Avoiding coverage gaps in financial institutions’ insurance policies

In today’s digital-dependent landscape, financial institutions face a broad array of cyber threats that challenge their operational integrity and client trust. To address these risks, financial institutions often rely on a combination of directors and officers liability (D&O), professional liability or errors and omissions (E&O), and cyber insurance policies.

The interplay between these policies is fraught with complexities, particularly due to the prevalence of cyber exclusions in D&O and E&O policies. These exclusions can limit coverage for liability claims arising from data breaches and other network security incidents — a risk that most directors and officers believe they have substantially transferred through the purchase of D&O, E&O, and cyber policies.

Attention to detail — and help from the right insurance broker — can enable financial institutions to effectively address this concern.

The evolving challenge of cyber exclusions

Cyber exclusions were originally introduced by insurers as “funneling” exclusions to ensure claims arising from cyber incidents were addressed by dedicated cyber policies, thereby avoiding duplicate coverage under D&O or E&O policies. In practice, however, these exclusions have been interpreted broadly, allowing insurers to wrongfully deny claims that should reasonably fall under D&O and E&O coverage. This creates a significant disconnect for financial institutions that believe their risks have been effectively transferred across these policies.

But not all cyber exclusions are created equal. Wording and breadth vary significantly between insurers and policies, and recent trends indicate a move toward broader and more absolute exclusions. These exclusions reflect insurers’ concerns about the expanding risks associated with technology and cybercrime and the aggregation of such risk across multiple policies that could respond to the same claim. These concerns are exacerbated in the financial sector, as institutions frequently engage in M&A activity and handle sensitive financial data.

Understanding the nuances of these exclusions is essential for financial leaders. Many risk professionals, for example, may be familiar with the dreaded “absolute” exclusionary preamble, often phrased as “based upon, arising out of, in consequence of, or in any way involving…” When followed by terms like “cyber incident,” “data breach,” or “network security failure,” this exclusion can leave very little room for a claim to attach — even when the allegations concern the liability of directors and officers or the provision of core professional services that D&O and E&O policies are specifically designed to protect against.

Why cyber policies alone are not enough

It is a mistake for brokers to view cyber exclusions in D&O and E&O policies as inconsequential or to assume that purchasing a separate cyber liability policy fully mitigates a financial institution’s risk. While cyber insurance policies are vital, their interplay with D&O and E&O policies can create dangerous gaps in coverage that leave financial institutions exposed. For example:

  • The definition of “loss” in cyber policies may be limited and may not encompass all potential liabilities that financial institutions could face, which might otherwise be covered under D&O and E&O policies.

  • Liability coverage under cyber policies often requires a direct connection to a data breach, security failure, or failure to comply with privacy regulations.

  • Stand-alone cyber policies frequently include broad securities exclusions and may also contain exclusions for certain financial services.

  • In blended E&O/cyber programs, the definition of “professional services” typically focuses on technology-related services, which may not be appropriate for financial institutions or adequately capture the full range of services they provide.

So, what happens when an organization’s primary operation as a financial service provider suffers losses due to liabilities resulting from a cyber event? The unfortunate reality is that an insured may be left holding the bag when a cyber incident is excluded or not clearly covered under a cyber policy (for the reasons previously noted) and also excluded or not affirmatively covered under a D&O or E&O policy.

Proactive strategies for insurance brokers and insureds

Imprecise language in cyber, D&O, and E&O policies, coupled with hardline stances by carriers, can lead to liberal interpretations of cyber exclusions and drive negative outcomes for insureds. Moreover, relying solely on cyber insurance may overlook the implications of broader exclusions in D&O and E&O coverage, which could deny claims related to executive decisions made during a cyber crisis.

To mitigate the risks of policy interplay, financial institutions must take a proactive approach during policy negotiations. To do this, it’s vital that they work with experienced insurance brokers who understand the specific nature of financial institutions’ cyber risk and the importance of including the right language in all relevant policies.

Specifically, financial institutions should consider the following strategies:

  • Limit the scope of cyber exclusions: Restrict exclusions in D&O and E&O policies to first-party losses, which should be covered by separate cyber policies.

  • Modify exclusion preambles: Replace absolute preambles with narrower lead-ins, such as “for loss directly from…”

  • Include key exceptions: Add exceptions to exclusions for claims brought by clients, customers, or investors alleging wrongful acts in connection with performing or failing to perform professional services.

  • Address executive oversight in D&O policies: Add carve-backs to cyber exclusions so that claims alleging failed oversight or operational errors by directors and officers remain covered.

  • Use Side A difference-in-conditions (DIC) policies: These policies often do not contain any cyber-related exclusions, providing an additional safety net for executives.

  • Clarify priority between policies: Specify that the E&O policy is primary for professional service failures, with cyber coverage acting as excess. Review the “other insurance” clauses included in all policies.

  • Broaden professional services definitions: Explicitly include the use of technology in the definition of professional services included under E&O policies.

  • Extend insured person coverage: Ensure that CISOs and CTOs are included as insured persons under D&O and E&O policies.

  • Seek clarity from underwriters: Obtain written confirmation of coverage intent to address ambiguous exclusions.

The interplay between D&O, E&O, and cyber policies can expose financial institutions to significant risk if not carefully managed. By working with their brokers to take a proactive approach to policy structuring and negotiations, financial institutions can ensure they are adequately protected in an increasingly complex cyber risk environment.

For more information, contact a member of your Lockton team.