This article was produced in partnership with CNA Canada.
Insurance Business connected with Andre Linsky, underwriting manager – management liability at CNA Canada, to discuss the convergence of D&O and cyber risk.
Directors and officers (D&O) face the risks and potential consequences of cyber exposures now more than ever. The risk of management liability in the face of a cyberattack is not a case of ‘if’ but ‘when’ for organizations across Canada and worldwide. As companies start to realize the enormity of the exposure – thanks to some high-profile data breaches and a dramatic uptick in ransomware and cyber extortion attacks - cyber has now gained a top priority spot on the boardroom agenda.
D&Os have had to navigate through a more complex cybercrime arena during COVID-19. The pandemic ushered a 360-degree shift in business operations, and many companies switched to remote operating models almost overnight. This urgent transformation intensified commercial cyber risk and placed an extra onus on business leaders, including boardroom directors and officers, to ramp up their companies’ cybersecurity.
Part of that meant ensuring that all employees working remotely had adequate cyber risk controls and training to recognize and avoid phishing scams, social engineering, and other employee-centric attacks.
“In the current cyber risk environment, it’s important for boards of directors to allocate enough effort and funds to cybersecurity,” said Andre Linsky, underwriting manager – management liability, CNA Canada. “If boards of directors fail to pay attention to this, they could be held liable for not sufficiently protecting their companies against cyberattacks. In North America, insurers have seen an increase in claims for breach of fiduciary duty by directors and officers of companies, related to cyber events.
“There are high expectations on boards of directors regarding rapid disclosure when cybersecurity events occur. Stakeholders will hold directors and officers liable for failing to comply with the different disclosure requirements that regulators require today. Directors and officers could encounter lawsuits for failing to purchase the appropriate insurance products - for example, cyber insurance. Cyber losses can be impactful, and, in the worst-case scenario, they can trigger insolvency risk, which is one of the main exposures in D&O liability insurance.”
Stakeholders often want full transparency when a cyber event occurs. They want to know what risk management procedures an organization had in place to prevent incidents from occurring, as well as details of the organization’s incident response mechanisms. Directors and officers could be held liable if their actions pre-, during, or post-incident do not meet stakeholders’ required standards.
While the challenges are great, there are many ways for directors and officers to mitigate their cyber liability, according to Linsky. He said: “Organizations should allocate funds and effort to cybersecurity by hiring experts in the field. They should implement a thorough cyber incident response plan and organize training for employees to enhance cybersecurity (against phishing attacks, social engineering etc.). Directors and officers are recommended to use a third-party firm to conduct a cybersecurity audit and implement the recommendations to mitigate the risk of cyberattacks.
“It’s important for directors and officers to make cybersecurity a business priority. Maintaining a hands-on approach, even with the guidance of an expert, is necessary to protect the business and ensure regulations are followed. By doing so, directors and officers avoid potential incidents and limit their liability if the strategy is not properly executed.”
There are various insurance products that directors and officers can use to protect their companies against cyber exposures, including D&O, crime and cyber insurance. Purchasing the right insurance products can help directors and officers to mitigate their liability exposure.
In November 2020, CNA Canada launched Epack 3, a modular management liability, technology and professional liability, cyber media and crime policy. The claims-made policy features easy-to-read policy language and a flexible policy structure, with eight optional coverage parts: directors & officers liability, employment practices liability, fiduciary liability, non-profit directors & officers liability, technology & professional liability, cyber liability, media liability and crime.
Any insured who opts to take cyber liability coverage gains access to a wide array of resources via CNA CyberPrep, a proactive program of cyber risk services designed to help companies take a holistic approach to cyber threat identification, mitigation and response.
“From a D&O standpoint, it is important to protect the business from growing exposures – more so with the prevalence of data breaches. Businesses that collect personal records or private information are liable to ensure the data is kept safe,” Linsky emphasized. “Things are going in the right direction. Underwriters today are faced with additional questions from the D&O perspective regarding coverages in the event of a cyber incident, confirming more awareness of the risks than ever before.”