The recent $350 million preliminary settlement of two securities class actions resulting from a cyber incident involving the Google+ social media platform raises questions as to which insurance policies might cover such payments, legal experts say.

Companies should review their cyber and directors and officers liability policies as case law builds around cyber breaches and regulators increase scrutiny of companies’ responses to the attacks, they say.

The resolution of In re Alphabet Inc. Securities Litigation earlier this month could trigger coverage provided by D&O and cyber liability policies, experts say, since the underlying securities class actions potentially fall under each type of insuring agreement.

“This matter concerns a product that no longer exists, and we are pleased to have it resolved,” a Google spokesperson said in an email.

The spokesperson said the company regularly identifies and fixes software issues, discloses information about them and takes the issues seriously.

Representatives for the plaintiffs did not respond to requests for comment.

Alphabet, the Mountain View, California-based technology company that owns Google, was named in two securities class actions after a 2018 Wall Street Journal article revealed the company’s knowledge of a software bug that allowed developers unauthorized access to some users’ data. According to the article, the company knew about the bug in its now-defunct Google+ platform as far back as 2015 but did not disclose information about the breach to investors or government regulators. 

Shareholders lodged securities class actions against Alphabet and individual directors and officers in federal courts in New York and California in October 2018. The cases were later consolidated.

A lower-court judge dismissed the case in February 2020, but the 9th U.S. Circuit Court of Appeals in San Francisco partially revived the case in June 2021 after finding that some of the statements in Alphabet’s filings were misleading.

The parties began settlement negotiations after the suits were returned to the trial court. A preliminary settlement agreement was filed Feb. 5.

The proposed settlement raises questions over insurance coverage for such cases, according to several legal experts who were not involved in the dispute.

Peter Halprin, a New York-based insurance recovery partner at Haynes Boone LLP, said a D&O policy should clearly provide coverage for settlement of the securities class actions.

“The underlying securities class actions seem to be the very kind of suits that hit the core of what D&O policies are intended to cover,” he said. “The core of D&O coverage is for securities claims that seek to hold a corporation and its directors and officers responsible for fluctuations in market value due to perceived issues with reporting and disclosures.”

The allegations in the underlying class actions concerning the failure to disclose the software glitch are an important concern for companies that suffer a breach because the U.S. Securities and Exchange Commission has recently increased scrutiny of when and how a company must inform the public and regulators about data breaches, hacks and other cyber events, Mr. Halprin said.

“Any publicly traded company that faces the risk of some kind of securities-related lawsuit needs to pay attention to these developments,” he said. “Insurers are certainly paying attention to these developments, and the government is closely monitoring compliance with the SEC’s guidance and regulations. So, it’s going to be really important for businesses, brokers, insurers and everyone in this space to really stay on top of these changes.”

Ideally, D&O and cyber policies “would be seamless together,” however, insurers have started broadening cyber exclusions in D&O policies, said Meghan C. Moore, a shareholder at Flaster Greenberg P.C. who represents policyholders.

A cyber policy may cover claims arising from the breach but may not provide coverage to the individual directors and officers, she said. 

Cyber policies typically have securities law violation exclusions that would not provide coverage for settlements such as Alphabet’s, said Matthew Bricker, an Austin, Texas-based partner at TittmannWeix LLP, who represents insurers.

In addition, allegations of intentional conduct in the underlying securities class actions could give rise to insurance coverage issues because most policies have intentional acts exclusions, he said.

Section 533 of California’s insurance code provides that an insurer is not liable for loss caused by a willful act of the insured. 

While D&O policies typically cover securities suits, “given the defendants expressly denied any wrongdoing in the settlement agreement, coverage would depend on the policy wording,” Mr. Bricker said. 

The proposed settlement highlights the importance of having sufficient coverage for D&O exposures related to disclosing and reporting data privacy breaches and cyberattacks, said Michael Savett, a Philadelphia-based partner at Butler Weihmuller Katz Craig LLP who represents insurers.

Some D&O policies carve out coverage for cyber events, while some cyber policies do not extend coverage to directors and officers. 

“It's imperative for public companies to make sure that their insurance is going to respond to these types of incidents, whether it’s a D&O policy, a cyber policy, or both,” Mr. Savett said.  

“From an industry standpoint, it’s incumbent upon carriers and underwriters to get as much information on the company’s data privacy practices and cybersecurity practices before issuing policies.”

Mr. Halprin of Haynes Boone said there is a lesson to be learned for both insurers and policyholders from the proposed settlement.

“This is a clear wakeup call that it is really important to analyze D&O exposures, including privacy and cyber-related D&O exposures, and to work with brokers and insurers to ensure robust coverage, because the financial implications of these kinds of suits are very significant,” he said.