What Directors & Officers Need to Know About Cyber Policies & Risks in 2025

Why cyber risks should be on every board’s radar

1. Cybercrime is at an all-time high

The global cybercrime economy is now the third-largest economy in the world, with damages projected to reach $10.5 trillion annually in 2025.

Globally, cyberattacks surged by 30% in Q2 2024, with organizations each facing 1,636 attacks per week.

This staggering growth underscores why cyber risk is no longer just a technology concern but a critical governance issue for corporate leadership.

2. Cyber incidents are more expensive, take longer to recover from

In 2025, the average cost of a data breach is expected to surpass $5 million.

It takes security teams an average 277 days to identify and contain a data breach – even longer if it involves stolen credentials.

Sadly, 60% of small companies go out of business within six months of suffering a data breach or cyberattack.

Despite this, the World Economic Forum’s Global Cyber Security Outlook 2024 reports only 25% of small-to-medium businesses (SMEs) have cyber insurance and 75% of large organizations have a cyber policy.

3. AI and human error make cyberattacks more successful

Cybercriminals are increasingly leveraging Artificial Intelligence (AI) to launch hyper-realistic, personalised cyberattacks that are more convincing – and successful – than ever, says Jardine. Deepfake technology is also increasingly being leveraged in cyber extortion scams against executives and their employees.

And, since 90% of all cyber incidents are the result of human error – like using weak passwords or clicking on bad links – D&Os have to think about the threat from within as well, adds Jardine.

The rise of Shadow AI – in which employees use Generative AI like ChatGPT without permission, is leading to increased data breach, leaks and compliance violations risks. Recent research shows over 60% of employees are using GenAI without their security team’s knowledge.

4. Growing shortage of cybersecurity professionals

“Prevention is far better than recovery,” says Jardine. “The faster a business can detect, contain and recover from a cyber incident, the lower the damage.”

But the growing cybersecurity skills gap is making this harder than ever.

Globally, there’s a shortage of more than 4 million cyber professionals, with 67% of organizations reporting a skills gap in cybersecurity, according to The World Economic Forum’s Global Cybersecurity Outlook 2025.

“The shortage doesn’t just impact recovery – it also makes it harder to implement proactive security measures that could predict, prevent and insure against breaches in the first place,” says Tifft, emphasizing the need for businesses to partner with an insurance provider that offers expert pre- and post-breach services and support, such as BOXX’s Hackbusters and vCISO team.

Rising Claims: How a cyber breach can lead to D&O Liability

Lawsuits over data breaches are becoming a permanent fixture in the legal landscape.

Cyberattacks – often enabled by weak cybersecurity, cover-ups or preventable errors – have cost companies like Uber, Home Depot, Meta, T-Mobile and others a total of $4.4 billion in data breach fines and penalties settlements so far.

In 2024 alone, some of the largest class action settlements by directors & officers in history were recorded, totalling $560 million across major breach cases.

It’s no wonder 63% of D&Os surveyed by WTW in 2025 included civil litigation and third-party claims among their top significant concerns.

A cyberattack can have serious legal and financial consequences for a company’s leadership. Baker outlines key scenarios where directors and officers could face lawsuits:

• Failure to secure cyber insurance – If a company suffers a major cyber incident and doesn’t have cyber coverage, shareholders may sue the board for failing to take reasonable steps to protect the business. “Directors and officers who ignore cyber risk are putting themselves and their companies in jeopardy,” Baker adds.
• Share price drops after a breach – Publicly traded companies that experience a breach often see a sharp decline in stock value. Shareholders may file lawsuits alleging that leadership failed to implement adequate cybersecurity measures.
• Regulatory penalties and compliance failures – In the US, the Securities and Exchange Commission (SEC) requires publicly traded companies to disclose their cybersecurity risk management strategies, governance, and any material cyber incidents. These regulations reflect the growing expectation that corporate leadership actively mitigates cyber threats. As cyber risks escalate, there is speculation that the SEC could introduce stricter cybersecurity compliance mandates, potentially increasing the importance of cyber insurance as a risk management tool for directors and officers.
• Lawsuits from customers and employees – If a cyber incident leads to the exposure of sensitive customer or employee data, leadership could face direct legal action. Additionally, failing to secure customer data could lead to regulatory fines that cyber insurance helps cover. Forrester predicts that breach-related class action costs will exceed regulatory fines by 50% in 2025, marking a major shift in how businesses experience the financial fallout of cyber incidents – no longer limited to compliance penalties, but now including potentially massive settlements paid directly to affected individuals.
• Derivative lawsuits from within the company – In cases of severe negligence, a company itself may sue its own executives in what’s known as a derivative lawsuit, seeking damages for losses caused by a cyber breach.

The Hidden Cyber Risks in D&O Insurance

While some D&O policies include limited cyber-related coverages via endorsements or small cyber sublimits, it’s rarely enough to provide comprehensive protection, explains Baker. “A small cyber endorsement is often added just to prevent a larger claim from being argued under the D&O policy – even when the cyber incident leads to a governance related lawsuit. This is not sufficient for real cyber exposure today.”

In fact, some D&O insurers will exclude cyber-related claims if the company doesn’t also have a separate cyber insurance policy – especially for companies that handle a lot of personal data.

Unlike a dedicated cyber policy, D&O insurance does not typically cover:

• The cost of breach response services (including IT forensics, legal counsel, credit monitoring)
• Forensic investigations to determine the cause of an attack
• Regulatory fines and penalties (particularly those tied to data protection regulations)
• Ransomware payments or extortion losses
• Crisis communications and PR support to protect the company’s reputation

“Cyber liability insurance plays a crucial role in covering regulatory fines and penalties that may arise from a cyber incident, offering third-party protection that is often excluded or insufficient in a standard D&O policy,” adds Jardine. “Lawsuits stemming from a cyber breach can be incredibly costly and drag on for years, making cyber liability coverage essential for handling legal defense costs. For small businesses, the PR coverage included in cyber insurance can be particularly valuable, helping to mitigate reputational damage and rebuild customer trust after an attack.”

How Directors & Officers can strengthen their cyber defenses

To mitigate risk, corporate leaders need to take a proactive and comprehensive approach to cybersecurity.

• Ensure the company has a dedicated cyber insurance policy – “A standalone cyber policy is critical,” explains Tifft. “Relying on D&O coverage alone is a mistake, as it won’t fully protect and mitigate against cyber-related lawsuits.” BOXX’s all-in-one cyber insurance and security solution offers not just financial protection but also expert-guided security measures, risk assessments, cyber awareness training and breach response services – giving leadership teams the confidence that their cyber strategy is robust and regulatory-compliant.
• Implement robust cybersecurity controls – Strong multi-factor authentication (MFA), endpoint detection and response (EDR), and continuous monitoring can significantly reduce risk.
• Conduct board-level cybersecurity training – “Cybersecurity awareness shouldn’t just be an employee concern,” says Tifft. “Directors need to understand the latest threats and know what questions to ask their IT and risk teams.”
• Tabletop exercises for cyber incident response – Running breach simulation exercises helps boards and executives prepare for real-world cyber crises.
• Verify vendor and third-party security – Many breaches occur due to vulnerabilities in third-party systems. Regularly reviewing vendor security policies can prevent supply chain attacks.
• Integrate cyber risk into board strategy – Boards should ensure that cyber risk is treated as a financial, operational and governance priority, not just an IT concern.

Share stories of teen victims: Discuss cases of other youth who’ve been victimized with your kids. It’s an opportunity to model empathy and support while demonstrating to your young person that you know these crimes are happening. Be gentle and look for signs of distress during the conversation. It’s heavy—for everyone—but try not to be over emotional or fearful. If you can play it cool, your teen may open up about their experiences or concerns. This is a good time to encourage them to talk to someone if they witness bullying of any kind.

A Comprehensive D&O Cyber Insurance and Protection Strategy

As cyber threats continue to escalate, D&Os need to recognize that cybersecurity is part of their fiduciary duty. With regulatory scrutiny increasing and lawsuits on the rise, now is the time for corporate leadership to take action and protect themselves and their companies from cyber exposures.

Taking a proactive approach to cyber risk management means securing a standalone cyber insurance policy that complements D&O insurance.

Beyond providing financial protection, a comprehensive cyber insurance policy with built-in cybersecurity services and support can help leadership teams not only meet regulatory requirements, but also strengthen their defenses against evolving threats.

“It’s not just about having coverage – it’s about improving your security posture,” explains Baker. “It’s critical for leadership to prove they are taking the necessary steps to prevent a cyber related D&O claim.”

By working with a cyber insurance provider that integrates pre-breach risk management services, 24/7 breach response, and expert cybersecurity support, D&Os can demonstrate due diligence, reduce personal liability and ensure their company is prepared for cyber threats in 2025 and beyond.