What's Happening?

How exposed are directors personally in the face of a cyber attack?

ARTICLE BY

SHARE THIS POST

The views expressed in this article are not necessarily those of the FIA. The article below was supplied by 2018 FIA partner, ITOO Special Risks.

Anyone who sells directors and officers liability products will know that the responsibility for a company’s financial, reputational and operational success ultimately lies with its directors. When joining the board, these individuals undertake to manage the business with due care, skill and diligence. This includes safeguarding the organisation against cyber breaches.

A breach is an incident in which sensitive, protected or confidential information is either stolen, copied, transmitted, viewed or used by an unauthorised party. A company’s directors have a lot to be concerned about following a cyber breach. The most obvious concern would be around expenses, including response and remediation costs and consequential loss of bottom-line revenue. They would also need to consider the impact on their clients, as well as employee relationships.

It is therefore  imperative for any board to proactively manage cyber security, which includes driving awareness and creating readiness for a cyber security incident. It is extremely difficult, if not impossible, for anyone who doesn’t work fulltime in cyber security to keep up with the ever-changing threat landscape. Directors are increasingly being named as defendants in costly and intrusive litigation. Saying, “I didn’t have enough information” or, “I didn’t quite understand the risk” is not an adequate defence.

The failure to implement appropriate cyber security risk management measures could, in fact, constitute a breach of directors’ fiduciary duties. These fiduciary duties are codified in the Companies Act (No. 71 of 2008). A breach could lead to claims being brought against directors and executives in their personal capacities.

The South African Companies Act stipulates that any person who contravenes any section of the Act is liable to any other person for any loss or damage suffered by that person as a result of that contravention. These are some of the potential pitfalls:

Regulatory action

Depending on the regulatory framework and industry within which the company operates, complaints can be made to the Companies and Intellectual Property Commission (CIPC), which will in turn investigate and allow action to be taken against a company or its directors.

Right to privacy

Directors and executives may face personal liability as a result of having breached privacy law in South Africa, including the Protection of Personal Information Act (No. 3 of 2013), also known as POPI. Depending on the nature of the contravention, a director could face civil fines, administrative fines, penalties and even a period of imprisonment.

Technology and information governance

According to Principle 12 of King IV, the governing body must oversee that the IT responsibilities are managed, appropriately resourced and sufficiently defined.

Shareholder action

Shareholders may sue directors for a decrease in the share price following a breach, as well as the costs involved and reputational or brand damage.

Client action

Those affected by a cyber breach can hold the corporation’s management and board accountable as they might feel that the corporation failed to address weaknesses in its systems and programs.

Here are a few good corporate governance tips for brokers to share with corporate clients that can help to protect directors and executives from personal liability in the event of a cyber attack:

  • Ensure cyber security and data privacy matters are appropriately addressed at board meetings. Depending on the organisation, this would include, but not be limited to:
    • Understanding data security legislation such as POPI, GDPR etc., and how they impact the organisation
    • Making appropriate appointments in terms of data security officers if required (Interestingly, a 2017 study by Ponemon found that the appointment of a chief privacy officer significantly decreased the per capita cost of a cyber breach, the average cost of which was R32 million)
    • Seeking expert advice around minimum security requirements
    • Ensuring adequate resources are made available to implement and maintain security
    • Implementing reporting and monitoring requirements in the event of a breach
  • Maintain a high level of cyber awareness. Around 29% of cyber breaches are caused by human error. Strong security practices can minimise the possibility of successful attacks
  • Have a breach response plan in place – and have printed copies readily available (the plan should not only be saved electronically in case the attack leaves you locked out of your systems)
  • Put systems, personnel and software in place that can detect a security breach promptly
  • Hire third party consultants to audit the security systems through vulnerability scans or penetration tests and ask ask for recommendations to improve your network
  • Make sure the board is aware of their disclosure obligations. Failure to disclose increases the risk that clients may bring an action against the board and the company
  • Act promptly by conducting a post-breach review. Assess security gaps and evaluate the effectiveness of the corporation’s current policies and procedures. This may include updating technology controls and policies and procedures, revisiting existing plans, and making appropriate changes

A fundamental aspect of corporate governance is to have a strong cyber risk management programme in place. This would include cyber and D&O cover to protect both the interests of the business itself and the directors and executives in their personal capacities. Cyber Insurance provides comprehensive cover to respond to a network security or privacy breach. Cover extends from the incident response process through to business interruption losses and the defence and settlement of ensuing liability claims.

D&O insurance typically covers the following:

  • Directors & Officers – Provides cover for non-indemnified events – i.e. protects a director against personal liability or expenses not paid for by the company, and advances defence costs
  • Company Reimbursement – Reimburses the company when the company has indemnified a director for an insured event, including any defence costs and expenses
  • Company Securities – Cover for the entity where it is joined as a defendant with the directors in respect of actions relating to breach of securities regulation