What's Happening?

What is a Directors liability following a cyber breach?



The views expressed in this article are not necessarily those of the FIA. The article below was supplied by the 2018 FIA partner, ITOO Special Risk.


A breach is an incident in which sensitive, protected or confidential information is either stolen, copied, transmitted, viewed or used by an unauthorized party.  This data could belong to the company itself (intellectual property) or it could be employees or third parties (clients, suppliers, contractors) private information which is exposed either electronically or in paper format

In 2017 the phishing rate in South Africa was the highest in world, where 1 in 785 emails was a phishing attack.  According to the Ponemon 2018 Cost of Cyber Breach Study:  South Africa shows the following alarming statistics:

  • The average total cost of a cyber breach was R32 million
  • R1 755 is the average cost per lost or stolen record
  • Malicious attacks (43%) and human error (29%) caused most cyber breaches

Interesting findings is that the appointment of a CPO significantly decreased the per capita cost of cyber breach

Ultimately, a company’s financial, reputational and operational success rests on the Board.  Directors owe the corporation and its shareholders three duties: due care, skill and diligence in managing the business

Boards and Directors have significantly more to worry about following a cyber breach:  expenses such as response and remediation costs could be crippling for any business but perhaps the most onerous would be the consequential loss of bottom-line revenue as well as the impact on client, customer, patient and employee relationships

Directors and Executives can face personal liability in relation to cyber breaches under South African law.  The Board must proactively manage cybersecurity and drive the organisation’s attention to, and readiness for a cyber security incident.  It is extremely difficult if not impossible for anyone who doesn’t work full-time in cyber security to keep up with the ever-changing threat landscape and Directors are being named as defendants in costly and intrusive litigation.  A statement or claim of not having enough information or an insufficient understanding of the IT systems would not be an adequate defence

The failure to implement appropriate cyber security risk management measures could constitute a breach of Directors’ fiduciary duties. These fiduciary duties have been codified by the Companies Act No 71 of 2008 (Companies Act) and a breach of these fiduciary duties could lead to claims being brought against Directors and Executives.  South African common law principles stipulate that any person who contravenes the Companies Act is liable to any other person for any loss or damage suffered by that person as a result of that contravention

Regulatory action:  depending on the regulatory framework and industry within which the company operates, complaints can be made to the Companies and Intellectual Property Commission (CIPC) who will in turn investigate and allow action to be taken against a company or its Directors

Right to privacy:  Directors and Executives may face personal liability as a result of having breached privacy law in South Africa. The right to privacy is protected under the common law in South Africa. South Africa has also passed the Protection of Personal Information Act 3 of 2013 (POPI). Depending on the nature of the contravention, a Director may face civil fines, administrative fines, penalties and even a period of imprisonment

Parties affected by a cyber breach can hold the corporation’s management and Board of Directors accountable as they might feel that the corporation failed to address weaknesses in its systems and programs.

Good corporate governance steps a Board could implement to protect Directors from personal liability are:

  • Board meetings.  Ensure that cyber security and data privacy matters are discussed regularly at board meetings
  • Employee Education. Maintain a high level of cyber awareness.  29% of cyber breaches were caused by human error and strong security practices can minimise the possibility that attacks like phishing are successful
  • Breach Planning. How has management prepared for a cyber breach.  Have printed copies of your breach response plan readily available (not only saved electronically i.e., should there be a Denial of Service Attack you would not be able to access your systems)
  • Intrusion detection. Are there systems, personnel and software in place that can detect a security breach promptly
  • Vulnerability scans or penetration testsHire third party consultants to audit the security systems.  Ask for recommendations to improve your network
  • Disclosure Obligations. Is the Board aware of these obligations, as failure to do so certainly increases the risk that clients may bring an action against the Board and the Company.
  • Post-Breach Review. The Board must act promptly.  Assess security gaps and evaluate the effectiveness of the corporation’s current policies and procedures. This may include updating technology controls and policies and procedures, revisiting existing plans and making appropriate changes
  • Insurance. A fundamental aspect of corporate governance and having a strong cyber risk management program would include cyber insurance policy as well as a D&O policy to protect the personal assets of Directors

Cyber insurance, more than any other insurance, allows access to the correct channel of service providers needed to recover fully from a cyber incident



  • Network security breach – means a Downstream attack, or Unauthorised Access to, Unauthorised Use of, Theft of Data from, Denial of Service Attack or transmission of Malicious Code to the Insured’s Computer System, including physical theft of the Insured’s Computer System, or any part thereof
  • Privacy breach – means a breach of confidentiality, infringement, or violation of any right to privacy, which results in harm to employees or third parties



3rd party

Privacy liability

Defence and settlement of liability claims arising from compromised information

Network security liability

Defence and settlement of liability claims resulting from a system security incident affecting systems and data as well as causing harm to third-party systems and data

Media liability

Defence and settlement of liability claims resulting from disseminated content (including social media content) including:

• Defamation

• Unintentional copyright infringement

• Unintentional infringement of right to privacy.

Incident mitigation

Incident response costs

Costs to respond to a systems security incident, including incident triage, forensic investigation, legal, crisis communication, public relations and credit monitoring

1st party

Regulatory fines

Fines assessed by a government regulatory body due to an information privacy breach

Business interruption

Loss of income and increased cost of working as a result of a systems security incident

Data restoration

Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident

Cyber extortion

Costs to investigate and mitigate a cyber extortion threat. Where required, costs to comply with a cyber extortion demand


For more information contact:

Ryan van de Coolwijk  083 794 4332    ryanv@itoo.co.za                      

Candice Sutherland       082 346 1716   candices@itoo.co.za



The ITOO D&O policy is structured as follows:

Directors & Officers – Provides cover for non-indemnified events – i.e. protects a director against personal liability or expenses not paid for by the company, and advances defence costs

  • Company Reimbursement – Reimburses the company when the company has indemnified a director for an insured event, including any defence costs and expenses
  • Company Securities – Cover for the entity where it is joined as a defendant with the directors in respect of actions relating to the sale or purchase of the company’s securities or shares

(An officer is defined as any employee in a managerial or supervisory capacity as well as the company secretary)

For more information contact:

Warwick Goldie    08082 653 7833  warwickg@itoo.co.za     

ITOO is a special risks Underwriting Management Agency (UMA) focused on liability, special and emerging risks underwritten on the Hollard Insurance licence.  www.itoo.co.za