Cyber attacks: Directors' Liability
The risk of a cyber attack is material for the majority of businesses in the financial services industry today.
Such attacks are increasingly sophisticated, widespread and disruptive.
The solitary teenager hacking out of curiosity has been replaced by criminal gangs seeking improper financial gain, and the financial consequences of an attack are correspondingly more significant.
These include first-party losses incurred by the company to restore systems, protect its brand reputation and compensate for business interruption. They also include the costs of dealing with regulatory investigations and, increasingly, third-party claims. As a consequence, cyber risk has quickly become established as a boardroom agenda item, and whether and how directors assessed this risk and put protection in place will be under the spotlight following an attack.
There are many examples of IT failures having financial repercussions in the financial services sector. On 20 November, the Financial Conduct Authority ("FCA") fined a number of banks for IT failures. The FCA identified the underlying cause as the banking group's failure to put in place adequate systems and controls to identify and manage its exposure to IT risk. In addition to the fines levied by the FCA, the banks incurred significant costs in the course of the investigation.
Shortly after the IT incident which occurred in June 2012, the FCA wrote to the chairmen of the major retail banks asking them to identify the steps they had considered at board level to assess and mitigate their exposure to IT risk. The FCA and the Prudential Regulation Authority recently initiated a second "Dear Chairman" exercise to assess how well banks are managing that exposure and, more specifically, the extent to which banks' governing bodies have formally assessed their vulnerability to a technology failure affecting services that support retail economic functions. The problems that can arise when systemically important IT functions fail were well illustrated by the recent problems at the Bank of England.
The Information Commissioner's Office ("ICO") is the body responsible for data protection enforcement. Where a data breach has occurred, the ICO may choose to require undertakings as to future conduct to be given personally by a senior board member, to ensure that the company complies with its data protection obligations going forward.
It will be critical for a company's board to be able to demonstrate both that systems have been put in place to minimise the company's susceptibility to a cyber attack and that a plan exists for responding to one if it occurs. It will be equally critical to show that those systems have been properly implemented and stress tested, and that employees are aware of them and comply with them in practice. If not, claims may be brought against directors and officers, as has already happened following the recent major breaches in the US and is now starting to happen in Europe.
Cyber liability insurance, including data breach response services, is now widely available. Considering such a policy may be a requirement of acting in the best interests of the company.
Although liability following a cyber attack or IT failure may not have been contemplated when many existing D&O policies were drafted, familiar issues will arise: of the costs incurred, which are defence costs as defined in the policy, and have they been incurred for the benefit of an Insured Person or of the Company Policyholder? Other factors to consider are:
What cover exists for the Company and what is available for the directors?
If there is insufficient cover for both, how is that tension resolved?
Are costs incurred in anticipation of a claim covered?
Should a bespoke cyber specific extension or endorsement be contemplated?
Is there a single claim arising from interrelated wrongful acts? If so, given the growing prevalence of cover on an "any one claim" basis, how will the primary and excess layers interact?
We wait to see how the European D&O insurance markets will react to these developing areas of risk.
Patrick Hill, Partner - London
Graham Ludlam, Associate - London