Directors can't plead ignorance as cyber exposures multiply
Information and a solid response plan are essential for corporate directors and officers as cyber liability issues evolve.
“This is an extremely dynamic risk area. There's always more learning we all have to do,” said Rob Yellen, executive vice president of FINEX North America at Willis Towers Watson P.L.C. in New York. “How boards will deal with it will be interesting this year. Maybe they'll have nonvoting board members with cyber expertise; having the right expertise and having something the board can tap into is important.”
“As cyber security exposures continue to evolve, the responsibility of protecting an organization from key cyber exposures has shifted away from the (information technology) department and toward the board of directors,” Christian Hoffman, national practice leader of Aon Risk Solutions' financial services group in New York, said in an email. “As data breaches continue to occur, the responsibility and expectation of the board of directors will only increase.”
Most directors and officers liability insurance policies do not specifically exclude cyber-related claims, but corporate officials must understand the nature of the risk they face. And because cyber risk mutates quickly, corporate executives and directors must stay current on the effect of cyber exposures on their organizations.
“Boards always have to deal with the most important issues facing a company,” said Donna Ferrara, senior vice president, managing director and management liability practice group counsel at Arthur J. Gallagher & Co. in Wyckoff, New Jersey. “What's more important to business than technology, after people?”
Boards and executives ignore technology-related exposures at their own peril, experts said.
“I don't think there are any hidden cyber liability risks anymore,” said Neil Posner, a partner at law firm Much Shelist P.C. in Chicago. “There may be corporate officers and directors out there who do not fully appreciate those risks, but I don't think it takes a lot of work to figure out what those risks are. What it really means, it would be very difficult for a corporate director and officer to defend himself or herself on a ground that, ‘I just didn't know,’” he said.
Mr. Posner cited “spear phishing” as an example of such risks; it typically takes the form of an email that appears to have been sent by a person or business the recipient knows. He said hackers use this to extract credit card and bank account numbers, passwords, and similar information. Other risks include malicious code and malware that create vulnerabilities in computer systems, which can result in data theft, damage to files and, in some cases, damage to the systems themselves.
Robert Parisi, managing director and national cyber risk product leader at Marsh USA Inc. in New York, agreed that cyber risks may be “underappreciated” by boards of directors. They include reputational risk and vicarious or contingent risk stemming from reliance on third parties such as cloud computing providers, he said.
But the level of board awareness has increased “dramatically,” said Mr. Parisi. “I think it's become very clear to pretty much every director, every officer that cyber risk is something they have to deal with.”
“We've seen boards becoming very aggressive in trying to attract talent that can manage these issues,” he said. “You haven't until now found many boards seeking people who understand and handle technology issues.”
Board members and officers need to rely on risk management, IT and legal departments to understand their cyber risks, said Mr. Posner. “That's a shared responsibility.”
Boards need to have “a full and current grip on the issue,” said Tony Galban, Chubb Ltd.'s Warren, New Jersey-based senior vice president and D&O global product manager. “You want them to be comprehensively informed, and you want them to be currently informed,” he said. “You don't want cyber to be a once-a-year board discussion.”
The U.S. Senate also may get involved in the issue.
Sens. Jack Reed, D-R.I., and Susan Collins, R-Maine, introduced the Cybersecurity Disclosure Act of 2015, S. 2410, late last year. According to Sen. Reed's office, the bill would have each publicly traded company include in its U.S. Securities and Exchange Commission disclosures whether any member of the company's board is a cyber security expert, and if not, why such expertise is not necessary. No action has been taken on the bill.
Mr. Galban said one challenge is that board directors typically don't speak the language of cyber technology. “Customers have said getting someone to speak to the board who can inform and keep their attention can be a challenge,” he said.
Boards should provide oversight and supervision of a company's cyber security risks and vulnerabilities, among other things, and develop a proper risk and security assessment that will quantify risk, identify meaningful risk metrics and convey the effectiveness of risk mitigation options, Mr. Hoffman said.
If a director or officer becomes the target of a liability action stemming from a cyber issue, D&O liability insurance can respond.
Marsh's Mr. Parisi said he is not aware of any D&O policies that exclude cyber per se, but they also would not provide the same coverage as a formal cyber liability policy.
“If it's a cyber event that has a material impact on the company, that would flow through the same way as if it were a financial or physical catastrophe,” Mr. Parisi said.
But Willis Towers Watson's Mr. Yellen said there could be exceptions.
“One place you could end up having trouble is the terrorism exclusions, whether that applied to the acts of hacktivists and others,” he said.