A recent joint report by the House of Lords and House of Commons on cyber security and the U.K.’s Critical National Infrastructure (the joint report) stated: “It is the duty of all board members to get a little more technical – by educating themselves about the basics… of cyberattacks, cyber risks and cyber defences.”
What does this really mean and what are the consequences for directors of failing to adequately heed this warning? Also, what role does insurance have to play in mitigating these risks?
For any company that relies on computers (that is, just about any company), cyber risk is real, serious and unavoidable. Given that all company directors are legally obliged to promote the success of the companies they serve and, in doing so, to exercise reasonable skill, care and diligence, ignorance of the nature and extent of these risks is dangerous.
English courts have repeatedly made it clear that directors are not permitted to delegate their supervisory function. In other words, they must not leave it to others to ask the right questions in order to satisfy themselves that the company is being run as it should be.
Equally, courts have made it clear that directors are not guarantors of good outcomes and that their conduct should be judged by reference to facts of which they were (or should have been) aware at the time.
The benefit of hindsight must not be applied. What this means in practice is that by asking the right questions (and following up where appropriate), directors are creating for themselves the very planks of their individual liability defences in the event of a cyber incident.
Due care and diligence
So, what are the right questions? After all, cyber security risk can have an impact on share value, mergers and acquisitions activity, pricing, reputation, culture, staff, information, process control, brand, technology and finance, along with just about anything else. Fortunately, there are some excellent resources available, not least from the UK Government, specifically aimed at company boards.
How claims are brought
If directors fail to heed cyber risk, how can the company on whose board they sit claim damages? Unsurprisingly perhaps, it is the US courts that have led the way in this area.
The mechanism most commonly applied is the derivative action, in which claimants (usually minority shareholders) assert that the directors have damaged the company’s interests by leaving it vulnerable to cyber-attack or privacy breach, and that the directors should therefore be made defendants in proceedings which the company should be required to commence against them.
Although such actions are complex and rarely come to trial, they can be expensive to settle. The Yahoo data breach case, for example, resulted in a settlement payment of $29 million.
If the company becomes insolvent, directors will not face derivative actions. Instead, they may be vulnerable to attack by the liquidators, who can use the company as a vehicle to bring breach of duty claims against the directors on behalf of creditors.
Much will depend on the facts of each case but it may be possible to evidence a link between the company’s collapse and its vulnerability to cyber-attack based on directors’ failings.
Apart from their non-delegable duty to supervise a company’s activities, directors and other employees need to be alive to the risk that they will be targeted (or impersonated) by cyber criminals keen to pillage the company’s assets.
A recent report by Verizon confirms a trend toward so-called social engineering crimes, including ‘fake president’ (CEO fraud) scams, in which urgent requests (not infrequently received on a Friday afternoon) are made to transfer funds on the basis of telephone or email instructions purporting to come from a senior executive. Many companies have fallen victim to this kind of fraud, although some attempts are detected by vigilant employees operating effective systems and controls, such as out-of-band confirmation of payment instructions with the requester on an independently known number and dual authorisation of transfers.
To what extent does insurance provide a solution?
It is necessary to distinguish between insurance aimed at protecting the company’s balance sheet in the event of a cyber incident and directors’ and officers’ (D&O) liability insurance, the aim of which is to protect the directors themselves from personal liability.
Taking the former first, it is possible for companies to insure themselves against the threat of cyber-attack and data loss although terms and conditions vary widely and insurers are not prepared to provide unrestricted cover.
It is not possible to generalise as to the nature and extent of cover available and specialist advice should be sought. Interestingly though, in a recent case concerned with cyber risk, the Court of Appeal went out of its way to stress the importance for directors of giving proper consideration to the question of insurance.
In the case, which concerned the Morrisons supermarket chain, the Court of Appeal held the company vicariously liable for the criminal acts of a former employee who had maliciously published personal data belonging to its employees on the internet. (The Supreme Court later reversed the finding of vicarious liability in 2020, but the Court of Appeal’s remarks on insurance remain instructive.) In answer to Morrisons’ submission that this result was unfair, the Court of Appeal said this:
“There have been many instances in the media in recent years of data breaches on a massive scale. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts.
The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result.
The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…”
The extent to which insurance really does provide a valid answer to the Doomsday or Armageddon scenarios will depend on the cover actually in place. But there is a further dynamic in play here, of which directors would do well to take account.
The Prudential Regulation Authority’s stance on silent cyber risk
A director could be forgiven for not appreciating at first glance why a number of recent statements from the Prudential Regulation Authority (PRA, the prudential regulator for insurance business underwritten in the UK), directing insurers to properly manage their own silent cyber risk exposure, have any bearing on his or her duties to the company served.
Silent cyber risk, otherwise known as ‘non-affirmative cyber risk’, is cyber risk that is neither expressly included in nor excluded from an insurance policy. By contrast, ‘affirmative cyber risk’ is cyber risk that is expressly included in an insurance policy, for example under a specific cyber insurance policy.
In response to a request from the PRA that regulated insurers should be able to identify, quantify and manage both their affirmative and non-affirmative cyber risk exposure in the policies they issue, several insurers have already sought to ensure certainty in the policies they issue by either excluding silent cyber risk or affirming the extent of any cyber coverage.
What are the potential implications of reliance on silent cyber cover?
Many companies are now purchasing affirmative cyber risk insurance, for example, through a standalone cyber policy or via amendments to their traditional insurance policies.
For those companies that do not currently purchase affirmative cyber cover, there is naturally an uncertainty as to the extent of any cyber cover in their existing insurance programme.
Reliance on silent cyber cover within traditional insurance policies increases the prospects of a coverage dispute as insurers may question the intent of the policy in the event of a loss caused by a cyber peril (for example, a cyber-attack).
For example, is a business interruption loss caused by a cyber-attack covered in a property policy which neither includes cyber as a covered peril nor excludes it?
In a live claim situation there is scope for dispute. Indeed, there are a growing number of cases in which losses arising out of cyber perils are being disputed by insurers of traditional policies which do not include affirmative cyber cover.
How do these developments in silent cyber affect directors?
As insurers of traditional risks come under increasing pressure from the PRA to provide a clear position on their silent cyber exposures in the policies they issue, directors will increasingly need to understand the full extent of their company’s cyber risk and where the gaps in cover emerge.
As silent cover in traditional insurance policies is phased out, companies relying on silent cyber cover in those policies will be forced to act. Put another way, deferring what can be complex issues will increasingly not be an option.
While insurers go through the process that is being required of them, directors will need to consider whether their company’s cyber risk is being covered affirmatively or silently.
In the event of the latter, directors should consider whether they are content to maintain the status quo (mindful of the uncertainty this gives rise to) or whether they wish to seek affirmative cyber cover.
Cyber risk and D&O insurance
The good news is that, to date, insurers who have expressed a view on their appetite to cover silent cyber risk under D&O insurance have said they are willing to provide the cover.
The less good news is that this does not mean it is safe to assume that all cyber related exposures are in fact covered in D&O policies. With this in mind we have created the following checklist:
- Check exclusions carefully for unintended consequences. For example, exclusions for professional services, property damage, prior claims and circumstances, and fines and penalties all have the potential to remove useful and legitimate cyber cover.
- Check the definition of loss for hidden restrictions and limitations on cover, for example for pollution, which could be a consequence of a cyber incident affecting process control systems.
- Check the wrongful act definition for restrictions on the capacity in which the director or officer is covered.
- Seek loss mitigation protection in the event of an incident.
- Check regulatory investigation protection is suitable.
- Understand and, if necessary, tailor the demarcation and allocation provisions as between the entity and the individual depending on the size of the exposure.
- Be aware that sub-limits can be disguised as ‘add-ons’, even where these are expressed as additional limits.