Utilizing D&O Insurance Coverage for Cyber Claims

Joshua Gold


October 21, 2021

D&O Cyber insurance

As the frequency of regulatory action and large shareholder class action securities and derivative litigation targeting senior management in the wake of cyber incidents increases, many policyholders are turning to their D&O insurance policies for coverage. D&O insurance is particularly important when cyber insurance is unavailable, was not purchased, or contains an exclusion for “securities claims.” For a host of reasons, this coverage needs to be available when directors and officers are targeted in shareholder suits or when the company comes under regulatory scrutiny in the wake of cyberattacks.

There are also circumstances in which allegations in non-securities suits of negligence or wrongdoing on the part of company officers or directors that enable cybercrime potentially trigger D&O coverage. D&O insurance companies often resist claims of this sort, on various grounds. However, two recent decisions by the U.S. Fifth Circuit affirmed coverage for cyber claims in which a policyholder’s clients or business partners sought redress for alleged company errors.

In a recent D&O insurance coverage case involving a cyber claim, HM International, LLC v. Twin City Fire Insurance Co., a Fifth Circuit panel reversed a district court ruling that had excused a D&O insurance company from providing D&O coverage for a negligence claim made by a third party. The policyholder’s CFO had transferred $1 million from client accounts to cybercriminals in response to an email in which a fraudster posed as a client of the firm. Thereafter, the clients sought recovery from the policyholder, making, among other things, a claim for indemnity against the policyholder due to its alleged negligence in falling for the email scam. The policyholder sought D&O coverage for the clients’ demand, but the insurance company denied the claim. The policyholder then settled the clients’ claim for $470,000 without litigation and sued the D&O insurance company for coverage.

The insurance company denied the claim on grounds that the policyholder settled with its clients after the expiration of limitations for the clients’ underlying negligence claims. The insurance company also claimed that there was no coverage because the policyholder settled prior to the clients filing suit, so there was no “adversarial process.” The district court accepted these arguments in summary judgment. The Fifth Circuit panel reversed.

The D&O policy in question provided that it would cover “loss on behalf of an insured entity resulting from an entity claim first made against such insured entity during the policy period or extended reporting period, if applicable, for a wrongful act by an insured entity.” The policy’s definition of “loss” included “defense costs and damages.” “Damages” was defined to mean “the amounts, other than defense costs, that the insureds are legally liable to pay solely as a result of a claim covered by this liability coverage part, including: settlement amounts.”

The D&O policy promised insurance coverage for “entity claim[s],” which included coverage for a “written demand for monetary damages or other civil non-monetary relief commenced by the receipt of such demand.” 

The Fifth Circuit vacated the district court judgment in favor of the D&O insurance company on grounds that the district court had misconstrued the policy’s definition of a “claim”:

[T]he district court did not account for the policy’s definition of the term “claim,” instead treating it as synonymous with “cause of action.” That error is apparent from the court’s referring to a “claim barred by the statute of limitations.” A cause of action can certainly be time-barred by a statute of limitations. But the policy’s definition of “claim” includes a “written demand for monetary damages or other civil non-monetary relief”—i.e., a Demand Letter—which cannot.

With those two misinterpretations clarified, the settlement payment’s inclusion in the policy becomes clear. The policy covers “Loss . . . resulting from an Entity Claim.” The demand letter that the Geibs’ attorney sent to HMI constitutes an Entity Claim because it is a “written demand for monetary damages or other civil non-monetary relief.” The HMI’s settlement payment constitutes a Loss because it is an amount that HMI is legally liable—through contract—to pay to the Geibs as a result of the demand letter.

The policy does not require that the party suing the insured win a judgment.

In short, the demand for monetary damages from the policyholder’s client constituted a claim, and that claim was not time-barred.

In another D&O case, also from the Fifth Circuit, Spec’s Family Partners, Ltd. v. Hanover Insurance Co. (S.D. Tex. Jul. 23, 2019), a panel addressed coverage for payment card industry claims for “liability assessments” following the breach of credit card data processed through a retailer’s systems. After getting hit with two separate hacks of its computer systems, compromising credit card information, the policyholder’s merchant bank claimed over $7 million in damages against the policyholder and alleged non-compliance with PCI Data Security Standards. The policyholder sought coverage for defending against the claims made in the demand letter and for funding a lawsuit it launched itself against its merchant bank in furtherance of the defense of the demand letter. The D&O insurance company relied on a contractual liability exclusion to deny insurance coverage. 

The Fifth Circuit ruled that the exclusion for breach of contract does not preclude defense coverage for the policyholder. On remand from the appellate court, the trial court found a defense owing to the policyholder, since the Fifth Circuit had found that the exclusion for contractual liability did not apply to the claims arising out the merchant bank’s demand letter, which included allegations of liability that did not depend upon the merchant agreement.

The D&O insurance company also was required to fund the affirmative lawsuit commenced by the policyholder against the merchant bank. The insurance company argued that a duty to defend can never encompass an obligation to fund an affirmative suit by the policyholder against the underlying claimant.

As the above cases make clear, policyholders may have insurance coverage for cyber-related claims under their D&O policies and such coverage may not be solely limited to securities litigation from investors. Accordingly, when a cyber claim is made, consider insurance policies beyond just specialty cyber policies, including D&O insurance, E&O insurance, crime insurance, and other commercial policies that may afford protection.

Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, published in 2022 by the Practising Law Institute.