The threat of a disastrous cyber breach – and of lawsuits against specific company directors – is all too real, say risk managers
Data loss is seen as the biggest emerging threat to directors’ and officers’ (D&O) liability, a Management Liability Survey of StrategicRISK’s Advisory Panel has found.
The panel singled out data loss as the D&O risk most likely to occur and to have the greatest impact financially. Close behind was ‘breaching industry regulation’, with ‘employment practice claims’ rounding out the top three (see scattergraph, above).
Some 77% of respondents also said that liability owing to a cyber breach was a bigger concern to their board than it was 24 months ago. This will come as no surprise to insurers, who are seeing a rise in client enquiries about management liability connected to cyber breaches.
“It’s a huge threat,” says Alex Morgan, Zurich commercial insurance chief underwriting officer, Japan, adding that a breach is now “a matter of when, not if”.
“If [a cyber breach] happens and it becomes apparent to a potential litigant that [the company directors] didn’t do anything to prepare, then there is scope for them to be sued individually and that’s a critical part of D&O cover. What have you done firstly to mitigate it, and secondly to prepare yourself for how you respond to it, is where directors really are at risk.”
Lendlease group head of risk and insurance and RIMS Australasia president Kevin Bates says most directors are alert to the evolving risks that cyber presents.
“Directors are acutely aware of personal accountability and, therefore, exposure that does exist in areas which were previously deemed as ‘emerging’, such as cyber,” he explains. “They’re asking the correct questions and taking appropriate mitigation.”
Bates says a key element of Lendlease’s approach to cyber risk has been to focus on business resilience and disaster recovery.
“It’s like drug testing in sports. You actually don’t know what you’re going to find, which means that the hackers – or the cheaters in sport, for example – will always be ahead of the testers, or indeed the programmers in this case.”
In the event that something does happen, he says, the important question is: “Can we be back up and running quickly?”
PCCW head of risk management and compliance David Ralph agrees that resilience is key.
He recommends risk managers treat cyber like any other risk to help their directors minimise personal liability. “Our job as a risk manager is obviously to provide them with adequate defence as well as good advice on how to stop things from happening,” he says.
When it comes to their D&O policy, risk managers are most concerned about how any claims against directors and officers will be controlled and settled (56%).
Almost as concerning (54%) is whether the policy will respond to claims in all jurisdictions.
When asked about industry regulation breaches – the management liability risk ranked second – the panel’s responses were mixed.
The most frequent answers, in terms of which regulatory risk their company was most concerned about, were corruption and anti-money laundering. Many in Australia also cited new mandatory data loss legislation.
“With technology constantly evolving, I am concerned with the raft of regulations which will have to come into play to govern this,” one respondent said.
Another listed their company’s top concerns as “breach of privacy and newly introduced mandatory reporting laws, corruption (especially with regards to supplier landscape and potential customers)” and “dealings with government entities in legislated areas”.