Category: Governance risk · Reviewed by Chrissie Anderson, Client Executive · Last reviewed 2026-06-10
Cyber governance insurance is the convergence point between directors’ and officers’ liability cover and standalone cyber insurance, addressing claims and regulatory action alleging that UK board members failed to oversee the organisation’s cybersecurity, data protection and operational resilience obligations.
Also known as: board cyber liability, cyber D&O, directors’ cyber oversight cover
Typical UK market form: D&O wording with affirmative cyber oversight cover plus standalone cyber policy; Side A drop-down where entity cover is impaired
Related concepts: Directors and officers insurance, Cyber insurance, Information governance insurance
Cyber governance insurance covers the financial consequences of allegations that individual directors or officers failed to discharge their oversight duties in relation to cyber risk. It is not a single product but the meeting point of two adjacent placements: a D&O policy that responds to personal liability of directors, and a cyber policy that responds to first-party (business interruption, breach response) and third-party (data subject) cyber loss at the entity level.
In a serious incident, both policies engage in parallel: the cyber policy funds technical response, regulatory notification and customer notification, while the D&O policy funds defence of any subsequent regulatory investigation, shareholder action or derivative claim alleging inadequate board-level oversight.
Directors’ personal accountability for cyber oversight arises through several routes. UK GDPR Articles 5(1)(f) and 32 require appropriate technical and organisational measures, with the Data Protection Act 2018 implementing the statutory framework and the Information Commissioner empowered to issue penalties of up to £17.5 million or 4 per cent of global turnover. The Network and Information Systems Regulations 2018 (NIS Regulations) impose security and incident-reporting duties on operators of essential services and relevant digital service providers, with the Cyber Security and Resilience Bill (in the UK Parliament during 2025/26) expanding scope to managed service providers.
For regulated financial firms, the FCA and PRA expect operational resilience under the joint policy statement of March 2021 (in force from 31 March 2022, with full implementation by 31 March 2025), and SMCR senior managers are personally accountable. For listed companies, material cyber incidents may require disclosure under Market Abuse Regulation (UK MAR) Article 17 and DTR 2 (inside information). Directors owe Companies Act 2006 section 174 duties of reasonable care, skill and diligence in respect of cyber risk oversight.
Derivative actions citing inadequate board cyber oversight remain less developed in the UK than in the United States but are increasingly intimated following high-profile breaches.
D&O wordings have evolved to address cyber oversight claims explicitly. Affirmative coverage clauses confirm that claims arising from alleged cybersecurity oversight failures are not excluded by the policy’s general data breach exclusion (where one exists). Pre-claim inquiry cost extensions respond to ICO investigations under UK GDPR Article 58 and FCA reviews under FSMA 2000 sections 165 and 166.
Standalone cyber policies cover incident response (forensics, legal advice, notification), business interruption (lost profit and extra expense following a security incident), cyber extortion (subject to UK sanctions compliance), regulatory defence and fines where insurable, and third-party liability to data subjects. The cyber policy typically does not cover individual directors’ personal liability; that exposure sits on the D&O programme.
Information governance and management endorsements increasingly bridge the two. Some markets offer integrated “GRC liability” products that aggregate D&O, cyber and crime, but most UK placements remain structured as separate towers with co-ordinated wordings.
The UK cyber market is concentrated in Lloyd’s and the London company market, with Beazley, CFC, Chubb, AIG, Travelers, Tokio Marine HCC, QBE and Hiscox among the largest writers. Capacity expanded materially through 2023 to 2025 after the 2021 to 2022 hard market driven by ransomware. The Lloyd’s Market Bulletin Y5381 (16 August 2022) required cyber policies incepting from 31 March 2023 to exclude state-backed cyber attacks at a defined level. D&O writers serving cyber-exposed sectors typically request evidence of board-level cyber oversight, including a cyber-skilled NED, regular tabletop exercises and ISO/IEC 27001 or Cyber Essentials Plus certification.
Boards should treat cyber as a governance issue, not a technology one. The strongest signal to underwriters is documented board-level engagement: a named NED with cyber expertise, regular CISO reports to the board, evidence of crisis simulation, and a written incident-response plan. Where there is an overlap or a gap between the D&O and cyber towers, the broker should obtain a co-ordinated wording analysis to ensure that directors are not left exposed by a “data breach exclusion” in D&O or a “management liability exclusion” in cyber.
A UK private-equity backed software-as-a-service business suffered a ransomware attack that exposed customer data. The cyber policy funded incident response, ICO notification and customer notification, and indemnified ten weeks of business interruption. Six months later, a shareholder of the parent intimated a derivative claim alleging the board had failed to act on internal CISO warnings. The D&O Side A and Side B layers funded defence costs, and the pre-claim inquiry cost extension responded to the ICO investigation. A coverage review confirmed that the D&O policy contained no data breach exclusion, having been negotiated with affirmative cyber oversight wording at the prior renewal.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.