D&O vs E&O vs Cyber (Canada) — What Boards Need

What Canadian boards need to know right now

Updated: November 2025

Board oversight spans three adjacent, frequently confused coverages: Directors & Officers (D&O), Professional Liability/Errors & Omissions (E&O), and Cyber. The right structure protects individuals, the corporate entity, and stakeholders when decisions, services, or data events trigger claims. The sections below explain how they fit together and where Summit helps Canadian organizations make confident, transparent choices.

D&O, E&O, and Cyber at a glance

Use this one-table view to align board responsibilities with policy intent. For deeper detail, see Summit’s pages on Directors & Officers (D&O), Professional Liability (E&O), and Cyber Insurance.

| Coverage | Primary intent | Who is insured | Typical trigger | Common claim themes | Not designed to cover |
| --- | --- | --- | --- | --- | --- |
| D&O | Protect directors and officers from personal liability for alleged wrongful acts in managing the company; may also protect the entity for certain securities claims | Individual directors and officers; sometimes the entity (policy-dependent) | Alleged breach of fiduciary duty, negligence in governance, misrepresentation | Shareholder actions, creditor claims, regulatory investigations tied to management decisions | Professional services errors to clients, bodily injury/property damage losses, pure cyber incident costs |
| E&O (Professional Liability) | Protect the organization (and covered professionals) for financial loss arising from alleged errors, omissions, or negligence in delivering professional services | The entity providing services and its covered professionals | Client alleges a service failure causing economic loss | Misstatement in a report, design error, incorrect advice, missed deadline | Management/board governance claims, bodily injury/property damage (unless explicitly endorsed), most cyber incident response costs |
| Cyber | Cover first‑party costs and third‑party liabilities following cyber events | The entity; certain policies extend to executives for privacy/PCI allegations | Breach, ransomware, business email compromise, data loss | Incident response, forensics, restoration, notification/credit monitoring, privacy liability | Classic governance disputes (D&O), non‑tech professional advice errors (E&O), physical damage and injury |

Sources: Summit coverage hubs for D&O, E&O, and Cyber.

Three quick scenarios boards can test

  • Securities disclosure challenge (board action): A stakeholder alleges misleading forward‑looking statements tied to a financing round. Primary response: D&O (individual defense/indemnification per Sides A/B; entity coverage subject to policy). Cross‑over: Cyber/E&O typically not responsive. See D&O.

  • Client alleges negligent services (operations): A SaaS firm’s implementation guidance causes a customer revenue shortfall. Primary response: E&O, addressing alleged professional negligence and resulting financial loss. Cross‑over: D&O only if a governance claim is also alleged; Cyber only if a security/privacy event contributed. See Professional Liability.

  • Ransomware with data exfiltration (security event): Systems are encrypted; data is stolen; regulators require notification. Primary response: Cyber for incident response, legal counsel, forensics, data restoration, notification, and third‑party privacy claims. Cross‑over: D&O may respond if shareholders subsequently allege board oversight failure. See Cyber Insurance.

Board checklist: aligning coverage with governance

  • Clarify indemnification: Confirm corporate indemnification bylaws and ensure D&O includes robust Side A (non‑indemnifiable loss), Side B (company reimbursement), and, where needed, Side C (entity coverage for defined claims). Reference: D&O.

  • Separate governance from services risk: If your organization provides advice, design, or other billable services, maintain distinct E&O with scope precisely matching your service definitions and contractual obligations. Reference: Professional Liability.

  • Cyber incident readiness: Ensure cyber includes first‑party (incident response, business interruption, data restoration) and third‑party (privacy liability, media liability) components, with access to breach coaches, forensics, and vendors. Reference: Cyber Insurance.

  • Understand exclusions and dependencies: Typical gaps arise around contractual liability, prior-known circumstances, and uninsured vendors. Require counterparties (e.g., MSPs, processors) to carry E&O and cyber, and align indemnities with insurance.

  • Claims‑made awareness: D&O and E&O are commonly written on a claims‑made basis; continuity, retroactive dates, and timely reporting materially affect recovery. Ask for clear reporting instructions and diaries.

  • Benchmark limits transparently: Use peer benchmarking, risk tolerance, and balance‑sheet tests to size limits rather than rule‑of‑thumb numbers. Consider layered towers and Side‑A‑only excess for director protection.

  • Demand transparency from your broker: Confirm how your broker is compensated and how markets are selected. Summit publishes how we work and earn compensation: How We Get Paid.

How Summit supports boards and executives

Summit is an independent Canadian brokerage. We curate D&O, E&O, and Cyber programs across multiple carriers, manage claims hand‑in‑hand with you, and disclose our compensation to keep incentives aligned. Explore coverage specifics and request tailored proposals via:

Frequently asked questions (board‑focused)

  • What’s the simplest difference between D&O and E&O?
    D&O addresses alleged wrongful acts in directing and overseeing the company; E&O addresses alleged errors or negligence in delivering professional services to clients. See D&O and E&O.

  • Does cyber insurance cover regulatory investigations and fines in Canada?
    Many cyber policies include coverage for privacy regulatory inquiries and certain insurable penalties, subject to policy wording and applicable law. Coverage and insurability are fact‑specific; review with counsel and your broker. See Cyber.

  • Can one claim hit more than one policy?
    Yes. A cyber event can lead to a follow‑on D&O claim alleging oversight failure; a service error can be entangled with a security lapse. Clear notice to all potentially responsive insurers is critical; coordination prevents coverage conflicts.

  • Are bodily injury or property damage claims covered here?
    Generally no. Those exposures are typically addressed by Commercial General Liability or specialty lines, unless a specific endorsement modifies D&O/E&O/Cyber. Ask your broker to map policies and exclusions.

Last reviewed: November 2025