A definition of cyber security, which fits well with how a director might think about it, is ‘the digital or human measures you can take to reduce the risk and harm to your company’s information and information-based systems through theft, alteration or destruction’.
The need for cyber security doesn’t broaden the duties of directors defined in the Companies Act 2006. However, it is yet another way in which a breach of duty may manifest itself.
The fundamental risk posed by cyber has always existed; in this case it is the loss of information or the theft of intellectual, rather than physical, property. What has changed is the method by which it may be suffered. In days gone by, the garden variety bank robber would have marched into their local branch, brandishing their shotgun and, if successful, would re-emerge with the loot. These days, the thief could be sitting at home watching EastEnders while simultaneously fleecing a bank for millions of pounds, probably more than most bank robbers could physically carry.
A recent Deloitte survey (involving 100 directors of Fortune 2000 companies) highlighted that boards were not actively addressing this element of risk. This could be for any number of reasons, possibly through a lack of understanding of the issues or through feeling that cyber exposure is not relevant to their company.
At the risk of propagating a stereotype, board members, perhaps in the twilight of their careers, may not be completely au fait with the potential havoc a cyber breach could wreak on their business.
Those who climbed the corporate ranks before the world became as interconnected as it is today may not appreciate the threats accompanying the opportunities afforded by new technology. However, it is now more important than ever for boards to be equally aware of the risk posed by cyber perils to their business as they are of strategic, regulatory and financial risks.
This doesn’t mean that every director needs to be able to outwit the hackers. Responsibility can take the shape of appointing a board member to be responsible for this aspect of risk, or making it a key element of internal audit reporting. No self-respecting company would be without a CFO keeping an eye on the balance sheet, so why should cyber security command any less attention? Ultimately, a board of directors is jointly and severally liable, so as a collective they need to be confident that they understand this risk.
While directors should assume that cyber risk is relevant to any company, whatever its business, there are some factors that increase the likely severity of a cyber breach. These include a reliance on intellectual property (IP), reliance on online services, pursuit of takeovers and, perhaps most obviously, the retention of the personal information of customers and employees.
How does this translate into a D&O claim? Surely this is what cyber insurance is for? With cyber still not bought as widely as it perhaps ought to be, employees and customers who’ve had their data stolen, or shareholders whose investments have tanked following a cyber breach, may look to a company’s directors as the culprits.
The directors of US retailer Target found out the hard way. Having been advised to buy a larger limit of cyber, they decided against it and were held liable as directors as a result.
Naturally, the exposure is heightened for US-listed companies where, for example, a falling share price after a company’s prize piece of IP has been stolen will invite the entrepreneurial legal profession in the USA to go looking for a mistake, and for someone to point the finger at who can pay the damages.
So, while cyber is an exposure you’d perhaps more immediately associate with online businesses, a director of any business is potentially exposed to its impact and should make sure that their company has the right levels of cyber and D&O cover.
For more information contact Graham Preston firstname.lastname@example.org or on 020 7953 6739