Cyber defences not up to scratch? Maybe we’ll see you in court

Earlier this year, a listed Australian company took out a cyber insurance policy.

No big deal, you might think: corporates are increasingly looking to insurers to transfer their cyber risk. What makes this purchase interesting is that previously, the business spurned such standalone cyber products. So, why the change of heart? A key reason was to cover individual directors’ accountabilities and responsibilities, the company’s risk manager told StrategicRISK.

It’s a clear sign that boards are wising up to the possibility that they could be held personally liable for a cyber breach.

“The more that the public becomes aware of the dangers of how vulnerable data is and how sensitive data can be protected, companies will be running out of excuses for failing to protect that data, and eventually that liability will fall with the directors personally,” says Aon Risk Solutions’ financial services and professions group Asia director, Andrew Mahony.

Consider the US.

To date, four cases have been brought against directors in relation to cyber hacks, with Target and Home Depot executives involved in recent cases. These were dismissed and settled out of court, but many think it is only a matter of time before a precedent is set, with the advent of regional legislation that requires companies to report data breaches.

“We’re keeping an eye on [the US] to see how cyber risk will materialise and change and how insurance policies will respond,” Mahony says.

Alex Morgan, Zurich commercial insurance chief underwriting officer, says: “The minute that we have a nding which really articulates the plaintiff’s complaint and how the plaintiff draws the connection between the breach and the directors’ actions, I think that will be something of a watershed moment.”

Client queries about how its directors’ and officers’ (D&O) insurance policy would respond to such an incident are rising, he adds.

“Board members are realising that the financial impacts [of a cyber breach] are huge, and therefore they’re worried they’ll be potentially in trouble as part of their fiduciary obligations. The extension of that is, they know they’ve got to buy D&O – and if a cyber event does happen, they want to know if their D&O will cover it.

“Good policies won’t have any specific exclusions. To the extent that an individual director is held personally liable for a loss [where the] underlying cause is a cyber breach, then it should be covered.”

Rewriting the rules

In lines such as property and energy, many insurers have redrafted policies to exclude cyber events and thereby silo off the risk.

Both Mahony and Morgan told StrategicRISK they did not expect a similar move in the D&O market.

As Mahony says: “D&O policies are really quite unique in terms of the personal cover they give and provide. There’s no clear merit in trying to distil out cyber risk or related claims.”

Take, for example, the Australian company that purchased standalone cyber insurance recently. The concern was not that its D&O policy would not respond to a cyber-related claim. In part, the directors wanted to limit their personal liability by showing that they took the risk seriously.

Pierre Noel, chief security and privacy officer for Huawei and treasurer for the Pan-Asia Risk and Insurance Management Association, agrees that insurance plays a critical role in mitigating cyber risk as it relates to personal liability.

He recommends a three-pronged approach: “One, educate the board so that they have a thorough understanding on the liabilities and implications. The ‘I did not know’ is not applicable any more (at least in most countries).

”Two, board directors have to ensure the organisation is deploying a proper cyber-security programme, with mechanisms commensurate to their assessment of the risks.

”Three, [an insurance] policy to cover board directors and a policy to cover cyber risks within the organisation, reflecting the effciency of the cyber risk management.”

Noel stresses that no organisation is immune to a cyber security incident.

He adds: “As long as we can demonstrate that the board was concerned about cyber risks [and] paid real attention to the problem and its resolution, board members are, by and large, immune to personal liability issues.”

David Ralph, PCCW head of risk management and compliance, concurs.

He says: “Provided that we are putting in place adequate measures to identify such risks and taking reasonable and appropriate measures to mitigate them, then there’s a reasonable argument that the directors and o cers are going to be reasonably well protected against any personal liability.”

But while directors recognise liability for a cyber breach as a corporate responsibility, he says many have not linked that back to their obligations as a board.

“Over time, we’ll see it developing out that way, especially if we do see start to see cases of it being brought specifically against directors in their failure to ensure that controls are in place to protect data.”

For the moment, we’re seeing “executive officers falling on their swords, rather than directors being held accountable”.

Many believe that this is bound to change. Indeed, regulators in Asia-Pacific are taking a tougher stance on data protection, says Zurich’s Morgan.

“They’re following the lead of their US and European counterparts and bringing in data protection regimes. People realise that this is an urgent threat and now you’ve got politicians responding,” he says.

Australia’s Senate recently introduced legislation that compels certain companies to notify customers and authorities of any data breach.

And a firm could, in theory, be subject to a civil penalty for a breach of the country’s Privacy Act, says Allens managing associate Valeska Bloch – if, for example, a board knew that there was a significant risk but failed to act in advance.

The Act states that directors must have “appropriate” oversight of cyber risks. But how do you define “appropriate”?

“The first thing is making sure that you are aware of what the risks actually are,” says Bloch.

“A central part of that is being aware of the systems that the business is reliant on, the data that they possess or control or have access to, and then understanding the different potential points of vulnerability.”

She says boards must ensure the company has a range of systems, processes and procedures in place to deal with those risks, and keep them updated.

It seems clear that directors will be held increasingly liable for a range of emerging risks, including cyber. It’s only matter of time before one of them’s on the hook.