November 09, 2022

The unknown risk for D&Os - when cyber risks lead to personal liability


Devastating ransomware attacks, far-reaching data breaches, plus vigilant data protection authorities and the ever-growing digital threat landscape – it seems to be the perfect recipe for cyber risks to emerge as one of the top liability risks to directors and officers. But what are these cyber risks we’re talking about and what danger exactly do they pose? Read on to find out the answers to these questions, and more importantly, how to protect yourself and your organisation from similar threats.

Cyber risk has never been higher on the agenda than it is today. According to this year’s Allianz Risk Barometer, cyber incidents rank first in the list of the top 10 global business risks for 2022, outranking the COVID-19 pandemic and broken supply chain concerns – and rising by a jaw-dropping 44% since 2021 in total. But it’s not just businesses that can be affected by cyber incidents – these very same risks pose a significant danger to a company’s directors and officers too. The numbers don’t lie: 65% of directors and risk managers globally rate the risk of cyber attack as “very significant” or “extremely significant” to them or their business, according to the latest Directors’ Liability 2022 survey from Willis Towers Watson (WTW) in partnership with law firm Clyde & Co. 63% of respondents said the same of data loss. Notably, although cyber extortion was presented for consideration for the first time in this year’s survey, it immediately shot to third place on the list, with 59% of respondents citing it as a “significant risk”. Cyber risk is no longer purely a technology issue to be left to your IT teams; it can affect directors and officers personally.

The many costs of cyber risk

Directors and officers rank data loss and regulatory fines among their top 4 concerns, and with good reason: an annual study conducted by IBM Security and the Ponemon Institute revealed that the average cost of a data breach in 2022 reached an all-time high of $4.35 million, a 2.6% rise from 2021. One of the reasons behind such a substantial figure lies in the fines imposed by the EU's data protection authorities for failure to properly secure customer data. The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, fines can mount up to £18 million, or 4% of an organisation's worldwide turnover – whichever is higher.

In addition to the hefty regulatory fines just mentioned, the victim organisation is likely to incur significant costs of its own, including bringing in third-party cyber forensics to investigate the cause of the incident, implementing enhanced security measures to prevent a breach from happening again, and notifying and liaising with those affected by the breach. There are indirect costs as well, such as reputational damage, that can impact the company’s bottom line for years.

With cyber risk now recognised as a board-level issue, it is no longer rare for senior management to come under fire too when a company suffers such substantial losses. If a cyber attack hits their business and impacts its customers, employees, shareholders and other parties, directors and officers can face claims against the company and against them personally if they have made a decision or taken an action that a third party or shareholder construes as wrongdoing. Without D&O insurance coverage in place, the senior management team of a breached organisation, who may face disqualification, civil proceedings or prosecution, will potentially have to cover the cost of compensation themselves.

In the UK, directors of public companies bear responsibility for compliance with the GDPR. Failing to do so could make them personally liable. The situation gets even more complex for regulated entities. In the UK financial services sector, the Financial Conduct Authority closely scrutinises boards, and will take action if a director fails to discharge their regulatory duties as a result of a lax approach to risk management.

C-suite and compliance

These costs and responsibilities are scary, and it’s no wonder that regulators are starting to pay attention. The SEC has proposed rules to enhance and standardise cybersecurity incident reporting. Regulatory scrutiny has increased markedly on businesses whose C-suite may not previously have built cyber risk management into their governance. This is not just a discussion for the directors involved in the governance of data, but for the entire C-suite, as something that has a material impact on the value of the business to investors. The SEC requirements also focus on transparency regarding cybersecurity expertise at the executive level, evaluation of the company’s cyber risk management strategy, and the procedure for disclosing cyber security incidents.

The latest proposal from the SEC requires that “registrants must disclose material cybersecurity incidents in a current report…within four business days after the registrant determines that it has experienced a material cybersecurity incident.” This is a rapid turnaround, and most organisations are understandably averse to reporting a cyber breach that could affect their reputation and value to investors. It is therefore in the board’s interest to implement an effective and proactive cyber risk management strategy to minimise the fallout of any successful cyber breach, and to respond quickly and in accordance with the SEC guidelines.

The consequences of unchecked cyber risk

One of the continuing D&O litigation trends in the U.S. over the last several years has been the increased occurrence of shareholder derivative actions and cyber-related securities class action lawsuits against directors and officers for alleged failure to take adequate steps to prevent a breach.

A stark example of how easily data security incidents can translate into D&O claims happened just a few weeks ago in early October. A plaintiff shareholder filed a securities suit against payment technology company Block Inc. and its officers, following the firm’s announcement earlier this year that a former employee had improperly accessed and downloaded company reports in December 2021. In its 8-K report filed with the SEC in April, the firm in particular emphasised that the stolen information didn’t contain customer usernames, passwords, social security numbers or any other sensitive personal data. That statement contradicted a consumer class action lawsuit that was filed at the end of the summer against the company on behalf of the customers, whose data was compromised as a result of the internal data breach.

The result was not long in coming. A plaintiff shareholder filed a securities class action lawsuit against Block, its CEO, and the CFO, on the 11th of October. The complaint purports to be filed on behalf of a class of investors who purchased Block securities between November 4, 2021 (the date on which the company filed its Form 10-Q – a comprehensive financial performance report – in which the company made certain statements about its data security protocols) and April 4, 2022. The complaint alleges that during the class period, the defendants failed to disclose to investors the lack of adequate security protocols restricting access to customer sensitive information, and that, as a result of the breach, the firm was likely to suffer significant financial and reputation damage. It also mentions that the defendants made false and misleading statements and downplayed the severity of the incident.

Apart from extensive regulatory investigation, civil proceedings, and risk of disqualification, a director’s failure to understand and prevent risk can also entail criminal action under certain circumstances. For instance, in the US, directors and officers have faced criminal charges for insider trading after selling company stock before a data breach was disclosed to the public. The UK is not too far removed from this possibility with the Data Protection Bill introducing personal directors’ liability. The bill incorporates provisions from the Data Protection Act 1998, establishing that if an offence is committed by a particular company “with the consent or connivance of or attributable to neglect” of a director, that director as well as the company will be guilty of a criminal offence.

As the legal landscape of cyber risk and liability continues to evolve, directors and officers should take into consideration that the preventative steps they need to take will not only protect their businesses but will also protect themselves. A professionally placed D&O policy should have a response plan in place in case you are faced with cyber-related claims or investigations. However, as cyber risk management experts, at KYND we've always believed that prevention is better than cure. The main focus should be on preventing cyber attacks from happening in the first place.

If you’re on a board, how can you effectively mitigate your cyber liability exposure?

In order to avoid potentially wide-ranging, career-damaging implications like the ones we’ve just discussed, you should enhance your cyber resilience oversight and be proactive by:

Adopting cyber risk management as a process, not as a one-time solution
As the first important step in preventing cyber-attacks from happening, boards should allocate funds and channel effort into a proactive cyber risk management strategy. Continuous, comprehensive visibility into an organisation’s risk profile will enable you to stay on top of potential weak spots and remediate vulnerabilities before they become attack vectors for opportunistic cybercriminals. Given the rise and severity of supply chain attacks in today’s interconnected world, particular attention should be paid to the third-party service providers your company uses, whose inadequate cyber hygiene could become an entry point into the organisation’s systems and network. To mitigate the risk of cyber-attacks effectively, you should perform cyber due diligence before onboarding new partners or suppliers, and then implement an ongoing threat monitoring and alerting capability over their entire lifecycle.

Designating the right professionals responsible for your cyber security strategy
Being aware of the latest trends and emerging threats in cyberspace can become an easier, more effective task for you as a director if you appoint a board member directly responsible for the oversight of the company’s digital health. Some businesses decide to bring on a cyber expert just for this purpose, whilst others take it one step further and appoint a dedicated cyber security committee to oversee overall cyber and data security strategies, and ensure regular reporting of the company’s cyber risk management progress. You should also consider appointing a chief information security officer to help you develop, implement and enforce security policies to protect your valuable data.

Establishing a top-down culture of cyber hygiene
By implementing a thorough cyber incident response plan and organising training for all your staff to enhance their general cyber security awareness, you and your employees will be able to recognise and steer clear of prevalent digital perils such as phishing emails, social engineering and other employee-centric methods of attack. We also recommend that directors and officers consider involving a third-party firm to conduct regular cyber audits and implement the necessary recommendations to lower the risk of cyber incidents.

Implementing disclosure controls and procedures
If your business is a public company, you’ll have to ensure that you have effective disclosure procedures in place that enable your company to make accurate and timely statements about cyber incidents. You should also consider adding a technical expert to your disclosure committee, or building regular consultations with trusted advisors into its procedures.

Obtaining adequate cyber and D&O covers
Transferring the risk via cyber insurance is an important part of an organisation’s effective approach to cyber risk management; it provides a safety net to your organisation, as it serves as a financial buffer against catastrophic loss and the substantial costs associated with a cyber incident, as well as providing valuable post-breach support. The level and scope of cover should be carefully evaluated to ensure the cyber coverage meets the specific needs of your organisation and that those within the company who will be first notified of a cyber or data protection breach know how to access the policy.

In addition to securing adequate cyber cover, you should also get D&O insurance. This type of insurance is intended to help respond to any claims or investigations against executives personally that may arise from decisions and actions taken as part of their duties, including in the event of a cyber incident.

Following these crucial steps will not only help you protect your company from, and respond to, the ever-growing cyber threat landscape, but will also support a due diligence defence if cyber attacks lead to regulatory investigations or litigation against you personally.

How KYND can help

Sadly, cyber-attacks only continue to grow in frequency, severity and complexity – and no business is immune. To keep yourself and your company secure from this growing menace, you must make cyber resilience a top priority and ensure there is a proactive risk management strategy in place before it’s too late. This is where KYND’s next-generation cyber risk management technology steps in.

KYND provides continuous, round-the-clock monitoring and alerting as part of our preventative approach to cyber risks. Our friendly team of cyber experts also offers personalised remediation advice to help improve your cyber posture and reduce the risk of falling victim to a cyber-attack, in easy-to-understand, jargon-free language that does not require you to be an IT expert.

If you would like to find out more about how KYND’s effective cyber risk management helps you prevent falling victim to a devastating cyber attack, and avoid opening yourself up to liability, get in touch with our friendly team.