17

Cyber Directors' & Officers' claims may be on the rise

UK companies need to recognise the risk of cyber-related directors’ and officers’ (D&O) liability claims, a leading British lawyer has warned.

Although such claims have yet to materialise in the UK, directors across the Atlantic are already facing legal action stemming from oversights in their company’s cyber security.

A series of large-scale data breaches, involving corporate heavyweights such as Sony, Target and Adobe, along with concerns over increasingly sophisticated malware attacks such as the Heartbleed bug and Regin spyware, has brought this growing problem into sharp focus.

No company is too small to face a cyber-attack, and the increasing regularity of such incidents means that as cyber breaches become more common, claims against directors, following losses suffered by the company, will no doubt increase.

Increasing problem

In the US, which is generally seen as a more litigious society, directors are already facing cyber-related D&O lawsuits. Following the Target security breach, when up to 70 million credit and debit cards details from customers of the US retail giant were stolen in November 2013, there are thought to have been at least two shareholder class action lawsuits filed, out of almost 70, against directors and officers.

Meanwhile, in October 2013, computer software company Adobe announced that a hack had potentially compromised the data of nearly 40 million customers. It is now braced for multiple lawsuits against not only the company, but also its directors.

Technology giant Sony, which saw hackers access the data of 77 million PlayStation Network users in 2011, faced lawsuits in the US stemming from the breach, as well as a £250,000 fine by UK authorities for its ‘preventable’ hack. Sony has also been the victim of another recent high-profile cyber-attack, which has seen Sony Pictures suspend the release of its new film, The Interview.

In the US, there are already mandatory data breach notification and disclosure requirements in place for cyber incidents, however large or small. Europe is about to follow suit with a major overhaul of its data protection laws. Currently, companies here only have to divulge anything if there is a ‘serious’ breach.

It means that directors in the UK will increasingly be held to account over any failures of a company’s privacy and data protection policies.

Need for better cyber oversight

Directors should adapt their protocols to provide a more complete oversight of cyber security, otherwise directors could be exposed to breaches of duty, privacy charges, failure to adhere to corporate legislation, claims of misleading conduct and the prospect of criminal proceedings.

Directors, by law, must also exercise reasonable skill and care in performing their duties, which in cyber terms means assessing data risk, ensuring IT security is adequate, training staff in their duties and having plans in place to deal with a data breach.

For listed companies too, there are obligations to notify the stock exchange of any information, such as a cyber-breach, that could have a material impact on its price or value.

In October 2014, a study by EY, a professional services firm, called the Global Information Security Survey, found that 37% of the global companies surveyed were unprepared for a cyber-attack. This means that potentially more than a third of firms out there are in breach of their duties.

Not only that, but a cyber-event can bring with it system downtime and business interruption – all of which can be costly, as well as loss of data and charges relating to subsequent regulatory investigations. The Ponemon Institute calculated that the average cost to a company of a data breach in 2014 was $3.5 million, up 15% from 2013.

Cyber risk management is an issue that should be at the heart of boardroom discussions and not one that is solely an IT department problem.

What to do next? 

We have a team of experienced insurance professionals who would be happy to talk to you about managing your Cyber Risk. If you would like to discuss further then please give us a call.

Call 01789 761670

Congratulations to Stephen Toms from Jepway Properties for guessing the closest rebuild value yesterday at the Kens… https://t.co/2gZflm7NVp

Our client @TaylerFletcher worked with their agents to provide the @PoppyLegion free occupation for a month to sell… https://t.co/8NIxI97hOm

RT @STUARTMREY Jodie smashing it today at Kensington Professional Conference @PiPropertyIns #Conferences #cpd https://t.co/I6aIYXc5z4