As UK businesses focus increasingly on operational resilience, and in particular on their reliance on digital infrastructure, the consequences of cyber incidents now extend well beyond the technical disruption itself. A growing trend shows major cyber events triggering a rise in claims against Directors and Officers (D&O) insurance policies, placing corporate leadership under heightened scrutiny.
In the UK, regulatory bodies such as the Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA) are intensifying their oversight of cyber resilience and data protection. According to the ICO, data security breaches recorded as a Cyber Incident in the Finance, Insurance and Credit sector between Q1 2023 and Q2 2025 amount to just over 3,000 notifications (ICO Data Breaches), and the number of notifications in Q2 2025 was 37% higher than in the equivalent quarter of 2024.
When a company suffers a breach, particularly one involving personal data, directors may face allegations of failing to implement adequate cybersecurity measures or to manage cyber risk appropriately. These allegations can lead to shareholder litigation, regulatory investigations and reputational damage, all of which may result in D&O claims.
There is considerable scope for a director to incur personal liability for failing to implement and oversee robust cyber risk policies, and such liability may fall within the cover provided by a D&O policy. Board members may have breached their fiduciary duties to the company and its shareholders if they fail to implement appropriate controls or cyber security measures, or fail to consider adequate cyber insurance. Recent case law underscores this risk: for example, the High Court of Ireland imposed personal liability on a director for data breaches in its judgment in Nolan & Ors [2024] IEHC 4.
Expanding data protection regulation, combined with the growth in cyber threats, has made this an item of increasing significance on boardroom agendas. Further, the ICO is empowered to impose personal fines on directors for failing to implement and oversee robust cyber risk policies, and can require directors to give personal undertakings to improve data protection and/or cyber security policies.
Recent analysis of FINEX cyber claims data found that D&O claims tend to follow closely in time after the cyber event or incident that triggered them. This data helps to predict the likelihood, and the timing, of a D&O claim following a cyber event.
Given the intertwined nature of cyber and D&O risk, Willis believe that every firm must have robust business continuity and risk planning in place, including:
a. Insurance efficiency opportunities: Given the interrelated nature of cyber and D&O insurance, leveraging insurer relationships across both lines of coverage can deliver coverage and pricing efficiencies.
b. Improved senior management coverage: In an era where senior managers are increasingly exposed to personal liability, it is imperative to maximise coverage certainty for their personal asset exposure, including in pre-enforcement dealings with regulators before any D&O claim arises.
c. Cyber risk as a strategic priority: To mitigate exposure, UK boards must treat cyber risk as a strategic priority. This includes regular risk assessments, board-level cyber training and transparent communication with stakeholders. As the link between cyber events and D&O claims strengthens, proactive governance is not just prudent, it is essential. Contact the Operational Risk and Resilience team to find out how we can help.