Risk Management

Why do I need Directors and Officers Liability Insurance?

Directors and Officers have a significant role in helping to keep businesses running smoothly, but mistakes can happen. Directors and Officers Liability insurance applies to anyone who serves as a director or officer of a for-profit business or nonprofit organization. In the event that the individual within the business falls short of their obligations, this insurance is intended to protect them from personal losses if they are sued as a result. It can also cover the legal fees and other professional costs of defending yourself against such claims.

Who can sue?

  • The Company
  • Shareholders
  • Third Parties
  • Employees
  • Creditors
  • Regulatory Bodies
  • Competitors

Directors and officers can be sued for a variety of reasons, including:

  • Misrepresentation of company assets
  • Misuse of company funds
  • Improper disclosure
  • Failure to comply with workplace laws
  • Negligence
  • Theft of intellectual property or poaching of competitor’s customers
  • Lack of corporate governance

What does Directors and Officers Liability insurance policy cover?

The purpose is to provide protection for the directors and officers of the company for any alleged wrongful acts that are committed in the course of their duties. A Directors and Officers Liability Insurance policy comprises two sections. The first, directors and officers liability, pays any loss they are liable to pay which arises from their having committed a wrongful act while acting as such. The second section refers to company reimbursement: if the company is legally liable to indemnify its directors and officers for their actions, this section will reimburse the company in respect of such liability.

Why does my business need to purchase D&O insurance cover?

Any business with a corporate board should consider investing in D&O insurance. While you may not be legally required to have D&O insurance, if you are alleged to have acted wrongfully you could face claims for compensation or criminal proceedings. Regardless of the size of your company, directors and officers can still be personally sued over their management of company affairs. Smaller businesses with fewer assets may need as much protection as larger corporations with higher revenues. There are so many decisions to be made for your business as we navigate through these uncertain times, and whilst there is a wealth of professional advice out there, this won’t necessarily prevent allegations being brought against you or your business. It is for this reason that many company directors tend to have D&O cover in place.

D&O Insurers are aware that the current crisis has resulted in more claims, which is causing a hardening market. This means that insurers are likely to revise the D&O cover they provide and increase their premiums. This trend is probably going to continue for the foreseeable future so purchasing a policy now makes sense, even if your other insurance policies are not yet due for renewal.

Reduce Data Exposure to Cyber Threats

In our current world, protection against cybercrime is needed more than ever. Cyber criminals will be using COVID-19 to increase their activities to attack individuals and organisations. The National Cyber Security Centre has reported a rise in online scams exploiting the pandemic with the aim of obtaining money from victims. It is critical for organisations to re-assess their data protection and cyber security practices to help protect themselves from experiencing data exposure and breaching GDPR.

Why is cyber security important?

• Damage to IT systems
• Loss or impairment of critical business data
• Loss or compromise of customer data
• Loss of use of customer facing websites
• Damage to brand or reputation and loss of public trust.

The increase in the number of individuals working from home poses even more risk to businesses as they become more reliant on their IT systems, with employees often working on their own devices.

What steps can I take to be prepared for a cyber attack?

1. Protect data using strong passwords and encryption. Make sure you avoid using predictable passwords and provide secure storage for passwords.

2. Secure your computer, wireless network and mobile device. Often cyber criminals will gain entry by exploiting your software. To prevent this, ensure you keep all your applications and operating systems up to date.

3. Provide training against cyber threats. Your employees should know your cyber security policies and know how to report suspicious activity. Providing training on these topics should assist employees in reducing the risk of data exposure.

4. Consider having an offline backup. Back up your data regularly in more than one place and do not leave your backup connected to your device when not in use.

5. Understand phishing threats and how to respond. Phishing is a method cyber criminals use to gather information. They often send victims emails with links that will direct you to fraudulent websites, asking you to provide sensitive information. Providing real life examples through training can help employees understand what to look for and how to best deal with them.

6. Create an incident response plan. While cyber security programmes secure an organisation’s digital assets, an incident response plan provides steps in case a cyber attack occurs. This will allow organisations to notify impacted customers quickly and limit financial and reputational damages.

7. Use multi-factor authentication. This adds a layer of security to protect against compromised credentials. Users must confirm their identity by providing extra information when attempting to access networks, e.g. phone number or security code.

What if my business becomes victim to a cyber attack?

Taking these steps can reduce the chances of you becoming a victim of a cyber-attack but it is impossible to eliminate the risk entirely. Cyber Insurance can help your business deal with and recover from any cyber attacks.

Cyber & Data Risks Insurance

Each year when completing a review of their insurances, most businesses will look at uninsured exposures with their insurance broker. Most of these can be reasonably ignored following simple cost-benefit analysis, but cyber is more difficult in that the associated risks and their potential cost to a business are still developing. It is anticipated though that the frequency and severity of such incidents will continue to rise, mirroring the experience of North America where cyber risks are given a higher regulatory and boardroom prominence. In the US it is now estimated that over 75% of corporate businesses purchase cyber insurance.

Different businesses will be exposed to cyber risk in different ways; some are reliant on their website to drive turnover, some rely on a hosted accounting or billing system to operate whilst others hold sensitive client data or intellectually valuable data on their systems. There are a multitude of scenarios that leave a business exposed to internal and external electronic threat. The failure of an IT network could be debilitating and a good first step is to identify and take steps to mitigate external and internal IT risks. These include:

  • data theft or data loss
  • hijacks where hackers gain control of a system and demand a ransom to restore service
  • bot scams where viruses are used to take over large numbers of computers
  • basic human error (internally generated risks should not be overlooked and continue to be the most common proximate cause to a cyber loss)

Notification costs following the loss of third party data are now a major concern for EU business following GDPR. Safekeeping of data is the responsibility of the customer facing entity, notwithstanding that a third party processing company may have been the party that lost the data and/or contractual terms making a third party responsible for notification. This means if you are hacked and lose your customer data (names, addresses, credit card numbers etc.) you will need to report the loss to the data commissioner, possibly pay PCI fines, pay the cost of notifying your customers that they are at risk, pay for advice to manage their risks and pay PR costs to manage the potential damage to your brand and reputation. All of these risks can be insured and cyber insurance will additionally cover fines and penalties associated with regulatory investigations due to a privacy event.

The other major threat to a business may be the loss of a website and a resultant loss of revenue. Again, this can be insured.

The cyber insurance market has been developing at a rapid pace over the past five years as experience has been gained by insurers. Areas of cyber-risk that can now be insured include:

  • replacing, restoring or recreating data that has been corrupted or destroyed by network failure or first/third party intervention
  • loss of data and notification management costs
  • criminal threat or extortion to release sensitive information or bring down a network unless demands are met
  • loss of income and extra expenses resulting from when a network is interrupted by attack. Covers criminal hackers, malicious insiders and denial of service (DOS) attacks, (including extortion monies)
  • payment fraud (deception of the insured’s customers into transferring over funds)
  • public relations expenses and crisis management
  • disaster recovery activation costs
  • fines and penalties where insurable by law
  • use of leased / rented external equipment
  • use of third party services
  • additional staff expenditure and overtime payments
  • terrorism risk, including ideological risk (LulzSec, Anonymous etc)

James Hallam Insurance Brokers have been placing cyber risk in the London market for over fifteen years. We source cover to insure against all of the above threats and, in addition, we can protect against risks that the majority of cyber insurers omit. For example, our favoured market will also provide:

  • the provision of first party cover on an “each and every claim” basis, ensuring that policyholders aren’t restricted by a policy aggregate and that the full benefits of cover are available each time a crisis strikes, even if they experience multiple cyber incidents in the same policy period
  • full retroactive cover as standard, meaning that policyholders are covered for breaches they discover during the policy period, even if they first occurred long before. Symantec has reported that the average time to discover a breach is 205 days, making this a particularly important feature
  • an extensive in-house incident response capability to ensure that cyber incidents are dealt with quickly and efficiently in real time. Initial response services are offered with no deductible payable by the insured
  • broader cover for senior executive officers who are regularly targeted in cyber attacks, covering theft of personal funds of individuals as well as those of the company
  • if a suit is brought against directors and officers following a cyber attack, the policy provides affirmative cover in the event that their management liability policy doesn’t respond
  • incident response costs are provided in addition to the policy limit
  • no excess is applied to the initial reporting and investigation costs
  • full systems failure is covered, including resultant business interruption
  • full Supply Chain is covered, including Technology suppliers (and non-Technology suppliers if named)
  • Cryptojacking and Botnetting are included under the definition of Cyber Crime
  • Additional Extra Expense coverage is included for costs above the normal operating expenses of a business
  • Hardware Replacement coverage is included for computer hardware or tangible equipment damaged as a result of a cyber event

Some points to consider when discussing Cyber Risk with your clients

Dealing with a ransomware incident is rarely a simple matter of the ransom payment being made and the business in question automatically regaining access to their systems and data. Even after a ransom payment has been made, and assuming the system can be successfully decrypted, the ransomware can have the unintended side effect of severely impairing the functionality of one or more of a business’s vital systems.

The use of legacy systems can significantly increase the risk of a cyber loss. Generally speaking, legacy systems are not only far more vulnerable to attack, they are also much more susceptible to dysfunction following a cyber attack.

The importance of having data re-creation cover is becoming increasingly apparent. Many cyber policies only provide cover for the cost to recover or restore data from back-ups, but not the costs to re-create or re-enter lost data from scratch. The bulk of the costs to a claim can come from the labour costs associated with manually re-entering data, and brokers should be sure to check that their clients have this important cover in place.

Almost all modern businesses have some form of cyber exposure. Even if a policyholder does not solely rely on their computer systems to carry out work, they will still have an office function that plays a key role in the running of the business. When the computer systems in an office are affected by a cyber event it will almost certainly have a negative impact on the overall business operation, and having a cyber insurance policy in place will provide a valuable safety net for the company.

James Hallam can place cyber insurance in the London Market for businesses domiciled almost anywhere worldwide, so please feel free to get in touch if you would like us to assist you and your clients.