Co-ordinating cyber and D&O covers is critical for the reputation of both markets
The wide-ranging nature of cyber security risks means companies and their brokers must review those exposures in tandem with related risks to ensure there are no gaps in cover.
Directors have responsibility for managing cyber risk, both as a collective group responsible for managing a company and as individuals, particularly in respect of the fiduciary principles of oversight. As a result, directors can be exposed where financial and reputational loss is incurred as a result of cyber security failures and/or failure to minimise that risk and damage.
“Directors” in the context of this article refers to those with decision-making responsibilities relating to cyber risk. In addition to the IT director (often a chief information officer), responsibility for cyber security can involve those from finance, operations and communications and, in the case of larger companies, a data protection officer and risk manager(s) who can often hold positions on boards.
Representations and disclosures made in respect of a company’s ability to respond to cyber security breaches are expected in Fortune 100 companies in particular. If it subsequently transpires that these were inaccurate, this can lead to exposure to litigation, such as securities class actions, shareholder actions and investor claims.
This, of course, has implications for any applicable directors’ and officers’ (D&O) liability cover and whether Side C cover (an important component of D&O liability insurance providing an organisation with protection in the event that it is named in a securities-related claim) is available in the case of securities claims. For reputational harm, appropriate communication is key. The decision on how the message is conveyed to the public and shareholders may prove very important.
The Uber claim demonstrates these issues well. In 2016, Uber suffered a breach, which exposed the personal information of approximately 57 million customers and drivers. In an attempt to “cover up” the severity of the matter, the former Uber chief security officer arranged to pay the hackers $100,000 under Uber’s bug bounty programme (which was not intended to pay ransoms) and asked the threat actors to sign non-disclosure agreements that said they had not stolen data.
Having sufficient insurance in place is also important, and what is “sufficient” is linked to properly understanding a company’s cyber risk profile. Adequate cyber and D&O cover is increasingly important, both to protect the company and its directors in the event of a breach and as a key part of cyber security due diligence and risk analysis. Companies need to consider what a full outage would cost if their systems are hit by a cyber attack, as well as any remediation costs.
For example, retailer Target’s 2013 data breach is said to have cost the company more than $200m (of which a large proportion was not insured). Directors of Target were criticised for not following advice that suggested they purchase a larger limit for their cyber policy.
In the event there is a breach, directors should act in the best interests of those to whom they owe fiduciary duties. In addition to notifying insurers and ensuring that, as far as possible, insurance policy terms and conditions are complied with, directors should be aware of the importance of engaging the right vendors and of ensuring appropriate communications are made to internal and external stakeholders to mitigate potential reputational harm.
The Caremark case remains the guiding principle on the scope of duty where US plaintiffs seek to establish that directors can be held personally liable for failing to monitor and appropriately supervise.
In addition to fiduciary duties, directors also face an environment of enhanced regulatory scrutiny. Failure to comply with the requisite regulations of the jurisdictions in which the company operates is an additional personal exposure for directors, often carrying fines and penalties if they are found to be in breach. The response to a ransom demand, and any payment of a ransom, can have both insurance and regulatory repercussions, which companies and their directors need to be mindful of.
In light of the wide-ranging nature of cyber security risks and the potential overlap with a number of insurance products, some insurers are introducing cyber exclusions to mitigate the risk of inadvertently providing cover for “silent” cyber.
Conversely, there are cyber products that contain D&O exclusions. Companies’ D&O and cyber policies should therefore be reviewed in tandem to ensure there are not any gaps in cover that may become apparent when a claim is notified.
This is best achieved through an up-to-date and realistic risk assessment that is regularly and routinely reviewed in collaboration with the risk manager, data protection officer, chief information officer/IT, finance and operations, so that the board is able to make an informed decision about the type and scope of insurance products that best suit the company’s needs.
Maintaining oversight of cyber risk strategy
It is critical that businesses understand the nature of cyber risk, both to ensure they implement an appropriate cyber risk strategy and to effectively manage a cyber incident. In addition, there should be appropriate governance in place to ensure sufficient oversight of the cyber risk strategy.
Directors should also ensure they understand the risk profile of their company, how the risks could affect their business and what company assets could be of interest to different threat actors. For example, companies that hold a high amount of personal or sensitive information face a higher risk from a regulatory and PR perspective if that data is accessed and/or exfiltrated, and regulatory obligations in respect of such information will vary across jurisdictions.
Key responsibilities will revolve around establishing and overseeing a risk plan that encompasses: identify, protect, detect, respond and recover. In recent years, failure to report a breach has come to be considered a crime in some jurisdictions.
Effective cyber security training for employees should be part of any effective cyber risk strategy and be undertaken on a regular basis, tested and amended in line with changing risks. It should be integral to company culture.
There should also be a proper business continuity plan and breach response plan, in case they are needed. These should consider a range of scenarios, covering, for instance, what will happen following an incident and the resources that will manage it, and should be documented and communicated so that a response can be quickly rolled out. Business continuity plans should also be regularly tested.
Unfortunately, the existence of a business continuity plan does not necessarily mean it is followed and implemented. Failure to implement one can, potentially, have policy cover implications.