The top brass at companies are increasingly being held accountable by partners and shareholders for cyber attacks that occur under their watch, putting their directors’ and officers’ personal assets at risk when lawsuits ensue.
While actions by officers and directors have always been held under scrutiny, the cyber threat expands their potential liability significantly, according to a new report by Fitch Ratings.
And with new regulations that hold organizations accountable for cyber breaches and responsible for remediation, mitigation and recovery from cyber attacks, the onus is even greater now on your directors and officers if they are deemed negligent for failing to protect the company’s data.
Companies and corporate boards have generally not paid as much attention to cyber security as to other corporate risks. However, the 2014 shareholder derivative suits faced by Target Corp. and Wyndham Worldwide Corp. have changed the litigation landscape.
Fitch Ratings probably summed up the risk to directors and officers best in its report:
“D&O-related exposures from cyber events arise through allegations that ineffective or negligent corporate governance and board oversight were contributing factors behind inadequate systems defenses and a breach that led to losses and/or a sharp decline in share value.”
That warning means that board members can’t afford to neglect oversight of their company’s cyber security efforts.
Fitch noted that to date there had been no events that led to significant directors’ and officers’ liability settlements, but the growing threat of cyber attacks “will create more potential for cyber-related D&O actions going forward.”
If you have a board, you should already have directors’ and officers’ liability insurance. Policies indemnify a firm’s directors and officers and/or the company itself for expenses and losses suffered in connection with lawsuits that accuse them of wrongful or negligent acts.
For publicly traded companies, D&O policies mainly indemnify for securities claims, but for private companies, such policies generally contain no such limitation and may provide coverage when claims are brought by plaintiffs who are not shareholders – like customers, creditors and suppliers.
The big question going forward is whether the typical D&O policy will continue indemnifying for lawsuits alleging personal negligence on the part of directors and officers. Already, some insurers include clauses in their policies excluding coverage for claims alleging negligence over cyber security.
Now various insurers are developing new policies that are designed specifically to cover directors and officers for claims related to cyber breaches.
D&O coverage will vary depending on the specific language of each policy.
Cyber security and insurance advice
There are a number of steps organizations can take to ensure that their data is secured and to reduce the risk of it being compromised.
The board and management should work with competent outside vendors to handle their data and protect their systems, test their cyber security measures and ensure that the company has appropriate insurance in place, including cyber insurance and D&O liability insurance.
To prepare for the aftermath of a breach, your board and management should be prepared to answer difficult questions about the actions they took to protect their company’s data.
You should have the right insurance coverage that is specific to the risks in your industry and company.
Without D&O coverage, directors and officers could be left on their own to defend against lawsuits and pay any potential liability.
That risk is even greater for smaller companies that may not have the same resources to voluntarily indemnify directors and officers.