

Risk in Context

Cybersecurity: Considerations for Directors and Officers

Posted by Oliver Howell 29 September 2017

The Threat
Cyber risks are a constantly evolving phenomenon that many directors and officers are struggling to keep up with. The recent case of a global provider of high-end cybersecurity consulting and advice suffering its own data breach demonstrates that no one is immune, no matter how sophisticated. The recent breach of a credit monitoring and reporting firm in the U.S. has shown the devastating consequences that can follow a cybersecurity incident: a wave of consumer class action lawsuits, including (at least) one very large securities class action touted by some to be the largest in history.

Here in Asia, we have seen several cybersecurity attacks in recent years:

  • Bangladesh – hackers stole USD81 million from the central bank by compromising an official’s computer and transferring the funds to the Philippines
  • Hong Kong – the world’s fifth largest bitcoin exchange had USD65 million worth of funds stolen by cyber criminals; the personal data of 6.4 million children was leaked in an attack on a digital toymaker
  • India – 3.2 million debit cards from at least five banks were compromised after hackers introduced malware into payment services systems
  • Japan – the personal details of 7.9 million individuals were exposed when the country’s largest travel agency was compromised
  • Philippines – 68 government websites were compromised through defacement, slowdowns and distributed denial-of-service attacks
  • Singapore – 850 personnel at the Ministry of Defense had their personal details stolen in an attempt to access official classified information
  • Taiwan – thieves installed three different malware programs on 16 ATMs to steal more than USD2 million
  • Thailand – USD350,000 was stolen from 18 ATMs belonging to a local savings bank by an individual using a malware-equipped ATM card
  • Vietnam – an airline’s systems were breached and the personal information of 400,000 frequent flyers was leaked online

Source: Cyber Risk in Asia-Pacific: The Case for Greater Transparency

It is therefore not surprising that if you ask a director or officer of any organization anywhere in the world what keeps them up at night, cybersecurity will likely rank among their top concerns. Cybersecurity has become a significant enterprise-wide risk that affects every organization and every individual within it; everyone has a stake.

What are directors and officers in for in the event of a cybersecurity breach?

Cybersecurity risks now dominate boardroom conversations, and directors and officers have come to realize that the potential liabilities arising from such risks, for themselves as well as for their organization, are nearly unlimited. A cybersecurity breach can wreak havoc on an organization’s day-to-day operations and financial strength. It can destroy an organization’s reputation overnight, leading to customer attrition or, worse, regulatory investigations. If the organization’s stock is publicly traded, a breach can cause the share price to plummet, resulting in costly shareholder litigation. The threat is clearly exacerbated for an organization listed on a U.S. exchange, where there is the added prospect of securities class actions by investors and enforcement actions by the Securities and Exchange Commission (“SEC”), both of which can create a significant D&O liability issue. A securities class action requires the disclosure of bad news or a misrepresentation that causes investors a loss in the form of a drop in the organization’s stock price; even so, some legal experts have already signaled an inevitable wave of D&O litigation following cybersecurity events.

Considerations for Directors and Officers

Directors and officers are thus faced with the complex decision of how best to keep up with and implement new technologies within their organization while keeping it as secure as possible from the omnipresent threat of cyber risk. It is a “no win” scenario for directors, officers and their organization. By choosing to modernize their operations, they face the emerging risks of cybersecurity breaches and fraud. If they choose not to modernize, the organization may become inefficient, obsolete and uncompetitive among its peers.

Cybersecurity risks can also have a significant impact beyond technology. They can affect new business plans, capital investment decisions, mergers and acquisitions activity, product or service offerings, research and development processes, and much more.

Directors and officers must strike this delicate balance and make prudent decisions under the scrutiny of external stakeholders. It is imperative that boards and their directors and officers commit time and resources to educating themselves and their employees on the ongoing and dynamic cybersecurity threats of this digital and connected age; indeed, they have a fiduciary duty to do so.

A Solution: Directors’ & Officers’ Liability Insurance
Directors and officers must understand the legal implications of cybersecurity risks as they relate to their organization’s specific circumstances, as a cybersecurity event can readily give rise to a Directors’ & Officers’ (“D&O”) liability action. In the event of a claim against them (or, for securities claims, against the organization itself), there is a sound basis for cover under a D&O liability insurance policy.

Any cyber loss scenario can escalate from a cyber liability exposure into a D&O liability loss if fault is established against the directors and officers. Each director and officer must act in the organization’s best interests, adhere to the duties of diligence, loyalty and obedience, and promote the organization’s success throughout their stewardship. This is their fundamental fiduciary duty to the organization and, most notably, to its employees, regulators and shareholders.

It should be noted that D&O cover protects the directors and officers of the organization should they face allegations of wrongdoing; it does not cover the cybersecurity event itself.

In Conclusion
Directors and officers do not need to be “tech-savvy” in order to play an effective role in cybersecurity oversight. Like any other business risk, it requires an in-depth understanding of the organization’s business and strategy, experience in leadership, sound business judgment and, most importantly, the ability to identify which risks to accept or avoid, and which to mitigate or transfer through insurance.

Oliver Howell