
What Directors & Officers Need to Know About Cyber Risks in 2025

Directors & Officers (D&Os) need to have a cyber insurance policy to protect their own personal liability.

As cyber threats escalate, businesses – in particular their directors and officers (D&Os) who are increasingly held accountable – must stay ahead of evolving risks to protect themselves and their organizations from financial and reputational damage. 

New research from Willis Towers Watson (WTW) shows nearly 80% of North American D&Os consider cyber attacks (including extortion) and data loss to be extremely significant risks to their organization.

Cyber-related events, such as data breaches, ransomware attacks, and regulatory failures, are increasingly leading to D&O lawsuits that can run into millions of dollars in damages. These lawsuits can be filed by shareholders, regulators, customers, or employees, alleging that D&Os failed in their fiduciary duty to protect the company from cyber threats.

“Cyber risk has become a business-critical concern that directly impacts corporate leadership, making it essential for directors and officers to understand how digital threats can affect their organizations and their own personal liability,” says Neal Jardine, BOXX’s Global Director of Cyber Risk Intelligence.

More than 75% of North American D&Os worry about whether their D&O insurance covers cyber security risks.

 “Given the nature of cyber risk today, it’s a legitimate concern,” says Phil Baker, Chief Underwriting Officer. “Directors and officers need to be aware that their D&O Insurance policy won’t be enough to protect the business from all cyber-related claims. It’s critical for leadership teams to understand how their D&O Insurance policy will respond to a cyber attack – and where there may be gaps that leave them vulnerable to financial and reputational damage,” he says.  

Robust cyber risk management should be top of mind for D&Os, adds Erik Tifft, Head of Products at BOXX Insurance USA. “This means complementing D&O coverage with a comprehensive cyber insurance and security solution – something D&Os can’t afford to overlook.” 

Why cyber risks should be on every board’s radar 

1. Cyber crime is at an all-time high  

The global cyber crime economy is now the third-largest economy in the world, with damages projected to reach $10.5 trillion annually in 2025.

Globally, cyber attacks surged by 30% in Q2 2024, with organizations each facing 1,636 attacks per week.

This staggering growth underscores why cyber risk is no longer just a technology concern but a critical governance issue for corporate leadership.

2. Cyber incidents are more expensive, take longer to recover from 

In 2025, the average cost of a data breach is expected to surpass $5 million.  

It takes security teams an average 277 days to identify and contain a data breach – even longer if it involves stolen credentials. 

Sadly, 60% of small companies go out of business within six months of suffering a data breach or cyber attack. 

Despite this, the World Economic Forum’s Global Cyber Security Outlook 2024 reports that only 25% of small-to-medium businesses (SMEs) have cyber insurance, compared with 75% of large organizations.

3. AI and human error make cyber attacks more successful 

Cyber criminals are increasingly leveraging Artificial Intelligence (AI) to launch hyper-realistic, personalised cyber attacks that are more convincing – and successful – than ever, says Jardine. Deepfake technology is also increasingly being leveraged in cyber extortion scams against executives and their employees. 

And, since 90% of all cyber incidents are the result of human error – like using weak passwords or becoming a victim of phishing attacks – D&Os have to think about the threat from within as well, adds Jardine.

The rise of Shadow AI, in which employees use Generative AI tools like ChatGPT without permission, is increasing the risk of data breaches, leaks and compliance violations. Recent research shows over 60% of employees are using GenAI without their security team’s knowledge.

4. Growing shortage of cyber security professionals 

“Prevention is far better than recovery,” says Jardine. “The faster a business can detect, contain and recover from a cyber incident, the lower the damage.” 

But the growing cyber security skills gap is making this harder than ever.

Globally, there’s a shortage of more than 4 million cyber professionals, with 67% of organizations reporting a skills gap in cyber security, according to the World Economic Forum’s Global Cyber Security Outlook 2025.

“The shortage doesn’t just impact recovery – it also makes it harder to implement proactive security measures that could predict, prevent and insure against breaches in the first place,” says Tifft, emphasising the need for businesses to partner with an insurance provider that offers expert pre- and post-breach services and support, such as BOXX’s Hackbusters and vCISO team. 

Rising Claims: How a cyber breach can lead to D&O Liability 

Lawsuits over data breaches are becoming a permanent fixture in the legal landscape. 

Cyber attacks – often enabled by weak cyber security, cover-ups or preventable errors – have cost companies like Uber, Home Depot, Meta, T-Mobile and others a total of $4.4 billion in data breach fines, penalties and settlements so far.

In 2024 alone, some of the largest class action settlements by directors & officers in history were recorded, totalling $560 million across major breach cases. 

It’s no wonder 63% of D&Os surveyed by WTW in 2025 included civil litigation and third-party claims among their top significant concerns.

A cyber attack can have serious legal and financial consequences for a company’s leadership. Baker outlines key scenarios where directors and officers could face lawsuits: 

  • Failure to secure cyber insurance – If a company suffers a major cyber incident and doesn’t have cyber coverage, shareholders may sue the board for failing to take reasonable steps to protect the business. “Directors and officers who ignore cyber risk are putting themselves and their companies in jeopardy,” Baker adds.
  • Share price drops after a breach – Publicly traded companies that experience a breach often see a sharp decline in stock value. Shareholders may file lawsuits alleging that leadership failed to implement adequate cyber security measures. 
  • Regulatory penalties and compliance failures – In Canada, provincial securities regulators, such as the Ontario Securities Commission (OSC), oversee cyber security disclosure requirements for publicly traded companies. While there is no single federal securities regulator, businesses must comply with provincial regulations that increasingly emphasize the need for strong cyber risk management. As cyber security threats escalate, Canadian regulators may further tighten disclosure rules, making it even more critical for organizations to demonstrate proactive cyber risk governance.
  • Lawsuits from customers and employees – If a cyber incident leads to the exposure of sensitive customer or employee data, leadership could face direct legal action. Additionally, failing to secure customer data could lead to regulatory fines that cyber insurance helps cover. Forrester predicts that breach-related class action costs will exceed regulatory fines by 50% in 2025, marking a major shift in how businesses experience the financial fallout of cyber incidents – no longer limited to compliance penalties, but now including potentially massive settlements paid directly to affected individuals.
  • Derivative lawsuits from within the company – In cases of severe negligence, a company itself may sue its own executives in what’s known as a derivative lawsuit, seeking damages for losses caused by a cyber breach. 

The Hidden Cyber Risks in D&O Insurance 

While some D&O policies include limited cyber-related coverages via endorsements or small cyber sublimits, it’s rarely enough to provide comprehensive protection, explains Baker. “A small cyber endorsement is often added just to prevent a larger claim from being argued under the D&O policy – even when the cyber incident leads to a governance-related lawsuit. This is not sufficient for real cyber exposure today.”

In fact, some D&O insurers will exclude cyber-related claims if the company doesn’t also have a separate cyber insurance policy – especially for companies that handle a lot of personal data.  

Unlike a dedicated cyber policy, D&O insurance does not typically cover:

  • The cost of breach response services (including IT forensics, legal counsel, credit monitoring) 
  • Forensic investigations to determine the cause of an attack 
  • Regulatory fines and penalties (particularly those tied to data protection regulations)
  • Ransomware payments or extortion losses 
  • Crisis communications and PR support to protect the company’s reputation 

“Cyber liability insurance plays a crucial role in covering regulatory fines and penalties that may arise from a cyber incident, offering third-party protection that is often excluded or insufficient in a standard D&O policy,” adds Jardine. “Lawsuits stemming from a cyber breach can be incredibly costly and drag on for years, making cyber liability coverage essential for handling legal defense costs. For small businesses, the PR coverage included in cyber insurance can be particularly valuable, helping to mitigate reputational damage and rebuild customer trust after an attack.”

How Directors & Officers can strengthen their cyber defenses 

To mitigate risk, corporate leaders need to take a proactive and comprehensive approach to cyber security.  

  • Ensure the company has a dedicated cyber insurance policy – “A standalone cyber policy is critical,” explains Tifft. “Relying on D&O coverage alone is a mistake, as it won’t fully protect and mitigate against cyber-related lawsuits.” BOXX’s all-in-one cyber security and insurance solution offers not just financial protection but also expert-guided security measures, risk assessments, cyber awareness training, and breach response – giving leadership teams the confidence that their cyber strategy is robust and regulatory-compliant.  
  • Implement robust cyber security controls – Strong multi-factor authentication (MFA), endpoint detection and response (EDR), and continuous monitoring can significantly reduce risk. 
  • Conduct board-level cyber security training – “Cyber awareness shouldn’t just be an employee concern,” says Tifft. “Directors need to understand the latest threats and know what questions to ask their IT and risk teams.” 
  • Tabletop exercises for cyber incident response – Running breach simulation exercises helps boards and executives prepare for real-world cyber crises. 
  • Verify vendor and third-party security – Many breaches occur due to vulnerabilities in third-party systems. Regularly reviewing vendor security policies can prevent supply chain attacks. 
  • Integrate cyber risk into board strategy – Boards should ensure that cyber risk is treated as a financial, operational, and governance priority, not just an IT concern. 

A Comprehensive Cyber Strategy  

As cyber threats continue to escalate, D&Os need to recognize that cyber security is part of their fiduciary duty. With regulatory scrutiny increasing and lawsuits on the rise, now is the time for corporate leadership to take action and protect themselves and their companies from cyber exposures. 

Taking a proactive approach to cyber risk management means securing a standalone cyber insurance policy that complements D&O insurance.  

Beyond providing financial protection, a comprehensive cyber insurance policy with built-in cyber security services and support can help leadership teams not only meet regulatory requirements, but also strengthen their defenses against evolving threats.  

“It’s not just about having coverage – it’s about improving your security posture,” explains Baker. “It’s critical for leadership to prove they are taking the necessary steps to prevent a cyber-related D&O claim.”

By working with a cyber insurance provider that integrates pre-breach risk management services, 24/7 breach response, and expert cyber security support, D&Os can demonstrate due diligence, reduce personal liability, and ensure their company is prepared for cyber threats in 2025 and beyond. 
