
Guest Post: Cybersecurity Risks & the Potential Impact on D&O Insurance

By Kevin LaCroix on January 23, 2026

As readers of this blog know well, cybersecurity issues can be an important potential source of directors’ and officers’ liability risk exposure. In the following guest post, Arlene Levitin, Esq., takes a detailed look at the many ways that cybersecurity-related issues can translate into D&O liability risk and insurance concerns, particularly with the advent of artificial intelligence technology. Arlene is Claims Officer, Complex Management Liability, NAS Financial Lines Claims, Liberty Mutual Insurance. I would like to thank Arlene for allowing me to publish her article as a guest post on this site. Here is Arlene’s article.

************************************

Cybersecurity risks are cyber events that may compromise the confidentiality, security and availability of information. Whether caused by a system or network flaw, a malicious actor, or some other error, cybersecurity risks[1] threaten sensitive information ranging from an individual’s Personally Identifiable Information (“PII”) to proprietary corporate information.

Within the insurance landscape, cybersecurity risks are often associated with Cyber Liability policies. However, in recent years, the advent of Artificial Intelligence (“AI”) and its vast capabilities have prompted many businesses to implement AI in their operations and functions. The growing number of corporations using AI illustrates how cybersecurity risk can reach Directors, Officers & Company Liability (“D&O”) insurance, and it has already resulted in increased litigation against companies and their directors and officers (“D&Os”). Corporations may face greater cybersecurity risks as courts and regulators seek to implement oversight and compliance standards. This article provides an overview of cybersecurity risks that may impact corporations and their D&Os and offers proactive measures that may help companies prepare for and mitigate potential risk.

Historically, cybersecurity risks have not been thought of as a corporate governance issue. However, with the rapid growth and use of AI among companies, coupled with the global and occasionally ominous population of the world-wide web, cybersecurity risks and related litigation now pose greater risk to corporate boards, which could face exposure stemming from cybersecurity incidents. Such risks include litigation brought by shareholders or regulators against D&Os asserting claims for breach of fiduciary duty for failure of oversight; misleading, inaccurate or incomplete disclosures related to cybersecurity risks; slow or inadequate response to cyber incidents; and Cyber-Washing[2].

Cyber-Washing is when a company materially overstates its cybersecurity readiness to the public and investors.  Companies alleged to engage in cyber-washing may face securities litigation if a breach occurs that demonstrates that the company made material misrepresentations regarding their readiness to respond to cyber incidents.   This expands the bounds of corporate oversight and potentially leaves corporate boards responsible for exposure caused by cybersecurity events.

Cybersecurity risks as a corporate governance issue have already been previewed in the D&O Insurance space, with at least twelve (12) AI-related securities class action lawsuits filed in 2025 that alleged, among other things, claims for “AI Washing”.[3] As regulatory efforts to hold companies accountable increase, so too does the potential impact on D&O liability. In addition to securities litigation arising from claims alleging AI Washing, cybersecurity incidents may result in litigation against companies by shareholders or regulatory bodies alleging that corporate leadership failed to properly manage cybersecurity risks, implemented inadequate safety measures, or did not disclose cybersecurity vulnerabilities, any of which may result in financial losses, reputational harm, and/or regulatory violations.

In other words, cybersecurity related litigation against companies and their D&Os will likely assert the causes of action that are the hallmark of D&O litigation:

Breach of Fiduciary Duty: failure of D&Os to implement, monitor and oversee protective controls for cybersecurity related risks.

Disclosures: failure to disclose known vulnerabilities or material cyber incidents to investors, or Cyber-Washing (i.e., overstating security safeguards).

Mismanaged Response: failure of a company to timely respond following a cybersecurity incident, which may cause financial losses or reputational harm.

Cybersecurity related litigation against companies and their D&Os may also arise from the False Claims Act (“FCA”).  The FCA is a U.S. federal law that prohibits people and companies from defrauding government programs, mainly by submitting false claims for payment, and allows private citizens (i.e., whistleblowers) to sue on behalf of the government, receiving a portion of any recovered funds[4].  The FCA provides that any person who knowingly submits, or causes to submit, false claims to the government is liable for three times the government’s damages.[5]  

In an effort to use the FCA to pursue cybersecurity related fraud, the Department of Justice (“DOJ”) created the Civil Cyber-Fraud Initiative.[6] The Civil Cyber-Fraud Initiative[7] uses the FCA to pursue government contractors that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate contractual obligations to monitor and report cybersecurity incidents. This allows the government to seek treble damages plus penalties for each violation of the FCA against companies and their D&Os, subject to the applicable standard that requires actual knowledge, deliberate ignorance, or reckless disregard.

Significantly, under the Civil Cyber-Fraud Initiative, a data breach is not required; potential liability may be triggered by a company falsely certifying compliance with cybersecurity standards. Another way the FCA may be used to pursue companies and their D&Os is through Qui Tam lawsuits (i.e., lawsuits brought by a private individual, or whistleblower, against a company on behalf of the government for allegedly violating the FCA). One example from 2025 involves a DOJ settlement with a life sciences company that allegedly violated the FCA by selling genomic sequencing systems to the government that had cybersecurity vulnerabilities[8].

While some level of uncertainty is inherent in risk, there are steps companies can take to safeguard against and try to mitigate potential exposure posed by cybersecurity risks. Such proactive steps may include:

Board Oversight & Awareness: Companies should ensure their D&Os are familiar with the cybersecurity safeguards and practices in place, and have a plan in place to address potential cybersecurity incidents.

Stay Informed: D&Os should routinely review their company’s cybersecurity practices and policies and should update these processes if warranted, as regulatory and compliance standards continue to be developed and implemented by courts and regulatory bodies[9].

Insurance: Companies can increase their readiness to respond to potential cybersecurity risks by maintaining and reviewing their insurance programs and familiarizing themselves with the coverage available under their D&O policies (third-party liability) and cyber liability policies (first- and third-party liability) to ensure optimal preparedness. Companies should also carefully review their policies’ language to familiarize themselves with the coverage available.

__________________________________________

Arlene Levitin, Esq.

Claims Officer, Complex Management Liability

NAS Financial Lines – Liberty Mutual

arlene.levitin@libertymutual.com


[1] https://hyperproof.io/resource/what-is-cyber-risk/#:~:text=Put%20simply%2C%20if%20you’re,of%20your%20data%20and%20systems

[2] https://riskandinsurance.com/rising-do-exposures-as-geopolitical-shifts-cyber-threats-and-ai-reshape-risk-landscape/

[3] https://www.aon.com/en/insights/articles/responding-to-cyber-attacks-how-directors-and-officers-and-cyber-policies-differ

[4] https://www.google.com

[5] https://www.justice.gov/civil/false-claims-act#:~:text=The%20False%20Claims%20Act%20(FCA)%20is%20a,*%20**Prohibiting%20conspiring%20to%20commit%20these%20acts**

[6] https://www.dandodiary.com/2025/08/articles/cyber-liability/cybersecurity-and-false-claims-act-liability-exposure/#:~:text=On%20July%2031%2C%202025%2C%20the,cybersecurity%20vulnerabilities%20to%20federal%20agencies.&text=There%20is%20one%20particular%20aspect,this%20kind%20of%20regulatory%20vulnerabilit

[7] https://www.justice.gov/archives/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

[8] https://www.justice.gov/opa/pr/illumina-inc-pay-98m-resolve-false-claims-act-allegations-arising-cybersecurity

[9] https://www.aon.com/en/insights/articles/responding-to-cyber-attacks-how-directors-and-officers-and-cyber-policies-differ


Kevin M. LaCroix is an attorney and Executive Vice President, RT ProExec, a division of RT Specialty. RT ProExec is an insurance intermediary focused exclusively on management liability issues.

Posted in: Corporate & Commercial, Financial, Insurance
Blog: The D&O Diary