Cyber risk: an increasing concern for senior management
April 2015 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
“Cyber threats are an urgent and growing danger.” This statement – made in January 2015 by President Barack Obama in a high-profile speech about cyber security – highlights the fact that cyber risk has recently become a matter of global significance.
High-profile data breaches, coupled with increased governmental focus on tackling existing and emerging cyber risks, mean that cyber is at the forefront of the corporate agenda in 2015. Its importance is also evident from the way in which boardrooms are now considering cyber risk as one of their highest risk management priorities.
As well as being vital for the survival of businesses, proper management of cyber risk matters to company directors and senior executives personally: they should be aware that failure to properly manage cyber risk could also lead to personal liability – and that protection from this potential liability is of critical importance.
The expanding scope of cyber risk
A broad range of cyber risks has emerged in recent years. Many organisations are now being affected by data breaches, with prominent examples including the recent breaches affecting large US retailers. High-profile losses of data stored on portable devices have also grown in prominence and have attracted extensive press attention. Governments, legislators and regulators are also taking steps to implement laws which will hold data controllers to higher standards than ever in terms of cyber risk, the most obvious current example being the proposed EU General Data Protection Regulation.
These issues can have serious consequences from a legal, regulatory and financial perspective. Cyber risk has therefore rapidly evolved from being a peripheral area of concern into a critical business issue, which needs to be tackled at board level.
Cyber exposures facing senior management
Individuals occupying senior management roles are subject to a number of obligations and duties, whether enshrined in statute or more generally under law. At the top level, these individuals have a duty to act in the best interests of the company and, from a regulatory perspective, they need to ensure that the company has proper policies and procedures in place as well as adequate systems and controls.
What this means is that, when a cyber incident occurs, the conduct of senior managers is increasingly coming under the spotlight. As well as damage to the organisation’s business operations and reputation, third parties could suffer loss and look to senior management as well as the company itself to recover that loss. These claims may allege a breach of duty of care or breach of confidence arising out of a loss of client or customer data. Board members can also be exposed to shareholder derivative actions for breach of duty if a cyber risk is not mitigated and a cyber incident causes a drop in the organisation’s share price. Directors of US retailers that have suffered data breaches have been the subject of derivative actions of this nature.
In these circumstances, regulators might also be minded to investigate the organisation’s affairs and bring enforcement action against senior management for failure to adequately mitigate cyber risk.
In terms of the scale of the risk, a recent government-backed report suggested that 81 percent of large organisations in the UK suffered a security breach in the last year and that the average cost of these breaches doubled over the same period. While claims against senior management have traditionally been less common in the UK than in the US, this high security breach rate and increased financial impact could lead to more claims against senior management materialising in the UK in future.
It is therefore vital that senior managers protect themselves as far as possible from the potential liabilities which they face arising out of cyber risk.
Protection of senior managers
Risk mitigation. The first – and most important – consideration for senior management is to ensure that cyber risk is mitigated to the extent possible before any issues arise. This will improve the organisation’s risk profile and will, as a consequence, reduce the risk that senior managers might incur some of the personal exposures and liabilities described above.
In particular, those occupying senior management roles need to consider a number of issues. The first is whether they are aware of the full scale of the cyber risk that the company is facing. For example, does the way the company does business make it particularly vulnerable to cyber-attacks? What impact will data protection legislation have on the company’s business – for example, if it handles customer or employee data? The second issue is whether appropriate cyber security and risk mitigation measures have been put in place to deal with the cyber risk that has been identified. For example, is an information security policy in place? Has the company instituted a disaster recovery plan and an appropriate cyber risk mitigation plan? Finally, they need to consider whether the risk mitigation measures described above could be improved or optimised. Have the measures been stress-tested to indicate how well they might work in a crisis situation?
To minimise cyber risk as far as possible, senior managers will also need to work closely with their risk managers and information security officers to ensure that effective measures are in place and are being adhered to.
Protection from liability. Even in circumstances where all reasonable steps have been taken to mitigate cyber risk, there always remains a residual risk of exposure for the company as well as for senior management. In a world where technology is constantly evolving, there is no way of eliminating the risk altogether. There is also no way of preventing regulators from investigating or preventing parties from bringing claims, even if those claims are ultimately without merit. The cost of dealing with such claims or regulatory investigations can, however, be significant. An increasing number of companies are therefore looking to the insurance market to lay off the risk through specific cyber insurance policies. As far as senior managers are concerned, it is also important to be able to rely on alternative means of protection, including: (i) a contractual indemnity from the company; or (ii) in circumstances where such an indemnity will not respond, directors’ and officers’ liability insurance, which may cover many of the cyber-related liabilities which a senior manager could incur.
In the event that these two methods of protection are in place, senior managers should ensure that their terms operate harmoniously, in order to maximise the level of protection.
In a global economy that is more reliant than ever on technology, managing cyber risk is now fundamental to the continued operation of almost every business. Failure to manage the risk could not only result in regulatory action and third party claims, but the consequent reputational damage could have a significant impact on a company’s share price. In turn, senior managers are subject to an increased risk of personal exposure and liability. While the risk cannot be completely eliminated, those occupying senior positions in the world’s largest organisations are now more focused than ever on putting in place appropriate preventative measures and protective steps to mitigate the constantly evolving cyber threat.
Ffion Flockhart is a partner and Steven Hadwin is an associate at Norton Rose Fulbright LLP. Ms Flockhart can be contacted on +44 (0)20 7444 2545 or by email: firstname.lastname@example.org. Mr Hadwin can be contacted on +44 (0)20 7444 2290 or by email: email@example.com.
© Financier Worldwide