Cyber Risks for the Boardroom Part 3: Top Questions Directors Should be Asking about D&O Coverage

Our series "Cyber Risks - Director Liability and Potential Gaps in D&O Coverage" continues.

Part 3 of 5: Top Questions Directors Should Be Asking About D&O Coverage

Written by Heidi Lawson and Danny Harary

Directors never want to be in the unenviable position of having to seek coverage under their D&O policy. Nevertheless, the D&O policy is an indispensable corporate expense, particularly in the case of public companies, where exposures can be much higher. Especially today, when companies are experiencing a meteoric rise in cyber attacks and unauthorized attempts to access data, directors must ensure that they are covered in the event of a cyber attack, or any other exposure.

The need for a D&O policy is clear: directors and officers potentially face personal liability for lawsuits filed against them, even for alleged acts undertaken on behalf of the company. Although the company may be required or permitted to indemnify the directors depending on the circumstances, in some situations, the company may be prohibited from offering indemnification, or may not have sufficient resources to extend permissive indemnification. Thus, the D&O policy is a director’s last resort before personal assets may be invaded. As such, directors should take the time to carefully consider the scope of coverage offered by their D&O policy. The breadth of coverage and policy wording differ significantly from policy to policy and from carrier to carrier.

So, with apologies to David Letterman, here is our "top 10 list" of the questions directors should be asking about their D&O coverage:

  1. What is typically covered under a D&O policy?
  2. What are the exclusions that directors should be concerned about?
  3. What kinds of situations should be reported to the insurer to trigger coverage and when?
  4. Who controls the defense of the director in the event of a claim?
  5. Are the policy limits appropriate for the company's risk profile?
  6. Does the policy exclude data breaches?
  7. Does the policy provide coverage for derivative shareholder claims?
  8. How broad is the coverage afforded for regulatory investigations?
  9. What is the priority of payments under the policy?
  10. What are the potential coverage gaps and how can they be bridged?

If a director really wants to know how the policy will respond in a claim, an independent legal review is always advised. Policy terms often appear to be favorable, but the practical application of that language in the context of an investigation or derivative lawsuit often yields a different result.

Tomorrow: Coverage for Investigations

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.