THE C/EO PERSPECTIVE: WHAT YOU DON'T KNOW WILL HURT YOU

Cyber Liability in the Boardroom

ABOUT JLT SPECIALTY

JLT Specialty Insurance Services is the U.S. platform of JLT Group, the leading specialty business advisory firm. Our experts have deep industry and product experience serving the leading U.S. and global firms. Our client proposition is built upon our specialist knowledge, client advocacy, tailored advice and service excellence. Our culture reinforces the value of our people with teamwork and collaboration. Together, we place our clients first, champion independent thinking and expect to be judged on the results we deliver.

ABOUT C/EO

A key component of JLT Specialty's recent expansion of its US operations has been the formation of the Cyber and E&O Practice (C/EO), a team of motivated and skilled people who bring a wealth of experience in complex cyber and E&O placements and a proven track record of success in working with clients of all sizes. They are committed to growing a specialty business in the US market and are aligned with JLT Group's client-first culture and entrepreneurial drive. We pride ourselves on a pragmatic approach that leverages the Cyber and E&O Practitioners' deep industry and product knowledge. This starts with an interactive exposure identification and priority discussion. We then transform this discussion into a risk transfer solution strategy, including proposed coverages, insurer partners and execution timeline.

CYBER LIABILITY IN THE BOARDROOM

When a company becomes the victim of a cyber breach, naturally fingers point in all directions: the Chief Information Security Officer (if there is one) or the IT department in general; third party vendors that may have acted as an initial point of contact; foreign governments that have gained a reputation for hacking into competing companies; the Board. Wait… the Board of Directors?
Until recently, board accountability following a cyber breach was merely theoretical. In an ever-evolving legal and regulatory environment, various theories of negligence and fault have been tested, in many cases unsuccessfully. The latest trend, however, puts even the Board at risk of liability stemming from a failure to protect customers' personal and financial information.

Wyndham Worldwide has kept itself in the news following three data breaches over a period of 22 months, beginning in April 2008, which resulted in the compromise of 600,000 records, a relatively small community of victims by 2014 standards. Wyndham has taken an unprecedented approach in challenging not the merits of the allegations but the authority of the entity bringing regulatory action against it, namely the FTC. Following the FTC investigation and subsequent legal action, shareholders demanded on two separate occasions that the Board file suit against Wyndham officers for employing inadequate security controls. After the Board declined to bring suit a second time, the shareholder filed a derivative suit in February 2014. Ultimately, the court dismissed the suit with prejudice on the basis that the Board had conducted its due diligence and acted in the best interest of Wyndham.

Though the Wyndham derivative suit was unsuccessful, it affirms the growing responsibility of the Board to actively engage in cyber security implementation. Wyndham succeeded in dismissing the suit primarily because it had strong evidence that the Board was active in the breach response and in the cyber security conversation. How many Boards are employing the same due diligence before a breach occurs?

With complex cyber issues threatening businesses of all sizes and sectors on a daily basis (FireEye CEO Dave DeWalt asserted during a recent 60 Minutes segment that 97% of all companies are currently being hacked), ignorance or lack of action is no longer a defense and can in fact expose a Board to liability. The failed derivative suit also serves as another example of how an established breach response plan, including third party assistance, can be the best defense against future liability.

In another example, Heartland Payment Systems suffered a breach of a whopping 130 million records, discovered in early 2009, which at the time of this writing is still considered the largest breach by record count. Following disclosure of the breach, Heartland's stock plummeted 80%, prompting securities class action litigation. Though this suit was also dismissed, for failing to meet the pleading standards, it was aggressive in alleging that Heartland had made fraudulent statements during a 2008 earnings call, ultimately misleading investors regarding the state of its security controls.

Nearly five years after the Heartland breach, and more than ten years since the first dedicated cyber insurance product was introduced, underwriters will candidly admit that they are still refining the questions and tools necessary to adequately evaluate exposure through a dedicated cyber underwriting effort, much less via the D&O placement, which in many cases has been a continuous renewal for several years. The SEC's attempt to bring clarity to financial statements regarding cyber security measures has in practice done little to give investors and other interested parties the granular detail necessary to assess a company's security posture.

According to the 2014 EY Global Information Security Survey, the second most critical but overlooked foundational requirement of an organization without proper cyber security integration is to "Get Board-level support for a security transformation. Redefine cybersecurity governance, e.g., realigning cybersecurity outside of the IT function and ensuring that the Board understands processes". Put another way, EY views Board support and collaboration as a fundamental principle, as important as more commonly recognized practices like penetration testing, risk assessment and road mapping, and continuity and incident response plans.

Despite the dismissals, the Wyndham and Heartland lawsuits illustrate the potential litigation exposure arising out of a cyber breach, not only to the company and its directors and officers but also to its D&O insurers.

Following Target's acknowledgement of its massive data breach in December 2013, two derivative suits were filed in January 2014. The suits allege Breach of Fiduciary Duty, Waste of Corporate Assets, Gross Mismanagement and Abuse of Control. Shareholders specifically allege that directors and officers failed to properly oversee Target's business and operations. Based on FireEye's assertion that 97% of all companies are being breached, is any Board in a position to properly oversee its company's business and operations? According to The Global State of Information Security Survey 2015 conducted by PwC, only 42% of respondents confirm that the board is active in the security strategy, and only a quarter review current security and privacy risks. When less than half of these boards are involved in the security conversation, how can they adequately defend their ability to properly oversee business and operations?

At the time of this publication, Sony has spent over a month as the leading cyber breach story, finding itself in the midst of a cyber security and public relations nightmare with no foreseeable end in sight. Déjà vu all over again? Sony was on the receiving end of multiple targeted attacks by hacktivists in 2011, which cast a lasting negative light not only on its response but on the actions that led to the retaliatory attacks. Three years later, Sony cannot seem to exit the spotlight, nor escape the rhetorical question "did they learn nothing the first time?" More troublesome than finding yourself the victim of a cyber attack is finding yourself in that situation again.

With the release of information by the attackers, who call themselves "Guardians of Peace", slowing, and with the modified but no less controversial release of the film at the heart of the attack having come and gone with much lower revenue figures than originally forecast, the next phase of the conversation is speculation as to the types of losses Sony is facing now and is likely to face in the future. To date, Sony has been named in four suits, one of which, filed by two former employees in federal court, alleges that Sony failed to secure its computer systems, servers and databases because "Sony made a 'business decision to accept the risk' of losses associated with being hacked." Sony's own emails, obtained and released by the hackers, seem to support the claim that its controls were lackluster and show warnings from its IT department and others. Even so, this specific allegation raises the question of whether a company's choice to accept the financial and reputational risk associated with a cyber breach introduces a new theory of liability. If Sony's decision makers were aware of the risk but chose to assume it, does that mean that the decision makers at the 97% of companies that are purportedly being hacked, or those that choose not to insure the financial aspect of a cyber breach, are breaching their Fiduciary Duty or failing to properly oversee their business and operations?

Also on the list of suits that Sony is likely to face in the future is shareholder litigation over the low revenue figures earned from the film's modified release. Sony's share price took a rather large tumble in 2011 as a result of the hacktivist attack, and though no shareholder suit followed, based on recent activity and expectations of accountability the Board should be prepared to defend its ability to properly oversee the business and operations, even more so because of the 2011 breach.

So, what is a Board to do when it cannot simply cross its fingers and hope to be part of the 3% of companies that have so far eluded cyber criminals? Despite much of the litigation against directors and officers still pending, and other suits unsuccessfully testing various theories, it is clear that preparedness, or lack thereof, is a common theme among the suits. Boards need to take an active role in the ongoing responsibility of cyber security, which goes far beyond simply trying to prevent intrusions: minimizing the information that can leave the organization, knowing how the company will respond once an incident occurs, and ensuring that they have taken all reasonable and appropriate measures to minimize the harm not only to the customers or individuals whose information may be at risk, but now to the shareholders, too.

As is frequently the case with specialty insurance products, where policy language and carrier appetite vary widely, no Insured should assume that all risks associated with a cyber breach are affirmatively covered. While a dedicated cyber policy should respond to many of the first and third party losses associated with a breach (if properly negotiated), the D&O policy should also be reviewed to ensure affirmative response to suits against the directors and officers resulting from a breach.

Whereas coverage for the company under a public company D&O program is generally limited to claims alleging violations of securities laws, the scope of coverage for individual directors and officers (the defendants in derivative litigation) is much broader. A D&O program, if properly negotiated, should protect the individuals against derivative litigation arising out of a cyber breach. Furthering the concern of D&O insurers, many jurisdictions preclude corporate indemnification for settlements and judgments resulting from derivative litigation, which implicates the Side A (non-indemnifiable loss) insuring agreement of the D&O program, eliminating the retention and putting the insurer's limit at greater risk.

In light of this emerging exposure, D&O insurers are taking notice, and companies should be prepared to address questions related to the firm's cyber exposure as part of the D&O Liability insurance renewal process. Some insurers have even formalized a set of cyber security-related questions to be asked of insureds and potential insureds at each placement. Underwriters will want to discuss the company's strategy to understand and mitigate the risk associated with a cyber breach, as well as the role of the directors and officers in developing and reviewing that strategy.

JLT's Cyber Liability and D&O experts are well versed in this emerging exposure and welcome the opportunity to engage in additional dialogue. The C/EO team utilizes a defined, pragmatic approach in order to evaluate cyber liability exposures and craft a customized policy to meet the insured's specific needs. Part of that process includes the evaluation of ancillary policies and coverage that could be impacted in the event of a cyberattack. JLT's experienced D&O brokers work in conjunction with the attorneys in our dedicated Legal & Claims Practice and the C/EO team to conduct a gap analysis on the existing D&O program, remediate coverage deficiencies, ensure coordination between the D&O and Cyber Liability programs and maximize protection for both personal and corporate assets.

If you'd like to discuss how your company can coordinate and contain your cyber liability exposures among your various insurance policies or otherwise, please don't hesitate to contact the brokers at JLT Specialty.

FOR D&O INQUIRIES
WILLIAM KROUPA
Vice President, JLT Specialty Insurance Services, Inc.
Financial Lines Group
303 589 3744
[email protected]

FOR CYBER INQUIRIES
SHANNON GROEBER
Senior Vice President, JLT Specialty Insurance Services, Inc.
Cyber/E&O
215 246 3993
[email protected]

JLT Specialty Insurance Services, Inc.
Centre Square East
1500 Market Street
Philadelphia, PA 19102
Tel 215.246.1600
www.jltspecialty.com

Lloyd's Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96.

© December 2014