A data breach at a community bank exposes the personal financial information of more than 50,000 customers. Within 60 days, three things happen at once.
- A group of shareholders files a derivative action in state court. The allegation: the board of directors failed to maintain adequate cybersecurity oversight. This is what courts call a Caremark claim, the legal theory that directors can be held personally liable for failing to monitor known compliance risks.
- The OCC opens a formal examination of the bank’s cybersecurity program. The 36-hour notification went out on time, but the examination will dig into whether the board approved the information security program, whether it reviewed management reports, and whether it provided what the FFIEC calls “credible challenge to management.” Legal fees will run six figures at minimum.
- A class action is filed on behalf of affected customers, alleging the bank failed to protect their personal information.
The bank’s directors turn to their directors and officers (D&O) policy. They have had D&O coverage for years. It is supposed to protect them from exactly this kind of claim.
Three Policies, Zero Coverage
The D&O carrier reviews the claims and points to the policy’s cyber exclusion: “arising out of any cyber event.” The derivative action, the regulatory defense costs, the shareholder claims. All of them arise from the data breach. All of them are excluded.
The directors ask: will the cyber policy cover us? The answer is no. The cyber policy contains a securities exclusion. It does not cover shareholder derivative actions, securities class actions, or claims against individual directors and officers.
The fidelity bond is not applicable. This is not fraud, theft, or employee dishonesty.
The directors are in the seam. The D&O policy excludes claims that arise from cyber events. The cyber policy excludes claims that look like D&O claims. Neither policy covers the loss. The directors face personal liability with no insurance response.
Three-Policy Breakdown
Recovery: $0. Directors face personal liability.
For credit unions, the pathway is different but the gap is the same. A credit union board is less likely to face a shareholder derivative suit and more likely to face NCUA supervision, member harm claims, and privacy complaints. The D&O cyber exclusion blocks all of them the same way.
This Is Not Just an Insurance Problem
The breach is the first-order event. The board getting sued is the second-order event. The D&O gap means the second-order event is uninsured.
But the deeper problem is governance. After a breach, regulators and shareholders do not just ask what happened. They ask who was responsible for preventing it. They ask whether the board received cybersecurity briefings, whether it assigned committee ownership, whether it tracked remediation, and whether management escalated known risks. If the board cannot show documented oversight, the breach becomes a governance failure.
About 45 percent of companies that experience a significant cyber event also face a D&O event: securities suits, regulatory actions, or derivative claims (WTW, 2024 FINEX Observer). Cyber has ranked among the top three concerns for directors and officers in WTW’s global D&O survey every year since 2020.
I review community bank insurance programs. This gap appears in nearly every one.
For community bank board members, many of whom serve as a civic duty rather than as professional directors, the idea that their personal assets are at risk because of a policy exclusion they have never read is sobering.
The Courts Are Watching
After a data breach exposed 339 million guest records, shareholders sued Marriott's board under the Caremark theory, alleging the directors failed to oversee cybersecurity. The Delaware Court of Chancery recognized cybersecurity as a serious board oversight concern, but dismissed the claim. Why? Because Marriott's board could show regular cybersecurity briefings, committee ownership, outside expert assessments, remediation tracking, and incident escalation to the board during the investigation. The court found the board had a functioning oversight structure. Most community bank boards cannot show any of these.
The FTC held Drizly's CEO, Rellas, personally responsible for cybersecurity failures after a breach exposed data on 2.5 million consumers. The order follows Rellas to any future company for 10 years: if he serves in a leadership role at a firm handling substantial consumer data, he must implement an information security program. This was the first time the FTC held a CEO personally accountable in a privacy and security enforcement action. It is an administrative order, not a court judgment, but the direction is clear. Cybersecurity accountability is personal, not just institutional.
The scale of exposure at larger institutions illustrates what is at stake. The Equifax breach produced more than $880 million in total settlements and penalties. Capital One faced an $80 million OCC penalty and a $190 million consumer class action from a single breach. The FDIC prohibits banks from insuring civil money penalties with D&O insurance. Defense costs may be coverable, but the penalties themselves are personal exposure.
No published court case exists where a community bank board was the defendant in a cybersecurity oversight claim. That does not mean the gap is not there. It means banks settle these quietly, or the claims have not arrived yet. The legal framework is set. The question is when, not if.
The Fix
The community bank in this scenario made two changes at its next renewal. It replaced its D&O policy with one that does not contain a blanket cyber exclusion, and it added management liability coverage to its cyber policy. It also established a documented cybersecurity oversight process at the board level.
Four things to check now:
You cannot close a gap you have not checked.
If your board has not reviewed how your D&O and cyber policies interact after a breach, get in touch.