It is now more important than ever for directors and board members to manage cyber risk effectively, including by arranging adequate protection against losses arising from cyber events. Effective insurance solutions will play a large part in de-risking companies from cyber losses that are growing in both frequency and severity. These losses may arise from the cyber incidents themselves and from the related liability of directors for financial losses sustained by their companies.
Cyber threats and regulatory scrutiny
There is increasing regulatory scrutiny globally of directors and board members of companies that neglect their obligations to manage cyber incidents effectively, and post-breach litigation is becoming increasingly common. This is also driven by the development of case law in this area. By way of example:
- UK / Ireland: the High Court of Ireland has imposed personal liability on a director for data breaches, in the judgment of Nolan & Ors [2024] IEHC 4. The implementation of the EU General Data Protection Regulation (GDPR) and the increase in cyber threats have made this an item of growing significance on boardroom agendas. Further, the UK Information Commissioner's Office (ICO) is empowered to impose personal fines on directors for failing to implement and oversee robust cyber risk policies, and can require directors to give personal undertakings to improve data protection and/or cyber security policies.
- Asia-Pacific: in ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court of Australia declared that RI Advice Group Pty Ltd (RI Advice) had contravened its obligations as the holder of an Australian Financial Services Licence (AFSL) under the Corporations Act 2001 by failing to have appropriate cyber security controls and cyber resilience in place to manage its own cyber risks and the cyber risks across its network of authorised representatives.
- US: the Federal Trade Commission's 2022 action against Drizly and its chief executive over security failures that led to a breach exposing the personal information of 2.5 million customers. The FTC's order required Drizly to destroy personal data it had collected that was unnecessary to provide its products or services to consumers, and to implement a comprehensive information security programme. Separately, the SEC's 2023 enforcement action against SolarWinds and its chief information security officer alleged that the company had misled investors by minimising its cyber vulnerabilities and the ability of attackers to infiltrate its systems.
- Europe: the EU Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2) have been developed to protect organisations in the financial sector (in the case of DORA) and organisations operating in sectors critical to national infrastructure (in the case of NIS2) against systemic risks caused by digital threats. They also define national cybersecurity strategies and require organisations to take appropriate security measures. The relevant authorities are able to impose fines not only on the organisations themselves but also on members of senior management, with maximum fines of EUR 1 million being possible under DORA. This applies to organisations subject to European Union rules and regulations.
Cyber losses can be wide-ranging and potentially catastrophic. They include incident response costs (e.g. IT forensics, legal and PR costs) after a security breach by a threat actor, business income losses during a period of disruption, extortion payments following a ransomware incident, and digital asset replacement costs, together with the additional costs that may flow from a data breach, including handling third party claims and paying any damages attached to them. In addition, a company and its directors could face regulatory investigations and potential fines imposed by those regulators.
With growing regulator focus in this space, it will be critical for directors to comply with their legal responsibilities and obligations to their companies across relevant jurisdictions.
Directors' potential exposure
Directors have two key responsibilities in relation to cyber threats: (i) implementing and overseeing effective cyber risk management policies and reporting frameworks, and (ii) obtaining appropriate insurance that will respond to claims and protect against the resulting financial loss.
There is considerable scope for a director to incur personal liability for failing to implement and oversee robust cyber risk policies, and such liability could fall within the cover provided by a D&O policy. Board members may have breached their fiduciary duties to the company and its shareholders if they fail to put appropriate controls in place, including cyber security measures and cyber insurance.
These liabilities may be owed to third parties whose data has been misused, may take the form of regulatory penalties such as ICO fines or undertakings to improve data protection and cyber policies, and may extend to shareholders whose share value has been affected by financial losses caused by security breaches.
Insurance Solutions
Adequate protection should be arranged, through appropriate insurance solutions, against losses arising from cyber incidents and any associated director and company liability.
Brokers should be consulted with a view to arranging a sufficient level and scope of cover to provide effective protection from financial loss. Insurance solutions for first and third party cyber losses sustained by directors, officers and companies include the following:
- Directors' and Officers' (D&O) insurance: D&O cover should be obtained and is designed to protect management from financial loss arising from claims including, but not limited to, (i) third party data breach liability, (ii) costs incurred in responding to regulatory investigations, and (iii) shareholder claims against management for inadequate procedures or cyber controls to manage risk.
- Cyber insurance: this cover is intended to indemnify both first-party cyber losses sustained by an insured as a result of a cyber security incident (including restoring systems, business interruption losses and extortion payments) and third-party losses, for example where claims are brought against an insured for failing to keep customer data secure. In addition, policies can cover the costs of dealing with a regulatory investigation, together with fines imposed by regulators, to the extent these are lawfully insurable in the relevant jurisdiction.
When combined, these insurances (and, potentially, others) can help to mitigate the risk of financial loss sustained by companies and move such risks off the balance sheet, freeing up capital for growth that would otherwise have been held in reserve. Neither product is a replacement for the other, and both are needed alongside other risk mitigation measures. Such measures may include (i) endpoint detection and response (EDR), which monitors end-user devices for malicious activity and automatically responds to advanced threats such as ransomware, (ii) privileged access management (PAM) to secure the accounts that hold sensitive data and access critical systems, and (iii) immutable backups, which ensure vital data cannot be altered or deleted once written and so remain available for recovery after a ransomware incident. Whilst these measures will help companies bolster their cyber security, ultimately effective insurance solutions are critical to cyber resilience across industries.
Double insurance
The health warning around the above is to consider and manage double insurance issues, as both policies are likely to cover third party data breach losses. It is important to take a practical approach to deciding how indemnity payments should be allocated between the D&O and cyber policies, because double insurance issues can delay coverage responses and increase the cost of investigating claims. To avoid such disputes, it is helpful to agree policy wording at the underwriting stage that clarifies which policy should respond in the first instance.
It is advisable to obtain both D&O and cyber insurance from one provider, to eliminate potential conflict between multiple insurers and to provide clarity about how the policies interact. Arranging both covers with one provider should allow them to dovetail and provide efficient protection from liability arising from cyber incidents, whether from the incident itself or from the longer-tail director liability arising from it.
Going forward
In the wake of greater regulatory activity, it is crucial for organisations globally to devise strategies to manage these exposures. Companies should proactively review their insurance arrangements and their other risk management strategies, and obtain advice to ensure they have sufficient protection from such risks.
We are here to help
Please do get in touch if you would like to know more about how we can support you and your business.
This article was adapted from an article by Zurich.