How Will Cyber Risk Evolve D&O?

The fallout from the recently discovered two-year-old Yahoo breach is substantial. The first customer suit for breach of privacy has already been filed, with more expected. Verizon is reevaluating the $4.83 billion cash deal on the table to buy Yahoo’s web assets, and some predict a $1 billion drop in their offer.

A derivative suit against the directors and C suite for shareholder value losses can’t be far behind. Will Yahoo’s D&O policy cover liability from a billion-dollar loss? It may not, and many corporate directors are watching to see how it plays out.

Prudent board candidates have long demanded that directors’ and officers’ insurance be in place before accepting a board seat, and now D&O coverage is the default. The magnitude of losses in recent years from cyber breaches – through consumer class actions, customer data loss, and reputational damage – has significantly increased the exposure D&O insurers face, and it is becoming an issue for underwriters. While at least one carrier has carved out cyber risk from its policies, most haven’t. Unease prevails, since the lack of predictive analytics makes it difficult for underwriters to analyze the risk of post-breach derivative suits in order to set rational rates.

What changes could occur to D&O coverage?

1. Base rates on external risk measures
   Earlier this year, FICO itself announced the acquisition of QuadMetrics and its plan to develop a “FICO Enterprise Security Score” to help underwriters predict cyber risk. Many other businesses are springing up to offer FICO-like scores. All these scores are based upon analyses of external data gathered from multiple sources. It’s too early to tell how effectively they will predict breaches by themselves, but their aggregations of external information will likely be part of the coming changes.
2. Base rates on assessment of internal risk measures
   Current solutions don’t incorporate internal information provided by the insureds on the cyber controls they have in place. As we pointed out in a previous post, “Imagine how accurate FICO could be if, rather than relying on credit history, they had unlimited access to a consumer’s detailed financials (e.g., financial account statements) and could ask questions of their financial advisor. The same is true in cybersecurity: an understanding of existing internal controls can enable a meaningful list of prioritized actions to guide ongoing improvements.”
3. Base rates on continual assessment of internal and external measures of risk.
   Peter Drucker famously said, “What gets measured gets improved.” Continually measuring cyber risk and acting to mitigate it may be the best course, both for insureds and insurers. Offering preferred rates for organizations that incorporate a program of continual improvement and regular external ratings helps the insureds by decreasing the likelihood of a breach while preparing them to respond quickly if one does happen. It helps the insurers by constantly improving aggregated risk across their portfolio of clients while ensuring the best possible rates for coverage.

If option 3 is optimal, the biggest challenges is acquiring the required internal information. Organizations fear increasing their cyber exposure by releasing details of their internal cyber measures.

In our experience, companies will share anonymized internal data if two conditions are met:

1. Anonymity must be guaranteed.
   The promise to hold the data in a secure repository where all of it is kept anonymously and used to develop predictive analytics is being widely accepted.
2. Significant benefits must be delivered.
   Insureds are willing to share their data if they gain access to a platform that enables them to monitor and mitigate risk in an organized way based on industry standards. By aligning and prioritizing needed actions according to accepted industry standards, they progress from simply applying the best defensive technologies (a needed part of the solution) to taking an ordered approach to the problem and engaging everyone from board down in overseeing and managing cyber risk.