Skip to main content

Cyber Risks for the Boardroom Part 4: Coverage for Investigations

Part 4 in our continuing series:  "Cyber Risks - Director Liability and Potential Gaps in D&O Coverage":  Coverage For Investigations

Written by Heidi Lawson and Danny Harary

One of the biggest gaps in coverage in D&O coverage today is the lack of meaningful coverage for investigations.  Although at first glance the policy language may look like it provides sufficient coverage, the reality is that the way most policies are written, it is almost impossible to trigger coverage in an SEC or Department of Justice investigation simply because the policy language does not match up to the reality of how those investigations are conducted. In the case of a subpoena, one of the costliest components of an investigation, coverage is often only extended for “targets” that are specifically identified on the face of the subpoena. As a matter of course, however, the subpoena target is rarely identified in this manner, rendering coverage illusory, or in everyday parlance, useless. As regulatory oversight has increased generally in the wake of the financial crisis, and the SEC cybersecurity initiative promises even greater scrutiny, broad coverage for regulatory investigations is a necessity. This is especially true for public companies, as the scope, protocols and frequency of cyber investigations by the SEC and other regulatory agencies remains to be seen.

Companies should look to maximize the availability of coverage for investigations, including costs associated with responding to a subpoena if there is a formal investigation underway. It should be noted that, in addition to arguing that a director or officer is not identified as a target, carriers will typically challenge coverage on the grounds that a subpoena is not a “Claim” under the policy, and/or the policy does not respond to an “informal” information request by regulators. These same challenges are to be expected in the event of an investigation arising out of a data breach. At the most basic level, D&O policies provide coverage for “Claims” made against the company and its directors during the policy period. The amount of coverage provided is therefore reflected in how broadly the policy defines the term “Claim.” Companies can therefore guard against insurer challenges and maximize coverage for investigations by ensuring that their D&O policies define a “Claim” in broad terms.

Tomorrow: Coverage for Privacy Violations

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.