What could a director's liability be following a cyber breach?
Written by Candice Sutherland (@Lady_Liabs)
A breach is an incident in which sensitive, protected or confidential information is either stolen, copied, transmitted, viewed or used by an unauthorised party.
This data could be the company's own (intellectual property), third-party data (clients, suppliers, contractors) or employees' private information, exposed either electronically or in paper format.
In 2017, the phishing rate in South Africa was the highest in the world, and one in every 785 e-mails was a phishing scam. According to the Ponemon "2017 Cost of Cyber Breach Study", South Africa showed the following alarming statistics:
* R1 632 is the average cost per lost or stolen record.
* The total average cost of a cyber breach was R32 million.
* Malicious attacks (43%) and human error (29%) caused most cyber breaches.
Ultimately, a company's financial, reputational and operational success rests on the board of directors and these directors undertake to manage the business with due care, skill and diligence. Expenses such as incident response and remediation costs could be crippling for any business, but perhaps the most onerous would be the consequential loss of bottom-line revenue as well as the reputational damage to client, customer, patient and employee relationships.
It is extremely difficult, if not impossible, for anyone who doesn't work full-time in cyber security to keep up with the ever-changing threat landscape, and directors are being named as defendants in costly and intrusive litigation. A statement or claim of an insufficient understanding of the risk would not be a reasonable defence.
* Fiduciary duties: Directors' fiduciary duties have been codified by the Companies Act No 71 of 2008 (Companies Act), and a breach of these duties could lead to claims being brought against directors and executives in their personal capacity. The Companies Act further states that any person who contravenes any section of the Act is liable to any other person for any loss or damage suffered by that person as a result of that contravention.
* Right to privacy: Depending on the nature of the contravention, directors may face fines, administrative fines, penalties and even imprisonment according to the Protection of Personal Information Act 3 of 2013 (POPI).
* Regulatory action: Depending on the regulatory framework and industry within which the company operates, complaints can be made to the Companies and Intellectual Property Commission who will then investigate and allow action to be taken against a company or its directors.
* Technology and Information Governance: According to Principle 12 of King IV, the board must ensure that the IT responsibilities are: managed; appropriately resourced; and sufficiently defined.
* Clients: Clients affected by a cyber breach can hold the business' management and board of directors accountable on the basis that they failed to address weaknesses and loopholes in their systems.
* Shareholders: Following a breach, shareholders can sue directors for the decline in share price, the costs involved as well as reputational brand damage.
A few corporate governance steps that the board could implement to protect its directors are:
* Board meetings. Ensure that cyber security and data privacy matters are appropriately addressed at board meetings; this could include, but should not be limited to:
  * ensuring an understanding of data security legislation such as POPI, GDPR etc., and how it impacts the organisation;
  * seeking expert advice around technical upgrades;
  * implementing reporting and monitoring requirements in the event of a breach; and
  * the appointment of competent and qualified staff members such as a CPO, CIO and data security officers.
* Employee education. It is reported that 29% of cyber breaches were caused by human error. Maintaining a high level of cyber awareness and implementing strong security practices decreases the possibility that attacks such as phishing scams are successful.
* Disclosure obligations. Understand your disclosure obligations, as failing to meet them will increase the risk that clients may bring an action against the board and the company.
* Breach planning. Ensure that staff are properly prepared for a cyber breach; for example, have printed copies of your breach response plan readily available (not only saved electronically, since in the event of a denial of service attack you would not be able to access your systems).
* Intrusion detection. Do you have systems, software and personnel available to detect a breach promptly?
* Vulnerability scans or penetration tests. Hire third-party consultants to audit your systems and ask for recommendations to improve your network.
* Insurance. A fundamental aspect of good corporate governance and a resilient risk mitigation programme would include a cyber insurance policy as well as a D&O policy to protect the personal assets of directors.
Cyber insurance, more than any other insurance, allows access to the correct channel of service providers needed to recover fully from a cyber incident. The triggers of the ITOO cyber policy are a privacy breach or a network security breach, and the policy will provide cover for:
* Costs to respond to a systems security incident, including incident triage, forensic investigation, legal, crisis communication, public relations and credit monitoring;
* Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident;
* Defence and settlement of liability claims arising from compromised information;
* Defence and settlement of liability claims resulting from a system security incident affecting systems and data as well as causing harm to third-party systems and data;
* Loss of income and increased cost of working as a result of a systems security incident;
* Fines and penalties to the extent insurable by law;
* System downtime and consequential loss of earnings; and
* Costs to investigate and mitigate a cyber extortion threat and if required, costs to comply with a cyber extortion demand.
A directors and officers (D&O) policy is structured as follows:
A. Directors and officers: Provides cover for non-indemnified events, i.e. protects a director against personal liability or expenses not paid for by the company, and advances defence costs.
B. Company reimbursement: Reimburses the company when the company has indemnified a director for an insured event, including any defence costs and expenses.
C. Company securities: Cover for the entity where it is joined as a defendant with the directors in respect of actions relating to breach of securities regulation.
(An officer is defined as any employee in a managerial or supervisory capacity as well as the company secretary).
Please speak to your insurance broker about obtaining quotes from ITOO Special Risks for these products.
ITOO is a special risks underwriting management agency focused on liability, special and emerging risks underwritten on the Hollard Insurance licence. www.itoo.co.za.