Cyber risk management has been an issue for IT departments for years. It’s now a problem at the heart of boardroom discussions, too.
Case in point: Equifax, which has been hit with dozens of lawsuits from shareholders, consumers and even a credit union, all hoping to recoup losses related to its massive data breach in September.
The breach at Equifax exposed sensitive information on about 143 million consumers, including Social Security and driver’s license numbers. That kind of data can be used for identity theft and to create fake accounts.
At least one of the class actions in the Equifax case alleged that the company’s directors and officers are responsible for the drop in its stock price after the breach was made public. The plaintiffs allege that Equifax’s financial statements were materially false and misleading because Equifax failed to maintain adequate measures to protect its data systems and failed to maintain adequate security and monitoring systems to detect data breaches.
Whether the plaintiffs pull it off is anyone’s guess. But there’s good reason for corporate directors and officers to be concerned.
That’s because the lawyers representing the shareholders in these cases are doing all they can to hold companies and their managers directly responsible for flawed or inadequate cybersecurity decision-making.
A cyber liability policy alone won’t address the management liability questions raised in these sorts of shareholder suits.
To protect themselves properly, board members and corporate executives will need a directors and officers insurance policy. This isn’t a problem for publicly traded companies alone. Private entities will find themselves in the cross-hairs, too, and, as we’ve seen repeatedly, no company is too small to face a cyber-attack.
Allegations in these cyber-attack cases have included breach of fiduciary duty, negligence, breach of implied contract, and violation of various state and federal statutes.
D&O policies generally cover “wrongful acts” by management, protecting the personal assets of those individuals as well as losses incurred by the corporation in securities claims.
A D&O policy would help a company and its officers defend themselves against such allegations, as well as help pay any settlements, even when the allegations don’t stick.
Insurance policies aside, directors should make certain their companies are prepared for a cyber-attack.
Directors, by law, are required to exercise reasonable skill and care in performing their duties; in cyber terms, that means assessing data risk, ensuring IT security is adequate, training staff in their duties and having plans in place to deal with a data breach.
The bottom line: given the potentially crippling mix of losses and liabilities a data breach can trigger, don’t assume that a single liability or cyber policy will provide complete protection.
There’s no doubt cyber policies are increasingly important. But directors and officers will also want to look to more traditional D&O coverage for cyber-related losses.
Spencer Mahoney is a CCIG insurance advisor. Reach him at 720-212-2051 or SpencerM@thinkccig.com
Mind the gap: If you’re in the market for a D&O policy, be sure that key areas of coverage are broad enough to address the types of events that could lead to a data breach, whether due to an external hacker or internal employee conduct.