Board governance must include cyber security risk management and insurance strategy
March 2016 | SPECIAL REPORT: INSURANCE COVERAGE
Financier Worldwide Magazine
Cyber security has become a core governance issue for boards as company after company has been rocked by cyber security incidents.
Board members have fiduciary duties, which generally require them to monitor and address corporate risks – including cyber threats. Boards must strike an appropriate balance between protecting their companies from cyber security risks, while at the same time ensuring profitability and growth in an increasingly competitive economy with demanding financial markets. This requires directors to make tough cyber security choices in a complex and unpredictable legal and regulatory environment, because guarding against every avenue of potential attack is neither feasible nor a cost-effective cyber security risk management strategy.
Underscoring the difficulty boards face, in December 2015, the Cybersecurity Disclosure Act of 2015 was introduced in the US Senate. If passed, this bill would require public companies to disclose whether any board member is a cyber security expert, and if not, why such expertise is not necessary. Moreover, in 2011, the SEC issued guidance providing that public companies should disclose cyber security risks in the risks factors of their SEC filings, including a “description of relevant insurance coverage”.
Increasingly, cyber security risk management decisions that companies make have the potential to expose board members to personal liability, and directors are now being scrutinised and examined with the benefit of 20-20 hindsight after cyber security events occur. In the last two years, for example, shareholders filed derivative suits against Target, Wyndham Worldwide and Home Depot directors following widely publicised breaches at those companies, alleging that the directors failed to implement sufficient cyber security measures. Even when these cases have little or no merit, they can still be costly to defend, and some state corporate laws (such as Delaware) place limits on the extent to which a company can indemnify directors from monetary damages in the unlikely event a shareholder plaintiff prevails at trial.
Boards, therefore, are looking to cyber insurance policies to help manage their companies’ cyber security risks, and board members are looking to D&O insurance to manage their own risks as they make the tough cyber security calls.
Responding to a cyber security incident can be extremely costly, even without accounting for the damage to a company’s reputation. Those costs often increase over time as a company defends itself against regulatory investigations, consumer and financial institution class actions, and other lawsuits that frequently follow major cyber security incidents. Indeed, Target’s data breach spawned litigation that resulted in a $10m settlement in class actions brought by its consumers whose information was compromised, and a $106m settlement in the litigation brought by the banks who issued the compromised payment cards.
The SEC and other regulatory regimes are increasingly focusing on cyber security issues. The SEC brought its first cyber security enforcement proceeding in September 2015 against R.T. Jones Capital Equities Management, and in December 2015 Wyndham Worldwide resolved a civil enforcement action against the Federal Trade Commission that arose from its data breach (in addition to the extensive civil litigation it faced). In this environment, where cyber security is no longer just an ‘IT issue’ and directors are expected to be prepared to combat cyber security risks, guarding against the dangers of cyber security threats should be a core component of every board’s enterprise risk management strategy.
Although cyber policies, unlike D&O policies, are not specifically designed to insure directors and officers, cyber policies may provide some protection to directors in the event of a cyber security breach. More importantly, cyber insurance helps protect corporate assets in responding to cyber security breaches, which helps directors fulfil their fiduciary duties.
For example, cyber policies may provide coverage for the costs of notifying customers that their data has been compromised, pay for forensic investigations to uncover the source of an incident, cover crisis management services to minimise reputational damage, and also cover any third party claims arising out of a breach. Given the widespread availability of cyber insurance in the marketplace, no director wants to be in the position of being asked by its shareholders after a cyber security breach why the company failed to consider or purchase adequate cyber insurance to protect itself.
Because cyber insurance is a relatively new product, cyber policies are non-standard policies, which allow room for negotiating and tailoring the policy to the company’s needs. During this negotiation, the company should communicate with the insurer regarding preferred law firms, PR firms and vendors to use in the event of a breach and obtain the insurer’s prior consent to the use those vendors. This will eliminate the need to seek consent when the company finds itself responding to a threat, allowing the company to act swiftly without wasting time waiting on approval from the insurer. Additionally, it is important to consider any exclusions and sublimits carefully.
For example, many policies include Payment Card Industry (PCI) exclusions or sublimits. PCI assessments are a key risk that any company accepting credit cards faces, so removing these types of exclusions is critical. Similarly, companies should pay close attention to exclusions for ‘terrorism’ and ‘punitive damages’ that could limit coverage. If directors work carefully with their risk managers to tailor a cyber policy to the company’s needs, they can help fulfil their fiduciary duty to ensure their company is prepared for cyber security events.
A well-designed D&O insurance programme can insulate directors from personal liability after a cyber security incident. D&O insurance protects the assets of directors and officers for loss arising from alleged wrongful acts, and should cover attorney’s fees incurred to defend directors against allegations of wrongdoing in the wake of a cyber security breach, even if the allegations have no merit and the lawsuit is dismissed.
One potential limitation of D&O policies is that they are designed to protect against ‘claims’ (i.e., lawsuits). Depending on the policy’s definition of ‘claim’, coverage may or may not be available to directors for shareholder derivative demands arising out of a cyber security incident that may precede a derivative lawsuit. D&O policies also may contain unexpected gaps for regulatory investigations targeting directors after a cyber security breach.
Even directors who are not the target of a regulatory investigation may be on the receiving end of subpoenas or ‘interview requests’, necessitating the retention of personal counsel to advise the director on any response. These investigations may never result in a formal ‘claim’, as defined in the policy, but they can be just as costly as a traditional lawsuit to defend. Even if a claim does ultimately accrue, pre-suit defence costs may not be covered, depending on the wording of the policy. Policy definitions and exclusions in D&O policies are negotiable, and directors should work closely with their company’s broker and outside coverage counsel at renewals to maximise their protection.
Directors also should ensure that their risk manager watches for the potential addition of ‘cyber security’ or ‘data breach’ exclusions to their D&O policies at annual renewals. Most D&O policies do not contain such exclusions, but as insurers have developed new cyber policies, they have increasingly inserted cyber exclusions in traditional property and commercial general liability policies, resulting in potential coverage gaps. Because cyber security losses can trigger unpredictable types of first-party and third-party losses, directors should proactively work closely with their risk managers to avoid hidden cyber exclusions in each line of coverage the company purchases.
Such risk management strategies are paramount in today’s world of cyber threats.
Phyllis B. Sumner, Meghan H. Magruder and Shelby S. Guilbert are partners at King & Spalding. Ms Sumner can be contacted on +1 (404) 572 4799 or by email: email@example.com. Ms Magruder can be contacted on +1 (404) 572 2615 or by email: firstname.lastname@example.org. Mr Guilbert can be contacted on +1 (404) 572 4697 or by email: email@example.com.
© Financier Worldwide
Phyllis B. Sumner, Meghan H. Magruder and Shelby S. Guilbert
King & Spalding