their exposure.

Consider that the new regulations include “SOX 404-type” annual compliance certifications – which if inaccurate/false may expose the potential for regulatory action against individuals and licensing issues for the entity.

IB: Cyber risk is still in evolution. How do you compute for D&O risk given that there are still a lot of unknowns in this equation?

BC: The key word is unknown. We try to impress upon our clients that the cyber risk is real, its growing and much more sophisticated than in years past. Also, no amount of security infrastructure can completely eliminate the risk.

We can better guide clients due to our ability to better quantify the impact of a cyber risk event and the correlation to D&O risk.

Want the latest insurance industry news first? Sign up for our completely free newsletter service now.

IB: How do you see the D&O role evolving as cyber security evolves? What are the key requirements that will be demanded of D&Os to adequately meet the needs of the organizations that hire them? How does this affect the risk that attends their role in the overall scheme of things?

BC: The board and senior management need to understand the risk to their business, not just rely on a 10-minute IT briefing in a board meeting. That means learning the terminology and functionality associated with cyber risk mitigation.

While cyber and privacy issues have been raised to board levels of public and otherwise SEC-regulated companies for the past several years, the NY regulation focused on financial institutions, with a non-one size fits all approach, heightens cyber and privacy issues to the broad financial institution industry. It is but one issue that boards need to consider, act and be compliant – but it is an incredibly important issue potentially affecting the soundness of FI’s.

IB: Do you see other states following New York’s lead in adopting cyber security measures? How will this change the delivery of D&O coverage in the future?

BC: Yes. As risk recognition develops, we will certainly see more measures like New York’s.
The increased scrutiny and compliance will certainly be tested by regulatory enforcement divisions and plaintiff counsel in D&O lawsuits.

IB: AI and machine learning are taking over jobs formerly performed by humans. How will these technologies figure in providing D&O coverage, especially when part of their jobs will be performed by machines?

BC: Whether you employ humans or artificial intelligence systems, you have to live with the consequences when they fail. Artificial intelligence and automation are certainly attractive from a cost perspective, but not without risk. Systems connected to open networks can be hacked, and I expect that we will see more malicious attacks directed against AI in the future.


Related stories:
Pitcher out of WBC after being denied insurance
Socius Insurance makes new hire in its professional liability practice