The consistent evolution in the risk, breadth, and nature of cyber-attacks has solidified cyber risks as a key topic in many boardrooms. Beyond businesses suffering immediate financial losses and operational disruption, directors and officers may face shareholder litigation alleging negligence — potentially exposing them to personal liability.
Cyber security responsibilities of a board
The line between the company’s liabilities and duties for its cyber-related protocols and those of the board of directors is increasingly blurred. Regulators are seeking to hold the board accountable for failures in data, privacy, or network security governance, and, consequently, cyber events regularly rank highly in board surveys of directors’ risk.
Typically, the board of directors is responsible for overseeing accurate and timely reporting of cyber risks, appropriate cyber security policies, and data protection controls. Furthermore, in the event of a cyber-attack, senior management must notify the relevant authorities and persons/businesses who may be affected. Under GDPR, for example, organisations must notify a relevant supervisory authority of certain personal data breaches within 72 hours of becoming aware of them. If the breach poses a high risk to individuals, they must also notify those individuals without undue delay.
Potential D&O fallout from a cyber-attack
The consequences of a cyber event could be exacerbated by the following failings on the part of the board of directors:
Poor preparation and risk management
Slow or ineffective response
Legal and regulatory non-compliance
Poor stakeholder communication
Inadequate recovery planning
Cultural and leadership failures
If a cyber security event occurs, the board may be scrutinised for failures, errors, or weaknesses in its business’ response to the event, or in its assessment of cyber-related risk and its insurance purchasing decisions beforehand. Claims may be brought on grounds, or triggered by events, including:
Breach of duty
Negligence/mismanagement
Failure to comply with regulatory requirements
Drop in share price/revenues
Insolvency/financial losses
Securing inappropriate cyber insurance or insufficient periodic review
Insurance considerations
A comprehensive insurance programme, addressing both D&O and cyber risks, is crucial for optimal risk mitigation.
Transferring risk via cyber insurance is an effective risk management tool for safeguarding against catastrophic losses and the costs associated with a cyber event. However, policies must be reviewed regularly to ensure coverage keeps pace with evolving threats and the organisation’s risk exposure.
Event-driven D&O claims are not a new phenomenon. However, recent high-profile breaches in the UK have highlighted the potential for cyber events to result in regulatory actions, civil lawsuits, and criminal proceedings — arguably transforming the breadth and scope of D&O-related responsibilities and liabilities.
For mismanagement claims arising out of a cyber incident specifically, D&O insurance may provide coverage for:
Costs associated with regulatory investigations
Potential civil fines from regulators, where these are insurable under the applicable law
Defence costs associated with shareholder litigation
Costs related to third-party liability
Insurance recommendations
It is critical that organisations pay close attention to how their D&O and cyber policies are structured and how they interact. The two forms of coverage differ substantially, and terms and wordings need to be carefully reviewed to avoid potential gaps and needless overlaps.
In particular, industries with heightened exposure to cyber-attacks should seek alignment between their D&O and cyber insurance. While cyber risks involve technical complexities that require specialised knowledge and robust controls, D&O insurance is primarily used for protecting board members from liability related to managerial decisions and should be reflective of the current legal environment. Board members may also face legal challenges alleging their cyber insurance programme is not fit for purpose.
D&O policyholders must gain a clear understanding of how their policy will respond in the event of a cyber incident, as D&O policies can contain cyber exclusions. Furthermore, as cyber-attacks become more sophisticated, it is crucial that both policies have clear wordings and that their response is stress-tested before an incident occurs, rather than discovered during one.
Taking the following steps can help boards strengthen resilience and turn cybersecurity into a competitive advantage:
Make cybersecurity a strategic priority, through embedding it within governance structures and routinely assessing security policies and compliance frameworks.
Particularly for sensitive data, robust data loss prevention (DLP) and data classification are key to demonstrating responsible data protection management.
Ensure employee training and awareness of cyber threats is comprehensive and periodically refreshed.
Allocate sufficient financial and technological resources to cybersecurity initiatives.
Document the steps taken, so the organisation can demonstrate that senior management took appropriate measures and made every effort to prevent an attack or data breach; this is likely to be viewed favourably in investigations and may reduce fines and penalty amounts following an event.
Maintain a centralised register of third parties in the supply chain and partners — ensuring their cyber security protocols are continuously vetted and monitored.
Establish and rehearse thorough contingency, crisis, and business interruption plans in case of a cyber event.
Consider appointing a director with a cyber background or forming a separate committee dedicated to cyber risk management.
Liaise with brokers and other insurance professionals regarding cyber and D&O coverage, and how they interact with each other for optimised coverage.
For further advice on how Lockton can help your business secure appropriate D&O insurance, visit our Management Liability page.