Navigating the Crossroads of D&O and Cyber Insurance in a Shifting Risk Landscape

As cyber incidents increasingly trigger boardroom consequences, the lines between cyber and D&O insurance are blurring. We explore how organizations can navigate overlapping exposures, avoid coverage gaps, and build a more resilient risk management strategy.

May 3, 2025

As cyber threats intensify and corporate governance grows more complex, the intersection between directors and officers (D&O) liability and cyber insurance has become increasingly relevant. Understanding how these policies complement one another, where they overlap, and where they leave potential coverage gaps is essential for organizations seeking comprehensive protection.

“These two coverage lines, which were once distinct, are now converging frequently,” said Steve Anderson, Cyber Insurance Director at Safety National. “This pairing is being driven by regulatory environments, litigation trends, and evolving risk exposures, but they both can be essential for an organization in effectively managing risk across operational, technological, and executive levels.”

Here, we explore how these two insurance lines have become more intertwined, including through claims and regulatory trends.

1. Market Landscape and Growth Outlook

Both cyber and D&O insurance lines are growing rapidly. The D&O market represents $25 billion globally in gross premium written (GPW) with a 9% compound annual growth rate (CAGR). Of the $25 billion in GPW, public organizations represent $15-$16 billion, private organizations represent $8 billion, and nonprofits represent $2 billion. The U.S. cyber insurance market accounts for approximately $17-$18 billion, but is projected to reach $25 to $30 billion in the next five years, with a 15-17% CAGR.

2. Coverage Breakdown: Structure and Purpose

First-party cyber insurance refers to coverage that protects an insured organization from the direct losses of a cyber incident, and may include coverage for business interruption, data restoration, cyber extortion, and response costs. Third-party cyber insurance provides coverage for claims made against an organization by customers, clients, regulators, or partners who are affected by a cyber incident resulting from the organization's actions, negligence, or data security failures.

D&O insurance is strictly third-party, but includes side A, B, and C coverage. Side A covers individual directors and officers when the company cannot indemnify them, side B reimburses the company for indemnifying those individuals, and side C covers the company for its own liability. D&O policies define claims broadly, and a claim can include lawsuits, regulatory investigations, and criminal proceedings.

3. Market Innovations and Convergence

The D&O market has experienced a rise in Chief Information Security Officer (CISO)-specific coverage following litigation. For example, the SolarWinds cyber incident highlighted how a CISO could be held personally liable for cybersecurity failures, especially when tied to governance or disclosure issues. These cross-functional risks have led to more blended policies, responding to gray areas, especially where CISOs are named in lawsuits but are not legally defined as officers.

4. Claims Triggers and Exclusions

Claims timing, exclusions, and warranty application differ significantly across the two lines and must be coordinated during underwriting. In cyber policies, coverage is triggered for claims made within a policy period, but only for incidents that occurred after a specific date. For D&O, coverage is more nuanced. Claims must be made during the policy period, and coverage may exclude any litigation that was pending or known before the policy started. These terms can vary across primary and excess layers.

Some exclusions, like warranty clauses, have seen resistance from brokers in a soft market. Warranty clauses, in both cyber and D&O lines, require an insured to note that they are not aware of any facts or circumstances that may give rise to a claim. They may be interpreted as harsh, especially when the knowledge standard for a policy is ambiguous.

5. Litigation and Regulatory Trends

Litigation has grown in both markets, but plaintiff firms are targeting breaches with a market cap impact, making D&O risk more acute for public companies. Class action lawsuits following a breach have spiked, more than doubling from 2022 to 2023. Regulatory enforcement is also increasing. Due to short-staffing, the Securities and Exchange Commission (SEC) has become more selective, pursuing more high-profile cases to set an example for the rest of the market.

6. SEC Cyber Disclosure Guidelines

Under new rules, organizations must disclose material cyber incidents and outline governance processes in filings. However, with the new Trump administration and SEC leadership, regulation rollbacks may be possible. Private companies are still governed by fiduciary duty and disclosure standards under state law. Compliance may change in the future, but disclosing cyber risk should remain a board-level priority.

While business models may determine coverage priorities between cyber and D&O, timely reporting is still essential for both insurance lines. Cyber threats will continue to grow, and litigation will evolve, making cyber and D&O alignment a foundational strategy for companies.