We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X

Risk in Context

Cyber Breaches: More Than Your Business Systems Are at Risk of Disruption

Posted by Eleni Petros September 07, 2017

The consequences to your company following a cyber breach may go beyond business interruption, with the potential for significant risk to directors and officers. Many companies affected by the recent Petya/GoldenEye cyber-attack have struggled to lift sales and recover, and, as recent cases have shown, have even seen the departure of top-level executives.

While resignations may be a coincidence, the effect that a cyber-attack has on a company can be significant, potentially resulting in millions in lost sales, as well as the cost of re-building systems and securing systems to a higher standard to prevent future attacks. 

Cyber breaches not only cause business interruption, but can also shine a spotlight over how adequately the company’s board manages cyber risk.  Therefore, disruption at board level is not unexpected.

Checking Your Directors and Officers Liability (D&O) Cover in Light of Recent Attacks

Global companies often have multiple regulatory regimes and operating environments to take into account when determining their obligations and approach to cyber risk.  Management boards should develop appropriate strategies that take these factors into account.  However, it is becoming clear that such strategies must be more than a box-ticking exercise — the management of cyber risk should now be an intrinsic part of day-to-day life for management boards. 

In order to adequately protect the directors and officers of your company in the event of cyber incidents, it is critical to ensure:

  • The D&O insurance will respond in the event of litigation alleging traditional claims for breach of fiduciary duties relating to a cyber event.
  • The limits of liability, including non-indemnifiable side-A limits, have been reviewed and are sufficient. A D&O policy should ideally provide cover to all senior individuals of the company involved in cyber-related decisions and provide broad cover for regulatory investigations.
  • You should beware of cyber extensions — these may actually diminish cyber cover for directors if not worded appropriately.

Companies of all shapes and sizes have fallen victim to cyber-attacks. Any failure by the management board to do their part in supporting a comprehensive cybersecurity programme and continually monitoring and reviewing it could lead to its members facing personal liability for breaches of fiduciary duty to the company.

 

Eleni Petros