Looking beyond cyber policies when faced with cyber risks
"It's 16:30 on Friday afternoon, the weekend is about to start, a few loose ends to tie up before logging off and then time to relax after a heavy week of board meetings and tough decisions. Murphy’s Law, just as I want to do something quickly, the computer freezes. After waiting and a few mouse clicks, the computer fails to respond. Turning off and leaving it until Monday morning seems the sensible option. The Head of IT’s face appears on my mobile screen, I do not remember them ringing me directly before, especially on a Friday afternoon. The next 30 seconds hit me like a sledgehammer... the IT systems have been compromised and a ransom is being demanded to allow us to regain access".
Such scenarios and fears of such scenarios are increasing. It’s safe to say that our fictional director’s weekend was anything but relaxing. Cyber policies provide front-line action to aim to control the crisis and regain access. This can include the appointment of forensic IT experts, expert ransom negotiators, public relations experts and lawyers. Even though the actual cyber-attack may be successfully resolved, here we explore how a cyber-attack could potentially have impacts on D&O policies.
Nowadays, there is a general acceptance that cyber incidents are an everyday business risk. In many cases, there has been a mental shift from “what if we are affected by a cyber-attack?” to “when will we be affected by a cyber-attack?”
Our initial thoughts regarding claims exposure may have been that it is the company that faces the direct risk from persons affected by the data breach, whether consumers, providers or clients. Companies will also directly take on the regulatory risks for breaches of personal data obligations.
Nevertheless, applying US emerging litigation trends, it is not beyond the realms of possibility that Spain will follow suit. The personal liability of directors and officers (D&Os) will soon have relevance before the Spanish courts as a consequence of a cyber attack if D&Os have caused detriment to a company through their acts or omissions.
The Spanish Corporations Act imposes a duty of diligence on D&Os, together with an obligation to adopt necessary measures for the good management and control of the company. The Act also determines that D&Os are liable to the company and shareholders for acts or omissions contrary to law, the company’s articles of association or the inherent duties of a D&O.
Given the potential financial and reputational damage arising from a cyber attack, prevention and remediation planning has to be a boardroom priority and not left exclusively to the IT department. A lack of or insufficient planning against cyber risks at board level could constitute a breach of a D&Os inherent duty of diligence and give rise to shareholder actions against D&Os.
US history shows that shareholder class actions against D&Os have faced hurdles before the courts, but high-profile settlements reached in claims against Yahoo and Equifax, for example, highlight that D&Os are increasingly becoming a potential defendant for claimants. False and misleading statements regarding security measures and delayed disclosure of data breaches make up some of the arguments presented against both the company and named D&Os in the cited examples.
Mitigating insurers’ risk
A cyber attack in itself is not an indication that a company has failed its cybersecurity procedures. Organised crime is always a step ahead of developing new techniques to perpetrate their acts. Furthermore, falling victim to a cyber attack is frequently a result of human error which allows attackers to gain access to systems, an error not directly attributable to the D&Os.
In the same way that insurers can mitigate risks arising directly from a cyber attack under cyber policies, the D&O exposure arising from a cyber incident requires insurers to know their clients and obtain sufficient information in the underwriting phase to ensure that the company and potential insureds have a robust security culture. Key issues to determine possible D&O exposure to a cyber incident are:
- Have there been previous cyber incidents?
- Which security measures are in place? (Firewalls, malware protection, password policy, two-factor authentication, etc.).
- How often are security measures reviewed and updated?
- Does the company undertake data audits to know which data it handles?
- Does the company have a crisis response plan in place?
- Are training programmes in place to alert staff to cyber risks and how to mitigate the risk?
D&Os have a duty of diligence when managing a company. In an environment where cyber-risks are a well-known publicised risk, it will be difficult for D&Os to justify any conduct that does not place importance on protecting a company from cyber incidents.
A sustained period of inactivity resulting from a cyber attack will not only affect profitability but cause reputational damage which could also have longer-term impacts. A passive attitude towards cyber security could mean that not only will the company be faced with claims from parties affected by data breaches, but D&Os could also be subject to disgruntled shareholders. Whilst we foresee difficulties with such claims (causation, quantification of losses, etc.), we have to consider that very often where the US leads in litigation trends, the rest of the world follows.
For the moment, in Spain, recent case law has established that companies and, in turn, D&Os have an obligation to prioritise data protection and cybersecurity. It is not enough to design the necessary technical and organisational means, they need to be implemented correctly and used appropriately. In this way, the company will also be responsible for the lack of diligence in their use, understood as reasonable diligence according to the circumstances of the case.
Read other items in Professions and Financial Lines Brief - July 2022