Rising CIO lawsuits could mean a hit for D&O, not cyber

A recent rash of lawsuits against corporate chief information officers has sent legal costs for data breaches soaring. For insurance agents, the trend sends an important message: not all damages related to a data breach will fall under the cyber policy.

According to Matthew Karlyn, a partner at Foley & Lardner LLP, the lawsuit against US Office of Personnel Management CIO Donna Seymour is likely to set a precedent for pointed legal action in future data breaches.

“We are absolutely going to see more CIOs taking the fall and ultimately being named in lawsuits,” Karlyn told the Wall Street Journal.

Seymour, who was accused of negligence and privacy violations relating to the April breach that compromised the personal data of 21.5 million government employees and contractors, was made to undergo questioning by Congress.

That leads to an assumed fiduciary duty for CIOs, which may include the conception, installation, monitoring and adaptation of cybersecurity measures, Karlyn said.

That could mean the transference of some data breach-related risk from the cyber insurance product to a directors and officers policy. Cyber liability does not cover litigation as a result of negligence, said Ian Cavalier, head of claims for cybersecurity broker Safeonline LLP.

"What we have seen in the market is D&O coverage taking a hit due to breaches; especially in light of large scale hacks at Target, Sony and Adobe which have resulted in lawsuits against both company and directors, which are still ongoing," Cavalier told Insurance Business America. "But there is plenty of scope for growth, particularly as the cyber market is still in relative infancy with regard to premium."

An insurance broker's job, then, is to aid in corporate risk management, with a particular focus on CIOs, Cavalier added.

"As the scope and size of policies and claims increase, personal responsibility is now being called into question and individuals will need to be better educated and receive the full backing of colleagues to implement the necessary initiatives to safeguard their data against cyber threats," he said.