Executives can't dismiss cyber accountability
In the wake of the Yahoo data breaches in December of 2016, it is hardly surprising that yet another shareholder has filed a data breach securities class action lawsuit against the publicly traded company. While we’ve seen other securities suits, they have failed to make their case. In fact, by the end of 2016, Target Corp., Wyndham Worldwide and Home Depot all saw derivative lawsuits – filed after highly publicized data breaches — dismissed.
While these recent data breach-related Director and Officer (“D&O”) lawsuits have been unsuccessful, it is expected that future complaints will continue to take aim at holding executives accountable for high-profile hacking incidents. Merger objections, financial restatements and regulatory actions continue to be the principal issues driving Directors & Officers Liability claims activity, however, although the shareholder derivative actions brought against the Target, Wyndham Worldwide and Home Depot were dismissed, it is a clear sign that shareholders are becoming increasingly more focused on companies’ cyber exposures and more importantly, on their management’s protocols around mitigation and remediation.
As the “Internet of Things” continues to expand, we can anticipate future suits involving failure to safeguard funds, intellectual property, or the confidentiality of corporate information to be more commonplace and thus, potentially impacting a firm’s Cyber, D&O and possibly its Fidelity insurance program.
It is safe to say that “cyber” is no longer just a technology issue, but a board level priority within a firm’s enterprise risk management framework. Knowing the potential implications on a company’s balance sheet and stock price, executives must stay vigilant managing their role in cyber security oversight especially as companies’ cyber exposures continue to grow and more stakeholders look to executives to provide assurances that they are taking their cyber risks seriously.
Failed litigation attempts will likely shape future complaints. Consider the recent dismissal of a case against Home Depot. The plaintiffs alleged that the defendants breached their duty of loyalty because they failed to institute internal controls sufficient to oversee the company’s cyber risks. In their case, they cited how the company disbanded the Board of Directors committee that was supposed to have oversight of those risks. The plaintiffs also alleged that the defendants wasted corporate assets.
In his dismissal of the case, Atlanta-based U.S. District Chief Judge Thomas Thrash noted that the company’s top management, as well as its board of directors, did try to address the weaknesses in its online and data security, although not fast enough. He wrote: “With hindsight, it is easy to see that the Board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one. But this decision falls squarely within the discretion of the Board and is under the protection of the business judgment rule.”
Because the plaintiffs failed to show beyond a reasonable doubt that the Board faced substantial liability and because it consciously failed to act, Judge Thrash concluded that this argument, among others, was not strong enough to move forward.
Stakeholders now expect executives to prioritize this exposure and stay ahead of the curve as much as they can..."
Cyber Responsibility in the C-Suite
Cyber risk was, in the not so distant past, considered a technology issue as compared with the board level issue it has become. Failing to address this exposure diligently can have far reaching ramifications, ranging from the cost of remediation, lost, client retention or the inability to establish or maintain key vendor relationships. Most importantly, shareholder expectations are growing. Stakeholders now expect executives to prioritize this exposure and stay ahead of the curve as much as they can by learning from past breaches, even if not their own, and expect them to continually assess and improve upon managing their company’s cyber exposure.
Executives should be well versed in their firm’s cyber breach protocols. Company management has to pay close attention to aspects of their businesses that could potentially increase the likelihood or severity of a cyber breach/attack on their business. For instance, they have to consider their reliance on intellectual property (“IP”), dependence on online services and critical vendors and, the retention of the personal information of customers and employees. Executives in such industries as retail, healthcare, hospitality and financial services are particularly susceptible to great scrutiny because they have large amounts of information in their possession.
Management should minimize corporate exposures by implementing enterprise-wide procedures and standards applicable to cyber risks that cross corporate departments and real-world geography. Several federal agencies, including the Securities and Exchange Commission, the National Institute of Standards and Technology and Federal Trade Commission, have issued guidance for adopting measures. There is also a growing marketplace of cyber security experts available to enlist and design tailored strategies.
While reviews and assessments help, another effective strategy is establishing and supporting a Chief Information Security Officer (CISO) position. CISOs help executives understand cyber risk by implementing the right security controls (and establishing the needed budget to do so) while promoting a culture of defense. Establishing such a position does not remove an executive’s responsibility in managing cyber risk. Most CISOs are quick to note that managing cyber risks is a part of every member of the enterprise. Company executives have the opportunity to strengthen and support the CISOs initiatives to drive cyber security awareness, tools and strategies throughout the organization.
Who’s Got You Covered?
In addition to managing cyber exposures and preventing attacks, executives have to take into account how they can help their companies to minimize financial loss after a cyber incident and successfully recover from other potential damage such as harmed reputation and loss of customers’ trust. The right insurance coverage is integral in this recovery.
Cyber insurance is the first insurance coverage that’s called to mind. And it’s on a growing number of minds. According to a recent study — “Cyber Insurance Market — Global Opportunity Analysis and Industry Forecasts, 2014-2022” — by Portland, Oregon-based Allied Market Research, the global cyber insurance market, dominated by North America, is expected to generate $14 billion in gross premiums by 2022. The market is growing at a compound annual growth rate of nearly 28% as insurers expand coverage to other regions. The current worldwide market size is around $3 billion, according to various estimates.
A cyber policy alone is not adequate protection against shareholder suits. Cyber liability policies cover losses related to handling a breach or security incident– the cost of notifying affected individuals whose personal information may have been compromised, associated credit monitoring, forensic investigation costs, public relations, litigation defense and more. While an Errors and Omissions (“E and O”) policy may provide coverage from an error or omission in providing services, or from professional liability negligence, a standalone cyber policy will not provide coverage arising from the loss of use of tangible property. They may not apply to shareholder derivative suits or investigations of management either. Additionally, they cover the corporation, not the individual directors and officers. Last, general and cyber liability policies may be exhausted before shareholder claims and government investigations are commenced.
Directors and officers (D&O) policies are likely to provide defense against breach-related suits where an executive or board members’ action or inaction on cyber issues are called into question.
Given the variety of losses and liabilities potentially triggered by a data breach, one should not assume that a single policy will provide complete protection. Additionally, policyholders need to consider sublimits, exclusions and provisions that may seem unclear, such as language defining the scope of exclusions for damage to electronic equipment. Policyholders also have to be wary of exclusions relating to employment practices, bodily injury and personal/advertising injury.
Cyber security is every employee’s responsibility but it is a growing directive for company executives. While we have not seen the stream of successful D&O lawsuits aimed at holding executives responsible for breaches, we should anticipate that stakeholders will seek greater accountability as cyber risks escalate. Given what we are learning about cyber risks and how we can protect our companies, there will be more reasons for stakeholders and the courts to address how executives manage their company’s cyber exposures.
John Coletti is XL Catlin’s Chief Underwriter for Cyber & Technology. He can be reached at firstname.lastname@example.org or +1 212 915 6835. Ray Santiago is Senior Vice President of Underwriting, Professional. He can be reached at email@example.com or telephone: +1 212 915 6707