D&O liability in data privacy and cyber security situations in Latin America
October 2013 | TALKINGPOINT | RISK MANAGEMENT
FW moderates a discussion on D&O liability in data privacy and cyber security situations between Javier Mercado at AIG, Alex Guillamont at Kennedys, and Alejandro M. Guerrero at Marsh.
FW: In your opinion, what are the key risks to D&Os arising from data and security breaches in Latin America? Could you outline any recent ‘cyber liability’ cases of note?
Mercado: When an organisation has a network security or data breach the stakes can be high, and the repercussions include crisis management response costs, potential liability, fines and penalties, and damage to a company’s reputation. As high-profile breaches are becoming the norm, boards and executives in Latin America are becoming increasingly aware of the risks and elevating information security to an enterprise-wide –as opposed to IT-only – risk management issue. Unlike other risks, cyber liability cases regularly dominate headlines across Latin America. Prominent examples include cases in Mexico, involving financial institutions, and in Chile where healthcare providers have been attacked. However, many others are reported regularly. An interesting part of cyber liability is that although key risks are quantifiable, and damage calculators are readily available, the most damaging costs are related to reputation, which is difficult to calculate. Not only are clients lost, but breaches can lead to lost investor confidence, which could have serious consequences for the breached enterprise.
Guillamont: The risks arising from data and security breaches are constantly changing and transforming around the globe. However, the key risks for D&Os mainly consist of failure to prevent unauthorised access and the use of data, identity theft, and unauthorised information disclosure. Other key risks include the fraudulent use of information, data losses associated with intellectual property infringement, viruses and hacking as well as cyber-attacks such as the denial of service attack, which aims to make a system or network unavailable to its intended user. Such risks can result in the destruction, corruption or deletion of electronic data, theft of data and, to some extent, the diffusion of malicious codes from the victims’ own network or system affecting those of third parties. Online banking theft and hacking attacks tend to be the most common cyber liability risk in Latin America. Chile has seen a decrease in cyber-attacks whilst Colombia Mexico and Venezuela have increased their reported cyber-risks incidents related to online banking theft. Brazil, Panama and Argentina have also witnessed a rise in cyber-attacks. A case of note in Colombia is that of the prolific cyber-criminal called the ‘Tsar of cloning’ who was arrested recently for having committed online fraud by cloning more than 8000 credit cards. In Brazil, the official website of the National Federation of Federal Chief Police Officers was recently hacked by defacement which is a cyber-attack on a website that changes its visual appearance. It seems that the hackers obtained confidential usernames and passwords that were initially intended to prevent unauthorized access to such website. The hackers wrote a Montesquieu quote in Portuguese on the website that reads “whenever the savages of Louisiana want to reap a fruit, they cut the tree down at the root and catch it. Such is despoticgovernment”. At the same time, the number of cyber incidents targeting governmental systems infrastructures, especially by denial of service attacks, is also of particular notein Mexico.
Guerrero: In general, Latin American companies tend to be lenient when it comes to ‘cyber security’ and although appropriate firewalls and other security measures are properly set up executives, in general, believe such protections are sufficient in themselves and therefore disregard personal security practices when writing or transmitting confidential or sensitive information. The wide array of communication systems – such as email, whatsapp, linkedin, podcasts, facebook, twitter – have different levels of intrinsic security, and rules of distribution and publicity, creating an extraordinary exposure just a keystroke away. Most cases of cyber liability end with profound embarrassment, companies apologising, eventual loss of clients, or job terminations, however, certain recent cases have gone further with third parties demanding compensation for damages or reparation of reputational damage.
FW: What steps can D&Os take to prevent data breaches and cyber intrusion? What are the particular challenges and costs associated with mitigating these risks?
Guillamont: In conjunction with the government, the D&Os of private companies should approach cyber security data breaches from a preventative angle. The enactment and enforcement of adequate legislation by the governments as well as robust cyber security policies within private companies would assist the efforts on prevention. Such measures should be accompanied by the appointment of experienced cyber-crime prevention officers who can protect networks and manage cyber incidents as they unfold. Continuous support to increase the level of cyber security awareness within the company and citizens is another measure that would assist to tackle data breaches before they occur. The main challenge for both D&Os and governmental officials is to mitigate cyber-risks which are continuously evolving. Everyday companies and governments face tougher viruses, spyware and other malicious content affecting their cyber assets along with the unceasing development of cyber-attack techniques intended to breach data security. Another challenge for D&Os is the ability to coordinate the interaction of economic, regulatory, technological and managerial aspects of cyber-risks. The costs associated with cyber-risks range from legal fees, costs of security-monitoring systems, fines, penalties, indemnities to third parties, restoration and recovery of data as well as crisis management costs, including the cost of notifying third parties that a data breach has occurred.
Guerrero: The obvious actions relate to ensuring technological protection to avoid cyber intrusion, but clearly they are insufficient provided most cases are involuntary actions taken by the people themselves that in haste or disregard for potential exposures send messages in open public systems or to the wrong destination. Executive training under the concept that ‘every mail is public’ is the only way to warrant the highest level of protection for directors and officers.
Mercado: The board of directors has a fiduciary responsibility to ensure there is a robust corporate governance framework to protect the firms’ intellectual property and information assets. They do not need to be IT experts, but they should understand the magnitude of the information their company holds, where it is located, how it is protected, and the priority of the information for hackers. It is also suggested that they analyse the potential impact a breach could have on their organisation, and actively contribute to the design and implementation of a program to prevent breaches and prepare the organisation to respond properly if one were to occur.
FW: How should firms in Latin America respond when they fall victim to cyber-crime? What steps should D&Os in particular take in the early phase following such an occurrence?
Guerrero: Cyber crime is in itself only one of the potential exposures and perhaps the least of which D&O’s should consider. For that exposure the hiring of cyber specialists that ‘beef-up’ the security aspects of the internet and communications network is the most important aspect. However, having your network hacked is only the first part of the exposure. The content of the information accessed by far the most important factor that can create D&O exposure. The key is to add protection practices to all communications of sensitive or controversial information. Specific encryption, restricted delivery applications and other individual practices that D&O’s use grant a higher level of protection that firewalls can’t give. If a hacker accessed a mail that had a cooking recipe sent from one manager to another, the information is useless, however if they hacked into a strategic offense plan to gain market share, this information is extremely valuable.
Mercado: The company should have an incident response plan in place that provides a framework on how the organisation should respond to a breach. The plan should be tested regularly, and updated accordingly to ensure it is current. The incident response plan should include internal contacts that span the relevant departments within the organisation, including legal, marketing, IT, operations, and external contacts that may need to be brought in from a legal, computer forensics, and public relations perspective. Typically, an outside law firm is first engaged to coordinate activity between internal and external stakeholders and provide guidance on notification requirements and contacting law enforcement or relevant authorities. In Latin America and elsewhere, organisations that are prepared to respond when an event occurs are able to react faster, with minimal financial loss and less damage to their brand integrity and reputation than firms that are ill-prepared.
Guillamont: If a cyber-loss should occur, the company should have a support recovery protocol in place and a crisis management team ready to investigate the occurrence, report the incident to insurers, if any, and liaise immediately with governmental authorities if necessary or required. It is also a good practice to fully investigate and report internally on security breaches as an incentive to correct any security glitches in the future. However, it is not unusual for cyber breaches to go undetected for long periods of time. Thus, one of the best and usually most cost effective approaches is actually to work on risk prevention before the risk materialises because prevention normally lowers the cost of mitigating the consequences after the risk has occurred. Cyber-risk prevention enhances the defence of companies against cyber-attacks and mitigates damages that could grow exponentially given the large numbers of online users. As such, the companies of the region should evaluate their exposure to cyber-risks and determine their budget for cyber-crime prevention tailored to their business needs. This should be followed by strict security practices along with a reputable suite of security software, automated routine security scans of the systems, strict requirements for employees accessing the company’s database and the like. Currently, D&Os of companies in Latin America are increasingly aware of the need to seek advice from cyber-risk advisors like risk managers, insurers and lawyers before and after a cyber-risk incident.
FW: What legal and regulatory issues are affecting the ways companies manage data and approach cyber security? How constructive, in your opinion, is government guidance regarding cyber security risks and cyber incidents across Latin America?
Mercado: The legal environment regarding privacy in Latin America is evolving rapidly. The majority of countries are enacting or drafting data protection laws. Many countries have already implemented a series of data privacy regulations and some, like Brazil, are working to enact comprehensive data privacy laws. Unlike other global jurisdictions, the Latin American legal landscape can vary considerably from one country to another. Due to this lack of legal uniformity, companies should be aware of the laws and how they differ from one country to another. Management should review procedures and modify privacy practices to be compliant with each country’s regulations and requirements. This is especially important when companies have cross-border data collection, data storage and data transfers, which may create ambiguity across borders.
Guillamont: The increased frequency of attacks has led to improvements in cyber security policy by both the governments and companies of the region who have adopted cyber-crime frameworks and supported by expert advice. There are some countries like Brazil that approach cyber-risks as a national security defence issue, while others like Colombia focus on the economic impact of such risks. Mexico’s approach to cyber-risks is a mixture of both attitudes. For instance, Colombia became pioneer in the region by adopting a comprehensive national cyber security and defence strategy, followed by countries like Chile, Mexico, Panama and Peru. Brazil is currently considering passing a bill that would require foreign companies to store all data concerning Brazilian residents on servers located in Brazil as a consequence of the recent alleged espionage by the US government. Brazil is also currently discussing with Argentina possibilities to make joint cyber defence plans to protect data and privacy. Mexico is additionally focusing on stimulating specialised training for incidents response technicians whilst countries like Argentina and Panama are developing protection plans for their respective digital assets. Most countries in the region are fostering partnerships amongst them and with businesses to act together and coordinate their approach to tackle cyber-risks as well as working on increasing the awareness of cyber-risks, especially at the corporate level.
Guerrero: Although many governments have passed ‘information security laws’ related to cyber data, clearly companies cannot rely on government guidance for cyber security risks. Even if a company’s information is properly protected by laws, the breach of confidentiality that causes damage to a third party due to the content of the information that was made illegally public is still a liability that the company cannot excuse itself from. Recent cases involving Wikileaks and other illegal informants have proven that the source of the information, although illegal, does not limit in anyway the liabilities emerging from the content of the information that has gone public.
FW: What insurance solutions exist for D&Os, in connection to cyber security and data breaches? How aware are D&Os of the existence and the availability of risk transfer options? Are these options being discussed at the CIO and/or CFO level, or by the board of directors of Latin American companies?
Guillamont: Traditional property and general liability policies have proved to be insufficient to cover exposures arising out of cyber-risks. This gap in cover along with D&Os’ increased concern with cyber-risks in the region has led many major insurers to market policies adapted to cover technology exposures according to each company’s business operations and in connection with the specific roles of D&Os. This cover is being offered to all kinds of companies from businesses that merely have a website to software development companies. When it comes down to cyber-risks, there is practically no bullet-proof company. These policies mainly address the failure of D&Os to perform duties, specifically with respect to their obligations to protect the companies’ cyber assets. Such cover generally includes first and third party financial loss arising out of negligence of D&Os, as well as costs to settle or defend litigation from customers, employees or other claiming third parties as it could be the case for example when identity theft occurs as a direct decision or omission of a director or an officer. Such policies also tend to cover costs to settle regulatory investigations and response to regulatory laws as well as costs intended to protect the image of the company as a result of the D&Os’ negligence in respect of damages caused to the public or customers by cyber-risks. D&Os are generally aware of the risks arising out of hackers and cyber-criminal activities mainly due to the publicity impact it has on their business, let alone the financial impact that a loss of such nature would cause to the finances of the company. Insurers have started to raise awareness amongst D&Os of the importance to transfer such risks that may be mistakenly understood to be covered under general liability or crime policies.
Guerrero: It is becoming customary to see certain limited endorsements in D&O policies, however they are not absolutely necessary. Cyber crime should be protected by cyber risk insurance. The liability arising for revelations of internal communications, should be considered, from a D&O perspective, in the same way as any D&O’s declaration. If it causes, truly or potential damage to a third party, it should treated as any form of erroneous act committed by a D&O.
Mercado: Although cyber insurance has been around for over 20 years, in Latin America it has only been introduced recently and, while in its initial phase, it is growing exponentially. The good news is that Latin America is benefiting from the evolution of cyber insurance in global markets and the product today provides robust protection for security and privacy liability, event and crisis management, network interruption, and cyber extortion.
Carnegie Mellon releases a report every two years that discusses how D&Os are managing cyber risk. One of the surprising findings in the most recent version is that, despite the financial impact that breaches can cause, 57 percent of boards are not reviewing insurance coverage for cyber risk. Many organisations remain unaware that cyber insurance is available, and cyber exposures are not typically covered under traditional insurance policies. It’s important for boards to discuss potential exposure with their insurance brokers to make sure they’ve addressed coverage gaps.
FW: What are your predictions for the cyber security landscape over the next 12-18 months? Doexpect any further regulatory or legislative changes, and what will be the impact on D&Os?
Guerrero: Due to cases that are becoming public, I believe the most important step forwards will be for firms to upgrade their executive training in the use of technological communications and personal security concerns, when any statement or information is transmitted.
Mercado: We expect to see incidents continuing to evolve as criminals use multi-prong attacks to gain access to systems. This is a global trend from which Latin America is not immune, and the increase in hactivisim, coupled with state-sponsored activity – advanced persistent threats – creates a dangerous environment for businesses. To ensure organisations are protected, we also expect board of directors and C-level executives to get ahead of the curve by proactively assessing and addressing their cyber exposures before regulators respond with additional oversight and network security and privacy mandates and become further compelled to assess fines and penalties against organisations that have been breached. Cyber security will continue to evolve and be a topic of further discussion in all board of directors and top management agendas across Latin America for the foreseeable future.
Guillamont: Players in the cyber security landscape have the difficult task of keeping pace with cyber-criminal organisations that constantly evolve their techniques and share their experiences and mistakes on a cross-border basis. As such, governments and D&Os concerned with cyber-risk should be constantly vigilant to monitor the ever-evolving tactics and adjust their defences and risk-transfer methods accordingly. In the long run, the apparent lack of interest that university students seem to have for technology-related careers, if one looks at the enrolment figures, may worsen the already low percentage of skilled and trained personnel required to address cyber-risks in Latin America. On the other hand, the region has become a safer and more attractive environment for professionals of other parts of the world so there may be a brain drain from Europe and Asia to Latin America if local companies are prepared to offer competitive salaries. Latin American governments are investing more on cyber security despite the budgetary constraints and shortage of specialised knowledge. It is expected that governments throughout the region will mainly focus on raising the awareness of secure cyber habits. Governments are also expected to continue their efforts to coordinate information sharing devices among public agencies and private companies, for which D&Os’ involvement will be pivotal.
Javier Mercado is regional vice president at American International Group, Inc. (AIG), leading the Financial Lines business for Latin America. He oversees D&O, Cyber, Professional Indemnity, and ancillary management liability lines for the region. Mr Mercado is a CPA, Certified Insurance Counselor, has an MBA from the University of Central Florida, and has attended executive programs at Northwestern’s Kellogg Graduate School of Business, in addition to Wharton’s Mergers and Acquisitions Program. He can be contacted on +1 (786) 777 7497 or by email: email@example.com.
Alex Guillamont is the head of the Miami office of Kennedys for Latin America and the Caribbean. His expertise includes policy drafting, coverage and claims advice for insurers and reinsurers writing a wide variety of risks in the region, including Financial Institutions and cyber-risks. Mr Guillamont has received several industry awards, including LATAMIR Power 50 for the Latin-American insurance sector most influential professionals. He can be contacted on +1 (305) 371 1111 or by email: firstname.lastname@example.org.
Alejandro M. Guerrero is managing director of Marsh and chief operating officer for Marsh Argentina. He is also regional Financial & Professional (FINPRO) leader for Latin America & Caribbean and a member of Marsh's FINPRO Advisory Board. Mr Guerrero studied Law at the University of Buenos Aires and has been in the insurance industry for over 26 years. His experience in the D&O, Professional Indemnity, and Financial lines of insurance have earned him great recognition with insurers and clients throughout the region and world. He can be contacted on +54 11 4320 5928 or by email: email@example.com.
© Financier Worldwide
Guerrero at Marsh