With a rise in high-profile cyberattacks – in particular, some huge data breach announcements in recent months – it’s imperative for brokers to be pushing cyber policies on their customers.
But in addition to just buying a policy, what else can you be advising the directors and officers (D&Os) of your insured clients about to help keep them safe from suffering data breaches, and safe from facing subsequent legal repercussions?
Celebrate excellence in insurance. Join us at the Insurance Business Awards in Chicago on October 26.
Stephanie Resnick, office managing partner of law firm Fox Rothschild’s Philadelphia office and chair of its directors’ and officers’ liability and corporate governance practice group, said that corporate America is under an almost constant state of cyber war – so they need to be all over their cyber liability.
“Companies face constant cyber threats ranging from corporate espionage and the piracy of proprietary information, to digital thieves stealing funds from online accounts,” she said.
“Data breaches involving consumer information are among the most dangerous threats to companies, due to the extensive customer information held,” Resnick said. “Potential injuries to the company’s customers by the wholesale release of such information, harm to the company’s good will, and the extensive liability to which D&Os are exposed should all be significant concerns.
“Following a breach, companies and D&Os may face individual and class actions from affected consumers, employees, and financial institutions as well as shareholder derivative actions and government investigations.”
However, D&Os can mitigate their exposures. Resnick and fellow Fox Rothschild attorney, John C. Fuller, here outline some steps D&Os can take to better protect themselves:
Determine proper insurance coverage
“In selecting the proper amount of coverage and the proper deductible, the company must start with an analysis of its information assets. Determining whether the company maintains consumer information, proprietary trade secrets, or confidential client documents will inform both the types of cyber threats the company will likely face and the appropriate scope of a cyber insurance policy.”
Understand the company’s technology
“As companies’ computer systems and digital defense structures continue to become increasingly complex, D&Os must stay personally informed of corporate technologies. If questions of liability arise, D&Os who do not have an understanding of the security measures implemented may have breached their fiduciary duties, particularly if a company has not followed the appropriate data breach protocol.”
Respond to every digital security incident
“Following a breach, a central question will be whether there were systemic failures that allowed the breach to occur. Significant to such a determination is the company’s prior responses to threats and the evolution of its digital security in the face of known threats. Therefore, companies should have appropriate protocols in place under which all known or potential threats against the company, including irregularities or anomalies which may be exploratory efforts by cyber criminals, are fully documented.
“Several government agencies have taken increased interest in the adequacy of companies’ defenses to cyber threats. D&Os must be aware of their obligations to report even small breaches of their cyber security to industry-specific agencies.”
Minimize human error
“Often, it is the people, not the machines, who are the most vulnerable aspect of a company’s digital security measures. Therefore, education for D&Os and all employees regarding the company’s data breach protocols, phishing and other email scams, and the importance of keeping passwords and other account access information secure will help the company properly implement its polices and effectively defend against cyber threats and potential liability.”
Related stories:
Expert says new rules put more liability on D&O in cyber risk management
Reducing chance of cyber breaches is the first step in cyber security