The past year was saturated with detailed disclosures of cyber attacks against marquee corporations. From Target to Home Depot and JP Morgan and Sony Pictures, the wider public now knows how wide open corporate networks are to disruptive, damaging hacks.
In the coming year, court cases should begin to define and quantify a new realm of liability exposure posed by such cyber attacks. The result: directors and officers liability insurance is poised for a boom. ThirdCertainty asked insurance industry attorney Eric Dolden of the Canadian law firm Dolden Wallace Folick to outline how this message is reverberating through boardrooms around the globe.
3C: Can you frame how the risk of losing valuable digital information is being viewed by directors and officers in light of the major breaches of 2014?
Dolden: Historically, cyber breaches were viewed as a problem to be dealt with at the managerial level with the chief information officer. But in early 2014, the U.S. government issued guidelines and said cyber attacks can cause harm to a company that requires board involvement. Whether you’re a public or private company, you have to take ownership of the problem at the board level. It’s very much a board responsibility.
3C: So this isn’t just an abstract notion?
Dolden: If there’s a cyber attack, and there are either inadequate protocols or you’ve fumbled the ball in trying to deal with this cyber breach, there’s going to be an exposure to the board members who have responsibility for that cyber security risk.
3C: So it’s more than just the loss of reputation and costs like replacing credit card accounts?
Dolden: Yes, you can actually see a segmentation of the liability. For example, there might be liability because there was a cyber event that was preventable. It could have evolved from management’s conduct. Shareholders might well say, “Look at the share values last year. We’ve experienced some wasting of company income and assets to deal with this problem, and I have a claim against the board members who are charged with responsibility for cyber security risk.”
3C: So directors and officers have something tangible to lose?
Dolden: They do, and I should stress that this is equally applicable to private companies. Claimants’ lawyers will be targeting private companies the same way because private companies have shareholders, and if they feel their share value has been reduced by reason of improper conduct or inadequate attention to the protocol, they’re going to want to seek redress.
3C: What’s available for companies to insure against these risks?
Dolden: At the very rudimentary level, you can buy insurance that reimburses for your cost to restore the data, giving notice to your affected customers. You may also face a third-party negligence lawsuit. On top of that, shareholders can start a class action against the directors saying that their governance was inadequate and it gave rise to a loss. So you’re going to need cyber liability insurance for defense.
3C: So we’re very early in the process of this whole field emerging?
Dolden: Yes. It has taken some years to develop the cyber product and make it readily available. It’s only in the last few years that people have realized that a directors and officers liability policy could respond to a claim against the directors, either because their standards are inadequate, their protocols are inadequate, or they drop the ball in the aftermath of a cyber breach.