Cybersecurity: Considerations for Directors and Officers

Assistant Vice President, FINRO Practice at Marsh
Senior Vice President, Asia Specialty Practice at Marsh
Cyber risks are a constantly evolving phenomenon that directors and officers have to grapple with. The recent case of a global provider of high-end cybersecurity consulting and advice suffering its own data breach further demonstrates that no one is immune, no matter how sophisticated.
The recent cybersecurity breach of a credit monitoring and reporting firm in the U.S. has demonstrated the devastating consequences that can follow a cybersecurity breach: a wave of consumer class action lawsuits resulted, including at least one very large securities class action lawsuit touted by some to be the largest in history.
Breaches in Asia
In Asia, several cybersecurity attacks have been reported in recent years. For instance, in Bangladesh, hackers stole $81 million from the central bank by hacking into an official’s computer and transferring the funds to the Philippines.
In Hong Kong, the world’s fifth largest bitcoin exchange had $65 million worth of funds stolen by cybercriminals; in another incident, personal data of 11.6 million people (including 6.4 million children) was leaked in a cybersecurity attack on a digital toymaker firm.
And last year in India, the banking system was hit when 3.2 million debit cards from at least five banks (including some of India’s largest) were compromised as hackers introduced malware in the payment services systems. Similarly, cyber breaches in Japan, the Philippines and Singapore have also been in the news in recent months.
This isn’t surprising, because when compared to the rest of the world, hackers are 80 percent more likely to target Asian organizations. It follows that cybersecurity will rank as one of the top concerns of a director or officer at any organization in the world. Cybersecurity has become a significant enterprise-wide risk that affects every organization and every individual within it.
Reputational and Legal Implications
Cybersecurity risks are now dominating boardroom conversations. D&Os have realized that the potential liabilities arising from such risks, for themselves as well as their organization, are very significant. A cybersecurity breach can wreak havoc on an organization’s day-to-day business operations and financial strength. It can destroy an organization’s reputation overnight, leading to customer attrition or worse—regulatory investigations.
Additionally, if the organization’s stock is publicly traded, a breach can cause the share price to plummet, resulting in costly shareholder litigation. The threat increases if an organization has a listing on a U.S. exchange, where there is the impending threat of securities class actions by investors and enforcement actions brought by the Securities and Exchange Commission—both have the ability to create a significant D&O liability issue. A securities class action requires the disclosure of bad news, or a misrepresentation, that causes a loss to investors in the form of a drop in the organization’s stock price. Nonetheless, some legal experts have already signaled an inevitable wave of D&O litigation following cybersecurity events.
Considerations for D&Os
D&Os are faced with the complex decisions of keeping up with and implementing new technologies within their respective organizations to ensure they are as secure as possible from the omnipresent threat of cyber risk. It is a “no win” scenario for the directors, officers and their organization. By choosing to modernize their operations, they face the emerging risks of cybersecurity breaches and fraud. If they choose not to modernize, the organization may become irrelevant and uncompetitive.
Cybersecurity risks can also have a significant impact beyond technology. They can affect new business plans, capital investment decisions, mergers and acquisitions activities, product or service offerings, and research and development processes, to name a few.
D&Os perform this delicate balancing act and make prudent decisions under the scrutiny of external stakeholders. It is imperative that boards and their D&Os commit time and resources to educating themselves and their employees on the ongoing and dynamic cybersecurity threats posed in this digital and connected age.
D&Os’ Liability Insurance
D&Os must understand the legal implications of cybersecurity risks as they relate to their organization’s specific circumstances, as a cybersecurity event can give rise to a D&O liability action. In the event of a claim against them (or against the organization itself, for securities claims), there is good basis for cover under a D&O liability insurance policy.
Any cyber loss scenario has the potential to escalate from a cyber liability exposure into a D&O liability loss if fault is established against the D&Os. Each director and officer must act in the organization’s best interests, adhere to the duties of diligence, loyalty and obedience, and promote the organization’s success over the duration of their stewardship. This is their fundamental fiduciary duty to their organization, and most notably to its employees, regulators and shareholders.
It should be noted that the cover is for protecting the D&Os of the organization should they face allegations of wrongdoing—not for the cybersecurity event itself.
While this may sound complex, in fact it isn’t. D&Os do not need to be “tech-savvy” to play an effective role in cybersecurity oversight. Just like other business risks, it requires them to have an in-depth understanding of the organization’s business and strategy models, experience in leadership, sound business judgment and, more importantly, the ability to identify which risks to accept or avoid, and which ones to mitigate or transfer through insurance.