Date: Thursday, January 11th, 2018 by Aneesah Atallah Frost.
Cyber risk is a multi-faceted and dynamic topic which is evolving as swiftly as the development in technology. In recent years, it has emerged as one of the tops risks faced by corporations and governments across the globe. As has been observed by experts in various fields, a single solution approach may not be adequate to address this risk but rather it needs to be approached from various angles to create an holistic response. We discuss below some of the key measures to be taken into consideration by a company and its board of directors
As is evident from the fallout of the high profile cyber-attacks in the recent years, the role of the board is critical in identifying and managing the cyber exposure so as to limit its impact on the business. For instance, the cyber-attack on the Target Corporation in the US in 2013 which affected over 41 million of the company’s customer payment card accounts resulted in settlement and other breach related expenses in hundreds of millions of dollars. Additionally, it led to drop in its share prices, reputational issues and derivative action against the directors. The recent Uber admission that it had suppressed a data breach by hackers has set in motion government investigations across the globe and the pecuniary, business and reputational outcome of this are still awaited. Therefore, any belief that IT security can be handled by the IT team of a company with an absence of adequate policy guidance and support from the board of directors, is a misnomer that, in the event of an attack, could have serious consequences on the balance sheet and reputation of the company.
From a legal perspective, the new Companies Act, 2013 in India has brought a sharp focus to the corporate governance practices. In particular, section 166 of the new Act for the first time lays down the fiduciary duties of the directors, for example, the duty of a director to act in good faith in order to promote the objects of the company for the benefit of its members, and in the best interests of the company, its employees, its shareholders, the community, and for the protection of environment.
Such a provision creates statutory grounds now available to the shareholders of a company and other affected parties to pursue relief if the directors have not acted in the best interests of a company. A recent derivative action brought by a shareholder of a company against its director for breach of duties, in the matter of Rajeev Saumitra v. Neetu Singh, has been upheld by the Delhi High Court. In this judgment the Court ordered the director to pay the undue gains realised as a result of breach its duties to the company. It is not hard to see the implications of this provision and the judgment and how the principles can be applied to matters involving breach of any duties by the directors. Additional relief is available to the shareholders by way of class action under section 245 of the new Act, albeit this provision is yet to be tested and, under section 241 of the new Act for minority shareholders (which was employed in the legal action brought by the minority shareholders of the Tata Group).
The regulators of the insurance and banking sectors in India have laid down the cyber securities practices that these industries are expected to adopt in order to protect the interests of the companies and their customers.
Tightening corporate governance practices across the board are putting in place a groundwork that can lead to serious legal implications in the event of breach of responsibilities. Therefore, in our view, a board cannot afford to ignore the legal, financial and reputational implications of a cyber breach, and it needs to be proactively involved in the management of this risk i.e. identifying the risks and putting in place a robust cyber security structure, training personnel to ensure correct compliance with procedures and ensuring that relevant insurance framework has been created.
For the leaders who are aware of the threats that surround them, one of the most difficult decisions to make is to figure out exactly how much money needs to be spent to make their company secure. What is that magic figure, if there is even one? What is the level of security that the company needs? How much needs to be invested in getting there? How do you as a leader track the investments that go into cyber security? Typically, chief executives complain about those in charge of IT security in their company asking for more funds to counter newer threats and to make fresh investments in security products. It is a huge concern for them considering the money that is being asked to be diverted is the money that could directly bolster the bottom line. There is absolutely no perceptible return from investing money into cyber security, until there is. What do we mean by that? Being a more secure company that demonstrably cares for user data and can repel attacks will soon become a selling proposition. With the glut of news of breaches, people are becoming aware of the perils of a digital world, and want to be associated with brands that are actively seen as protecting themselves and the interests of their users. Eventually, we expect this to be as crucial in the consumer decision-making process as the idea of trust which has come to define our choices when it comes to sectors like banking. Take the case of Singapore-based DBS bank that has invested massively into cyber security and clearly has benefited from making sure that the public knows that it takes cyber security investments seriously. Positioning itself early as a leader in cyber security, it has stolen a march over its rivals so much so that their advertising boldly makes the claim that they are “Asia’s safest”. In other words, cyber security is quickly changing from a good to have, to a must have spend in the P&Ls of organisations where they can further use to boost their top line.
Today, there is much fear-mongering on cyber security. Not all companies need to have the highest levels of cyber security. For example, a financial-services company would obviously always need to have a much higher level of security than a company that makes utensils. Measurability of cyber security will help companies identify the level of preparedness they must aspire to in relation to their sector. The broad heads of controls need to be put under people, process and technology to proactively secure, continuously monitor and reactively respond to cyber threats to a company’s technology stack.
In addition, to recognising the role of board of directors and robust security measures, the risk can further be minimised by placing adequate insurance policies. However, it would be important to bear in mind the need to create a bespoke insurance programme that addresses a company’s specific requirements rather than putting together a patchwork of insurance policies which may be entirely ineffective in the event of a claim and, to avoid the trap of price over quality of provider and suitability of coverage for the company.
Whilst cyber insurance has become a popular and obvious solution to cyber risk, it is also a product on which not all the advisers and providers have the skills and experience to properly advise as it is new and constantly developing. In a typical situation a company is likely to receive advice to augment the cyber insurance policy by other insurance covers such as crime and professional indemnity to ensure that different risk trigger points are picked up by such policies, or it may be a contractual pre-condition for a company. In such a situation, a clear temptation is to see how many of such covers can be blended to manage costs.
For example, a developing trend in a developed market like Australia is the blending of cyber insurance cover into professional indemnity and crime programmes. Such trends are also present in India. On the face of it, such an integrated product may seem to tick boxes. Companies believe they are saving on insurance spend and risk and insurance managers are able to respond positively when asked by their boards and senior management: ‘do we have cyber insurance?’.
We see this most commonly in the PI/Crime programmes of financial institutions but it also common with technology and telecommunication companies. While the ‘cost’ saving may make the blending attractive at face value, there can be serious issues for the client when it most needs the cover, as the product may not function as expected or even not be available at all. As background to this, it is important to appreciate that professional indemnity/liability claims usually have a long ‘gestation’ period between the notification and actually payment. In contrast, the same ‘gestation’ period for first party cyber losses (say breach notification costs or BI cover) can be a very short period of time (months sometimes).
As an example of what may happen, let’s take the example of a bank holding a $100m PI/Cyber/Crime tower with that annual limit being dictated by the terms of contracts in place with clients. The size of the limit is usually driven by the PI exposure. However, If there were to be a catastrophic data breach experienced by the bank or technology client (which has become increasingly common in recent times – just search ‘bank’ and ‘cyber breach’), leading to a loss under the ‘blended’ cyber/PI/Crime program, the loss could actually erode the entire tower in a matter of months. The result of this could be that the company no longer has ANY cyber, professional indemnity or crime cover available. This in turn will mean they are no longer complying with the contractual requirement to hold $100m Professional Indemnity cover. At worst, the client would be in breach of contract and its clients have the right to terminate. At best, the client may have to buy an expensive reinstatement of limit. For most companies and their management, losing major contracts or incurring significant extra spend as a result of poor insurance buying behaviour would clearly be outside shareholder expectation!
In addition to these covers, attention should also be paid to putting in place an adequate directors and officers insurance cover so that any claims made against the senior management are planned and managed. In view of the developments discussed above, it is also worth considering if we will start to see D&O insurers applying ‘failure to maintain cyber insurance’ exclusions on policies. In a situation where a loss related to a cyber incident has a material effect on shareholder value then litigation will ensue, especially if there is a lapse on the part of the board to insure against it. This is likely to be taken into consideration by insurers to manage their cyber exposure, which in our view could be on a scale as catastrophic as asbestos (in terms of potential effect on the insurance industry).
In conclusion, cyber threat is a very real one and is growing. It may be difficult to plan for and address all the complexities arising from this issue, however, in our view, proactive management involvement, adopting robust security measures and creating a bespoke insurance programme together with increasing employee awareness of the risk are some of the essential steps that will assist a company in planning for cyber risk in a pre-emptive and effective manner.
Contributions by: Joel Pridmore, Asia Pacific Underwriting Manager, Speciality, Corporate Insurance Partner, Munich Re Group, Saket Modi, CEO of Lucideus Technologies Pvt Ltd, Richa Shukla, Partner Khaitan Legal Associates.
Our vision and focus is to use the strength and depth of our company to help our clients reduce the time and money they spend on managing risk. If you need a global group of legal advisers, delivering a creative, commercial and specialist service, talk to Global Insurance Law Connect today.
Contact: +44 (0)20 7029 4238