D&O series - Evolving risks in the boardroom: A new era of D&O liability - Part 2

Part 2: Navigating the cyber storm: How Moody's equips D&O insurers for digital-age risks

In the rapidly evolving digital landscape, the interconnectedness between cyber risk and directors and officers (D&O) insurance has never been more pronounced. This relationship is spotlighted in a series of industry analyses and reports, underscoring the pressing need for sophisticated risk management solutions, such as those provided by Moody's.

A pivotal October 2024 report by QBE Insurance Group, titled "Connected business: digital dependency fueling risk," offers a comprehensive overview of the current cyber threat landscape. It notes that a single incident — the CrowdStrike outage — inflicted an estimated $5.4 billion in damages and wiped $25 billion off Fortune 500 companies’ market value. This incident serves as a stark reminder of the cascading effects of cyber vulnerabilities, with QBE emphasizing the increasing likelihood of multifaceted cyber incidents causing widespread disruption across numerous companies simultaneously.

"As technology interdependencies grow, we expect more cyber incidents to disrupt many companies in a single attack, meaning businesses are more likely to experience a disruptive cyber event," the report warns. Furthermore, QBE's research in the United Kingdom reveals significant disruption, with 69% of medium-to-large businesses affected by cyber events in the past year alone.

The ramifications of cyber incidents extend beyond immediate operational impacts, posing a direct challenge to D&O insurance. Industry leaders, including Airmic in collaboration with Marsh and AIG, highlight the scrutiny on board members and senior management in the aftermath of cybersecurity breaches. The failure to implement, monitor, or oversee adequate cyber and data protection controls can lead to allegations of breaching fiduciary duties.

Beazley, in its 2022 article "Navigating the shifting business risk landscape," supports this, indicating that poorly managed cyber incidents could evolve into D&O claims against a company's executives. Echoing this sentiment, WTW's September 2024 piece "The rising frequency of D&O exposures following material cyber incidents" points to a tangible increase in D&O claims post-cyber events. The article elaborates on how significant cyber incidents can lead to D&O events, such as shareholder class actions or derivative suits, with research indicating a 43%-50% likelihood of companies facing such challenges after a major cyber event.

The landscape is further complicated by regulatory developments, such as the Securities and Exchange Commission’s cybersecurity disclosure rules introduced in July 2023. Reed Smith's analysis suggests that these new requirements are likely to spur an increase in lawsuits alleging breach of duty or oversight claims, with D&O insurance playing a crucial role in coverage.

WTW's research uncovers key insights into the cyber-D&O nexus, noting a dramatic increase in the risk of a securities class action, from 5% to 68%, following a substantial cyber incident. This research also suggests growing evidence of a correlation between D&O events and the state of a company's cyber hygiene, indicating that cyber incidents often lead to corporate derivative suits alleging insufficient oversight by directors and officers.

Amid the growing concern over cyber threats and their impact on D&O liabilities, Moody's, through its acquisition of Praedicat, introduces an invaluable asset for D&O underwriters — the SCA Tracker. This specialized tool tracks Securities Class Action (SCA) lawsuits, shedding light on the tangible consequences of cybersecurity lapses.

Since 2021, the SCA Tracker has identified 14 SCAs against companies alleged to have made misstatements regarding their cybersecurity internal controls, underlining the legal and financial stakes at play.

In 2023, notable SCAs were filed against Dish Network and Block, each stemming from distinct cyber incidents that affected these companies individually. The trend continued into 2024, with two significant cyber-related SCAs capturing the industry's attention. A data privacy breach at UnitedHealthcare in February led to an SCA by May, showcasing the quick turnaround from incident to legal action. Similarly, the widely publicized CrowdStrike outage, resulting in substantial business interruption, saw an SCA filed in July — less than two weeks post-event. These examples not only illustrate the rapid progression from cyber incident to legal action but also emphasize the critical role of Praedicat's SCA Tracker in equipping D&O underwriters with essential insights to navigate this evolving risk landscape.

Further research by WTW and Clyde & Co in the influential “Global Directors and Officers Survey Report 2024” notes that, even though cyber risk was knocked off the top spot for the first time in quite a while, “In 2024, cyberattacks had [their] highest percentage in terms of risk rating for the last four years, coming in at 79%.”

The pressing issue of cyber risk's impact on D&O insurance is succinctly captured by Aon's assertion that "cyber risk is D&O risk." This statement encapsulates the essential need for robust analytics and risk management solutions, such as those Moody’s offers, to navigate the complex interplay between cyber threats and D&O liabilities.

According to a Marsh McLennan Cyber Risk Analytics Center study, cybersecurity performance as measured by Bitsight is statistically significantly correlated with the likelihood of cybersecurity incidents. This is corroborated by a more recent report by Gallagher Re in October 2024, which presents the findings of a study of Bitsight security performance data and Gallagher Re's own proprietary database of cybersecurity incidents and claims. The study concludes that poor performance in certain key areas increases an organization’s risk of experiencing a cybersecurity incident and a subsequent claim, while strong performance implies a lower risk of incident. As industry leaders and insurers alike grapple with these complex challenges, reliance on trusted data analytics becomes increasingly critical.

Moody’s cyber risk solution, in partnership with Bitsight, covers 360 million companies with firmographic cyber models and 6.6 million companies with detailed technographic cyber models; it is designed to help D&O underwriters identify cyber risks and understand the potential for cyber incidents. This allows underwriters to make more informed decisions by highlighting companies with a lower risk of breach or ransomware attack and with strong cybersecurity performance, meaning they are less likely to run afoul of the lawsuits or oversight concerns noted above. We help integrate cyber risk monitoring into underwriting workflows, so insurers can continually assess their portfolio’s security health based on historical cyber risk data and underwrite policies with confidence. Underwriters can also identify and address exposures to evolving risks and vulnerabilities among existing policyholders.

To extend cyber insights to smaller organizations and enhance underwriting across the entire portfolio, we have introduced the Implied Cyber Threat (ICT) score. The ICT is an offering built on Bitsight’s leading cyber risk analytics engine and Moody’s Orbis company database, providing cyber risk insights and valuable market context for more than 325 million organizations worldwide — the highest coverage in the market by a factor of over 25x.

The ICT quantifies the inherent cyber risk for an organization based on Moody’s leading firmographic indicators including company size, sector, and geography, plus a unique subset of Bitsight’s risk vectors including botnet infections and open ports. The result is a highly actionable inherent risk indicator, with a significant correlation to breach and ransomware. Entities with very high risk are nearly 11x more likely to experience a security incident compared with very low-risk entities.

Bitsight 2024 case study

In the landscape of cybersecurity, predictive analytics and security ratings play a crucial role in forewarning organizations about potential vulnerabilities and threats. A compelling case study that underscores the predictive power of Bitsight's analytics involves an organization that faced significant cybersecurity challenges. This narrative not only highlights Bitsight’s effectiveness but also serves as a cautionary tale for companies navigating the complex cyber threat landscape. The organization in question was classified under the "Very High Risk Implied Cyber Threat" category based on its firmographic profile. This classification suggested that it was nearly 11 times more likely to encounter a cybersecurity incident compared with companies categorized as "Very Low Risk" in their sector. This stark difference underscores the predictive capability of Bitsight's firmographic analysis in identifying potential cyber threats.

There was an additional alarming observation that over the 12 months leading up to a cybersecurity incident, the organization's Bitsight Security Rating plummeted by 80 points. This significant drop was not just a number but a clear indicator of the organization's declining cybersecurity performance. Such a drastic decrease in the security rating is a red flag signaling underlying vulnerabilities and a heightened risk of attack.

By the time the cyberattack was announced, the organization's Bitsight rating had fallen to 640, placing it in the bottom 10% of its industry peers. This low rating was indicative of a severe risk, making the organization 4.6 times more likely to experience a ransomware event and 3.2 times more likely to suffer from a cybersecurity incident.

These statistics vividly illustrate the correlation between Bitsight's security ratings and the likelihood of facing cyber threats. Compounding the issue, Bitsight data revealed that for the past three years, the organization consistently received D’s and F’s in Patching Cadence. This poor performance in keeping software up to date made it 3.2 times more susceptible to cybersecurity incidents. Patching Cadence is a critical measure of an organization's ability to apply security updates in a timely manner, and failing to do so significantly increases the risk of exploitation by cybercriminals.

This case study exemplifies the predictive power of Bitsight's analytics and security ratings. By providing actionable insights into cybersecurity performance and potential threats, Bitsight allows organizations to proactively address vulnerabilities and reduce the risk of cyber incidents.

In conclusion, as the digital landscape evolves and cyber threats become ever more complex, the imperative for D&O insurance to adapt through enhanced risk selection and pricing becomes clear. Moody's is at the vanguard of addressing this need, providing D&O underwriters with a sophisticated array of tools and insights designed to navigate cyber risk’s intricacies. This offering helps underwriters refine their risk selection processes and adjust pricing with a higher degree of precision. Moreover, it empowers them to take a proactive stance with existing policyholders, identifying potential vulnerabilities and guiding them toward improved cybersecurity measures. With Moody's as their ally, underwriters are better equipped to manage the dynamic nature of cyber risk, contributing to a more resilient and informed D&O insurance landscape in an interconnected world where managing cyber risk is crucial for success.
