Cyber risk has become a growing threat for directors and officers in recent years. It’s no longer simply an IT issue but a concern for the highest levels of management. Directors and officers can be held personally liable for cybersecurity breaches so putting in place a strong cybersecurity infrastructure that meets the requirements of regulatory agencies is critical to protecting your company and its executives in the case of a cyberattack.

Why should directors and officers care about cyber risk?

Directors and officers can breach their fiduciary duty to the company and shareholders—and even be held personally liable—for cybersecurity breaches. From setting up the appropriate cybersecurity infrastructure to notifying authorities of an incident, the actions of directors and officers will be under scrutiny after a cyberattack.

More than a half dozen securities and shareholder derivative lawsuits have been filed over cyber incidents in recent years. In a prominent legal case in 2016, Yahoo’s directors and officers faced a shareholder derivative lawsuit following two data breaches, alleging the executives made misleading statements and failed to disclose facts in public filings. The plaintiffs won a settlement of $29 million in the lawsuit. Following recent cyber breaches, shareholders of LabCorp and Target have also sued directors and officers of the company for mismanagement of the incidents.

The increase in cyberattacks, the challenges of cybersecurity in the COVID era, and the introduction of more regulations and laws have intensified the pressure on boardrooms to protect against cyber risk.

Increased Cyber Risk

The frequency of significant cyberattacks has increased eight-fold since 2012. Ransomware attacks, an increasingly prominent cyber risk, have become more frequent and severe in recent years. 

A few years ago, typical ransom demands were in the tens of thousands, while today, they often reach into the millions. Most ransoms are now requested in the form of hard-to-trace digital currencies like bitcoin, making payments faster and prosecution from authorities more difficult. 

Shift to Remote Work

During the COVID-19 pandemic, organizations needed to expedite the process of giving their remote workforce easy access to software and systems. They lowered many IT security standards, which resulted in more exposure to the cybercriminals ready to exploit these known vulnerabilities. In fact, nearly two-thirds (61%) of companies struggled to create adequate security standards for their remote workers during the pandemic.

Tougher Regulations

The evolution of regulations and laws regarding cybersecurity also creates more obligations and consequences for companies and their directors and officers. In recent years, corporations in the U.S. and Europe have been subject to more requirements by regulatory agencies. For example:

• The European Union’s General Data Protection Regulation (GDPR) requires the appointment of a data protection officer, the embedding of privacy controls, and 72-hour notification for personal data breaches.
• The Securities and Exchange Commission in the U.S. requires timely disclosure of cybersecurity breaches prior to the sale of security and disclosure of the nature of the board’s involvement in cybersecurity measures.
• The California Consumer Privacy Act (CCPA) gives consumers privacy rights by requiring businesses to disclose how they are using private information, the right to opt out of the sale of their data, and the private right to action after data breaches.

In addition to introducing new requirements for cyber risk, regulatory agencies have also initiated more investigations and significant fines for companies that don’t comply and face a cyber breach.

What financial risks do directors and officers face?

The average total cost of a cyber breach is $4.24 million, according to a recent Ponemon Institute report. From the immediate costs of restoring IT systems to the lost business, regulatory fines, and litigation a company could face, there are many factors that contribute to this cost:

Direct Response: There are a number of actions that a business must take in order to recover from a cybersecurity breach, which all have an associated cost. These may include:

• Repairing IT systems and restoring data
• Patching security vulnerabilities
• Hiring cybersecurity consultants or lawyers
• Notifying affected customers
• Providing credit monitoring or identity protection services to affected customers

Lost Business: Companies often face operational downtime during a cyber event, which can result in immediate lost revenue and loss of business. Cybersecurity breaches can also result in long-term reputational damage, which may involve a loss of customer trust, negative word of mouth, bad publicity on social media, and a drop in the value of stocks for public companies. Customers may stop doing business with the company and turn to a competitor. Doing damage control, restoring the brand image, and regaining customers will all be costly.

Regulatory Fines: Companies must comply with mandates like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) in dealing with customer data or face hefty fines for violations. The fines could be thousands of dollars of individual violations, upwards of millions in total, or a percentage of the organization’s annual revenue.

Litigation: Companies must retain an attorney to deal with legal ramifications of a cybersecurity breach, including potential lawsuits against directors and officers by customers and shareholders. In the case of litigation, attorney fees could end up being in the millions. Any settlements from legal cases must also be paid out by the company.

How can cyber risk be mitigated?

Directors and officers can take many actions to mitigate their organization’s cyber risk and limit the impact of attacks, including:

• Conducting an assessment of the organization’s cybersecurity vulnerabilities to understand what needs to be protected and where the weak points are
• Analyzing the potential business impact of cybersecurity attacks, for example, the costs of IT failure and business interruption
• Installing firewalls and security software to protect the network from being hacked and from viruses
• Monitoring the entire network’s traffic in real-time to detect potential threats as they arise
• Creating a response plan to prepare your team to take swift and effective action in the case of a breach and minimize losses
• Training employees regularly on good cybersecurity hygiene and how to recognize potential phishing or cyberattacks
• Investing in business insurance coverage, including cyber insurance and directors & officers insurance

Does cyber insurance cover directors and officers?

Cyber insurance typically will not cover the personal liability of your directors and officers following a cyberattack or data breach. This type of coverage is provided in directors and officers liability insurance. However, for your business to be better protected against the financial consequences of cybersecurity attacks, it may be wise to invest in both cyber liability and directors and officers insurance.

Cyber Liability Insurance

Cyber liability insurance will provide coverage for financial losses related to cybersecurity attacks such as data breaches, hacking, viruses, denial of service attacks, and other similar cyber events.

First, cyber liability insurance will cover the expenses after a cyberattack, including the costs of restoring data, repairing computer systems, notifying your customers, and advertising and PR services to help fix your company’s reputation. 

Secondly, cyber liability insurance will also cover defending your company against a lawsuit by customers, vendors, partners, or other parties accusing you of failing to protect their data. These may include network security claims, privacy claims, employee privacy claims, and the legal costs of settling them. Cyber liability insurance plans will also provide coverage for regulatory fines incurred.

Directors and Officers (D&O) Insurance

Cyber liability insurance may not cover any legal actions made against the executives of a company that faces a cybersecurity breach. That’s why obtaining directors and officers insurance can help protect the individuals who run the company when they are personally named in a lawsuit.

Directors and officers insurance provides protection for the personal liability of directors and officers of a company while they are performing their roles as directors and officers. If a cyberattack hits your business, impacted customers, vendors, partners, employees, shareholders, and other parties could potentially bring lawsuits against the company and name your directors and officers personally, accusing them of management errors or failure of duty. Without D&O insurance, the personal assets of your management team could be at risk.

Final Word

The rise of cybersecurity threats poses a personal risk to directors and officers of companies. Increasingly, they are being held responsible for responding effectively to cybersecurity breaches and creating a cybersecurity infrastructure that protects against cyber risks. Evolving cybersecurity regulations and laws around the world place increasing responsibilities on companies to protect their data. Official investigations into cybersecurity breaches and third-party lawsuits are also on the rise. Cyber liability insurance and directors and officers insurance are necessary to protect your business and company executives from liability for cybersecurity breaches.