PWC’s 24th CEO Survey, released earlier this year, revealed the escalating prevalence and severity of cyber-attacks. Together with changes in governance expectations, director liabilities and regulatory reform, this is seeing business leaders place significantly more emphasis on their organisations’ cybersecurity and risk management strategies, with around 80% of CEOs surveyed strengthening their cyber security and privacy infrastructure in response.
Why are business leaders concerned?
Critical infrastructure, the subject of Government reform at the end of 2020, is particularly important for ASX listed companies and their directors. It is not just cyber policies being affected: some Directors & Officers (D&O) insurance policies now contain new ‘Cyber Endorsements’, which may include affirmative language responding to wrongful acts, may in some cases contain exclusions, or may remain silent altogether. In turn, this is placing more pressure on boards to build and implement robust governance strategies to protect their shareholders and ultimately their bottom line and share price in the event of an attack.
Directors can be held responsible for not acting to progress a company’s cybersecurity framework and may be penalised if they are found to have failed to ensure the company has an adequate cybersecurity risk management plan in force, to have not responded within a reasonable time frame to a known data breach, or to have failed to respond altogether.
Risk mitigation through Cyber and Directors & Officers Insurance (D&O)
A typical D&O policy will provide coverage for individual directors (often including the board), for wrongful acts, errors and omissions arising from their professional conduct acting in their capacity as a director – which could include those matters relating to a cyber incident. ‘Dishonesty/Misconduct’ exclusions may prevent cover for claims arising from misconduct, such as wilful breach of statute, dishonest conduct, or fraud. In rare circumstances, a wilful blindness to cyber-related legislation could trigger exclusion(s).
Whilst the area of potential D&O exposures to cyber-related claims continues to evolve, it is critical to ensure your organisation has sufficient D&O limits of liability. In addition, our preference is to ensure insureds incorporate affirmative language where possible, to avoid ambiguity should a D&O claim arise from a cyber incident occurring. Areas for directors to consider within their insurance program include:
- Investigation of cyber circumstances – costs incurred investigating any circumstance resulting from a cyber event where litigation is anticipated.
- Investigation costs – regulatory investigations arising out of a cyber incident, and at full policy limits.
- Insured individuals (policy language) – all persons (including, but not limited to Managers and Chief Technology Officers) who are involved in significant cyber-related decisions and implementation on behalf of the company.
- Shareholder litigation – shareholder actions brought against the organisation arising from a cyber-related incident and subsequent disclosure (e.g., following a stock drop).
- Broad cyber exclusions – policyholders must also ensure there is no broad cyber exclusion sitting across the policy, which could nullify cover.
Fiduciary Duties and Business Continuity
The Australian Information Commissioner (OAIC) recommends that organisations implement a data breach response plan (BRP / Business Continuity Plan). In the event of a security breach, such as a cyber-attack or theft of data, if the board can demonstrate that it was not only aware of a cybersecurity risk but had also activated a framework to mitigate that risk, it is less likely to be found in breach of its fiduciary duties under both the Privacy Act and the Corporations Act. A good approach is to address the following five areas of cybersecurity management with experienced IT professionals:
- Identifying – developing an understanding of the overall cyber risk landscape, which can include data management, the operational environment, and an effective risk management strategy.
- Protecting – deploying safeguards that control threat actor entry.
- Detecting – allowing timely discovery of breaches and anomalies.
- Responding – implementing plans to effectively manage cyber incidents and subsequent damage control.
- Recovering – enabling the organisation to resume operations as soon as possible.
Embedding cyber risk management practices in the workplace
While cybersecurity is recognised as an essential part of a business’ risk management strategy, PWC’s report highlights that organisations have work to do in training their staff to identify and manage cyber risks. Find out more about protecting your systems from cybercrime from Honan’s Head of Information Technology and member of the Zoom Customer Advisory Board, Stuart Madden.
With you all the way
To learn how D&O and cyber security policies can be tailored to meet your business’ specific needs, please feel free to reach out at any time.
Placement Manager – Professional & Executive Risks