At a glance
- With data breaches becoming more common and high profile, there is a need for increased diligence from directors concerning cyber security, to prevent claims arising
- Directors in the US are potentially vulnerable to cyber-related D&O claims, and the trend is almost certain to cross the Atlantic
- To prevent exposures, cyber risk management must become the responsibility of directors
UK companies need to recognise the risk of cyber-related directors’ and officers’ (D&O) liability claims, a leading British lawyer has warned.
Although such claims have yet to materialise in the UK, directors across the Atlantic are already facing legal action stemming from oversights in their company’s cyber security.
A series of large-scale data breaches, involving corporate heavyweights such as Sony, Target and Adobe, along with concerns over increasingly sophisticated malware attacks such as the Heartbleed bug and Regin spyware, has brought this growing problem into sharp focus.
No company is too small to face a cyber attack, and as such incidents become more common, claims against directors following losses suffered by the company will no doubt increase.
“The risks around the cyber threat and potential D&O claims in the UK are growing,” says Alex Hamer, a London-based partner at law firm RPC.
“Claims may arise if a company is taken to insolvency as a consequence of a serious data breach, or where the circumstances giving rise to the data breach affect a company after a takeover – where you have new management suing old management for problems within a company.”
In the US, which is generally seen as a more litigious society, directors are already facing cyber-related D&O lawsuits. Following the Target security breach, when the details of up to 70 million credit and debit cards belonging to customers of the US retail giant were stolen in November 2013, at least two shareholder class action lawsuits, out of almost 70 filed, are thought to have been brought against directors and officers.
Meanwhile, in October 2013, computer software company Adobe announced that a hack had potentially compromised the data of nearly 40 million customers. It is now braced for multiple lawsuits against not only the company, but also its directors.
Technology giant Sony, which saw hackers access the data of 77 million PlayStation Network users in 2011, faced lawsuits in the US stemming from the breach, as well as a £250,000 fine by UK authorities for its ‘preventable’ hack. Sony has also been the victim of another recent high-profile cyber-attack, which has seen Sony Pictures suspend the release of its new film, The Interview.
In the US, there are already mandatory data breach notification and disclosure requirements in place for cyber incidents, however large or small. Europe is about to follow suit with a major overhaul of its data protection laws. Currently, companies here only have to divulge anything if there is a ‘serious’ breach.
It means that directors in the UK will increasingly be held to account over any failures of a company’s privacy and data protection policies.
Need for better cyber oversight
Directors should adapt their protocols to provide more complete oversight of cyber security. Otherwise, they could be exposed to breaches of duty, privacy charges, failure to adhere to corporate legislation, claims of misleading conduct and the prospect of criminal proceedings.
Directors, by law, must also exercise reasonable skill and care in performing their duties, which in cyber terms means assessing data risk, ensuring IT security is adequate, training staff in their duties and having plans in place to deal with a data breach.
For listed companies too, there are obligations to notify the stock exchange of any information, such as a cyber breach, that could have a material impact on its price or value.
In October 2014, a study by EY, a professional services firm, called the Global Information Security Survey, found that 37% of the global companies surveyed were unprepared for a cyber attack. This means that potentially more than a third of firms out there are in breach of their duties.
Not only that, but a cyber event can bring with it system downtime and business interruption, as well as loss of data and charges relating to subsequent regulatory investigations, all of which can be costly. The Ponemon Institute calculated that the average cost to a company of a data breach in 2014 was $3.5 million, up 15% from 2013.
Cyber risk management is an issue that should be at the heart of boardroom discussions, and not one that is solely an IT department problem.
“For brokers, this is not really a D&O sell – cyber risk is not generally a driver for purchasing D&O insurance,” says Alex Hamer. “It is more about how cyber risks can impact on D&O cover. If they are talking to directors, they should already have D&O cover in place but they should also be looking at purchasing cyber risk cover for the company, if they do not already have it.”