Directors and Officers: tough at the top
Directors and Officers today face a challenging environment. With tightening regulation and emerging technologies, executive liability is increasing, especially in the cyber arena. And despite an ever-increasing series of cyber-attacks on businesses (a quarter report a breach at least once a month), only 17% of firms have had their staff undertake cyber security training in the past twelve months.[1]
With this increase in the severity of attacks and the related business interruption cost, directors and officers are under pressure to adapt their procedures so that they retain complete oversight of cyber security in the face of the increased risk of cybercrime. Not doing so could leave them, or their data protection/information security officer, exposed to claims relating to misconduct, breaches of duty or negligence.
Rules around data protection are becoming more stringent. The penalties for non-compliance are severe and are increasingly having an impact on businesses. A cyber incident results not only in financial damage, from the cost of rectifying the issue to business interruption costs, but also in potential reputational harm and regulatory action.
There are a wide range of scenarios in which a director or IT Security/Data Protection Officer could be considered negligent and taken to court. One example is a vulnerable network being compromised, leading to business interruption, property damage or loss of/theft of customer data.
Growth in outsourcing and cloud computing is also creating exposures: with only 13% of businesses setting a minimum cyber security standard for their suppliers, a breach could result in litigation if the directors failed to ensure appropriate due diligence.
The introduction of the General Data Protection Regulation (GDPR) in 2018 will increase directors' and officers' liabilities for data breaches or personal data misuse in Europe. France and Italy have already taken steps to make directors liable if they fail to take reasonable measures to prevent a data breach. With some uncertainty around this area within the UK, there is potential for a case to be made that a director gave insufficient attention to cyber security.
To mitigate the increase in exposure in this area, directors should build a strong risk management culture, including encouraging sophisticated cyber and IT risk management. Cyber security should be recognised as good business practice rather than as an IT issue, within a culture that emphasises customer confidentiality.
Some insurers, including Allianz Insurance, have extended the definition of insured persons to include data protection officers under their Directors & Officers (D&O) covers. This reflects the changing needs of the market. The proposition also includes a new Employment Practice Liability helpline, which can provide legal advice on typical employment matters or grievance issues.