{"id":23898,"date":"2025-05-27T09:58:19","date_gmt":"2025-05-27T14:58:19","guid":{"rendered":"https:\/\/www.bbrown.com\/?post_type=insight&p=23898"},"modified":"2025-06-03T09:23:57","modified_gmt":"2025-06-03T14:23:57","slug":"cyber-and-do-risk-the-dual-boardroom-threat","status":"publish","type":"insight","link":"https:\/\/www.bbrown.com\/us\/insight\/cyber-and-do-risk-the-dual-boardroom-threat\/","title":{"rendered":"Cyber and D&O Risk | The Dual Boardroom Threat"},"content":{"rendered":"

[vc_row row_style=”page-hero” full_width=”stretch_row_content”][vc_column]\n\t

\n\n\t\t
\n\t\t\t
<\/div>\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t<\/div>\n\n\t\t
\n\t\t\t
\n\t\t\t\t
\n\n\t\t\t\t\t\n
\n

Property & Casualty<\/p>\n

\n Cyber and D&O Risk | The Dual Boardroom Threat\n <\/h1>\n\t\n <\/div>\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\n\t<\/div>\n\n\t\n[\/vc_column][\/vc_row][vc_row][vc_column width=”2\/3″]\n
\n \n

\n Cyber and D&O Risk | The Dual Boardroom Threat\n <\/h1>\n\t\n <\/div>[vc_column_text css=””]Cyber risk has emerged as one of the most critical challenges for corporations, setting it apart from more traditional property and casualty risks. Unlike physical losses from fires or natural disasters, a cyber event can represent more than just a financial loss to a balance sheet. These events often expose vulnerabilities in a firm\u2019s governance and risk management capabilities, making them an essential test of leadership for directors and officers (D&Os).<\/p>\n

For a public company, the stakes can be even higher: a significant cyber event can trigger dramatic share price declines as markets react to the disclosures and potential lawsuits from investors alleging shareholder loss or negligence in oversight or preparedness. Understanding the relationship between cyber and D&O risk and exploring the impact of alleged shareholder loss following cyber events is essential.<\/p>\n

Understanding the Cyber and D&O Connection<\/h3>\n

Cyber: A Top Concern for Directors and Officers<\/h4>\n

Cyber risk consistently ranks among the top concerns for directors and officers1<\/sup>, reflecting its role in corporate stability and the level of influence D&Os have over managing this risk. While awareness is growing, many firms remain unaware of the link between cyber incidents and D&O liability. This disconnect can leave firms ill-prepared for financial and operational fallout following a cyberattack.<\/p>\n

SEC Cyber Disclosure Rules: A New Era of Accountability<\/h4>\n

Regulatory requirements have evolved to reflect the heightened importance of a board\u2019s role in cyber risk management. The SEC\u2019s updated 8-K disclosure rules mandate that companies disclose material cybersecurity incidents within four business days of determining their impact, including qualitative and quantitative assessments. Yet, compliance has been inconsistent: 73% of early disclosures from firms did not determine materiality, suggesting firms struggle to quantify the full extent of costs\u00b2. This gap in preparedness may leave D&Os vulnerable to claims of insufficient governance and oversight.<\/p>\n

The Rising Frequency of Cyber Events<\/h4>\n

The frequency and cost of breaches continue to rise at an alarming rate\u00b3. While not always publicly reported, ransomware attacks and business interruption compound this risk, with numerous studies and high-profile events showing their prevalence and damage\u2074. This rising threat highlights the importance of strong cybersecurity preparedness to avoid these incidents escalating into a crisis with board-level implications.<\/p>\n

\"\"<\/h4>\n

The Subsequent D&O Liability<\/h4>\n

As cyberattacks rise, so have D&O claims tied to these events. Securities class action (SCA) filings related to data breaches have surged in recent years\u2075, driven by investors alleging economic losses often tied to drops in share price following the disclosure of a cyber event. While public companies are particularly vulnerable to these securities suits, privately held firms are not immune\u2076.<\/p>\n

The financial stakes of these claims can be substantial. In 2024 alone, just three data breach-related SCAs resulted in settlements totaling $560 million,\u2075 marking some of the largest payouts in history. Even when these suits are unsuccessful, the equity declines that often follow cyber events remain highly relevant to corporate leadership and investors. Shareholder value can be eroded by short-term market reactions and long-term underperformance, making cyber risk a persistent concern for investors and boards alike.<\/p>\n

Shareholder Loss Following Cyber Events<\/h3>\n

Cyber incidents often result in sharp, immediate declines in stock prices as investors react to the potential operational and reputational fallout. Some studies have reported average stock price drops of over 7%5<\/sup> immediately following a breach disclosure. However, share declines can be far more extreme for certain industries and high-profile events.<\/p>\n

Prolonged underperformance of the share price is another critical consequence of cyber events. It can take an average of 46 days to rebound to pre-breach levels.5<\/sup> Even after recovery, firms can still underperform market indices long-term. Research conducted by Moody\u2019s finds that even moderate-impact cyber events can result in abnormal equity returns over a longer time period, with average cumulative underperformance over a 12-month period of over 5%.\u2077<\/p>\n

Securities Class Action Suits: Alleged Shareholder Loss<\/h4>\n

To understand the magnitude of shareholder loss for more extreme breaches, consider the share price drops referenced in securities class action filings related to cyber events.<\/p>\n

Zywave\u2019s Loss Insight Feed for cyber and D&O risk is used to identify a set of SCA lawsuits tied to cyber events. For this analysis, all references to stock price declines are extracted from the corresponding complaint filings and reviewed. Many of these complaints cite publicly available news sources\u2014rather than conducting detailed market analyses\u2014to establish the basis for shareholder loss surrounding the class period. Occasionally, a complaint will outline multiple stock price drops over multiple trading days. In these cases, the cumulative return over all referenced trading days is calculated.<\/p>\n

\"\"<\/p>\n

Figure 2: Equifax Closing Share Price: Aug. 2017 \u2013 Nov. 2017\u2078<\/em><\/p>\n

The full distribution of share declines is shown below:<\/p>\n

\"\"<\/em><\/p>\n

Figure 3: Securities Class Action Complaints Following Cyber Events \u2013 Alleged Shareholder Losses<\/em><\/p>\n

The alleged losses are significant, with the average share drop for the sample of cyber-related SCA filings being over 18%. While complaints tended to focus on the immediate market reactions following the disclosure of an event, rather than any long-term underperformance, the distribution provides important context for firms looking to understand potential D&O losses following a cyber event.<\/p>\n

However, cyber-specific data remains limited, with few finalized SCA settlements from which to draw. To address this gap, consider the broader population of all SCA suits to understand how market capitalization declines can correlate with potential settlements. Below, the declines in market capitalization are in dollars rather than percentages, since larger, well-capitalized firms will generally have larger market cap declines and deeper pockets for potential payouts . This broader dataset of events allows us to approximate potential D&O losses from cyber events, even when direct cyber-related SCA precedent is scarce.<\/p>\n

\"\"<\/p>\n

The fitted distributions above show a clear correlation between market capitalization declines\u2079 and securities class action10 settlements. This relationship, however, reinforces the many sources of financial risk that public companies face following a cyberattack. Firms first encounter uncertainty in the direct costs of a cyberattack, from extortion demands to liability and incident response costs. Following an attack, they face uncertainty in the magnitude of market cap declines, as indicated in the distribution of stock price declines observed in cyber-related SCA filings. Finally, even with a given market cap decline, D&O liability can vary significantly.<\/p>\n

Understanding these different dimensions of risk is important for refining cyber risk management and insurance strategies. Modeling various distress scenarios and their financial impacts, including potential market cap declines and corresponding SCA settlements, can enable more informed decisions regarding insurance coverage, financial reserves and governance measures. Such proactive modeling and the recommendations provided in the next section will help companies better prepare for the financial implications of cyber incidents and mitigate potential shareholder losses and D&O claims.<\/p>\n

Managing the Dual Threat: Recommendations for Firms<\/h3>\n

Effectively managing the interconnected risks of cyber and D&O requires a proactive approach.<\/p>\n

1. Understand Existing Cyber and D&O Programs<\/strong><\/p>\n