The rising risk of cyber-related class actions

Organisations who fail to have cyber insurance could be at risk of class actions for neglecting to adopt the coverage, according to Lockton’s Peter Jackson.

Package delivery company FedEx said a June cyber attack on its Dutch unit, for which it did not have insurance, sliced $300 million from its quarterly profit. The company said it is “re-examining” buying cyber insurance because of the attack.

Commenting on the FedEx story on LinkedIn, Peter Jackson, director of multi national clients at Lockton Wattana Thailand, said: “I hear this all too often: ‘we’ll buy some cyber insurance if we ever have a problem’.

“It’s amazingly naive and going to cost you a lot of money to persuade an insurer that after the cyber event you’re a better risk than before. Shareholders might also ask if saving a couple of million dollars for a substantial cyber programme was good use of their funds.

“So far class actions have not been successful against boards for negligence in not protecting against cyber risks, but Fedex and Equifax may provide the opportunity for class action lawyers to try again. In which case there had better be a good D&O insurance policy in place,” added Jackson.

Dean Carrigan, managing partner of Clyde & Co said cyber-related class actions and claims which are related to significant data breaches are already a feature of the US landscape.

“Recent US actions brought against a range of companies including Target, Home Depot, Anthem, Neiman Marcus and Equifax are all rooted in underlying data breaches, or from the consequences of failing to appropriately respond to, manage and disclose the incidents.”

Carrigan said this increased risk exposure needs to be understood and taken into account by D&O underwriters.

“It is likely to have an impact on both premium rates and policy terms and conditions. The former are likely to increase and the latter, depending on the actual claims experience, may well over time narrow as underwriters adjust the available coverage for such exposures to take into account any increased losses incurred,” he said.

Carrigan said insurers can assist their insured clients prepare for and mitigate potential cyber related class actions in a number of ways.

“Prevention is better than cure. Key to this is to strongly encourage boards and senior executives to own a problem, ensure that IT security systems and staff awareness and training are sufficiently robust. Boards should also set the appropriate ‘tone from the top’ as regards the critical business importance of cyber awareness and IT security,” added Carrigan.