As we have discussed throughout this series, there is a whole universe of potential privacy and cyber risks not understood at board level, and company directors must wake up to cyber threats or risk litigation from all sides. Company directors also need to wake up to the fact that their D&O policy may not fully cover them in the event of a shareholder lawsuit arising from a privacy breach or cyber-attack. Most board members do not know about a somewhat obscure exclusion lurking in most of their D&O policies: a privacy exclusion that is often buried in the bodily injury exclusion. In addition, many D&O policies have a professional services exclusion that may inadvertently end up excluding coverage for claims against board members for failing to properly oversee security and privacy, leaving the board vulnerable.
The trend towards board liability has been slowly building. As we described in our 5th Day of Privacy post, the Securities and Exchange Commission (SEC) broke new ground by issuing guidance in response to concerns that it was hard for investors in public companies to assess the securities risks run by those companies if they failed to disclose data breaches in their public filings. The specific disclosure areas addressed were:
- Pre-attack exposure analysis
- Cyber incidents
- Exposure to the company in the description of business
- Legal proceedings
- Financial statement implications
A year later, in October of 2012, Apple shareholders made a demand on Apple’s Board of Directors to provide a report on how Apple and its board oversee security and privacy risks. When the shareholders of a company like Apple, with one of the highest market caps in technology, demand security risk assessments from their board, it should be a wake-up call for other businesses and boards of directors to understand why security and privacy issues are so critical.
The starting point is the same as it is for any other form of significant business risk, i.e. directors are generally under a duty to gain a basic but sufficient understanding of the nature of all such risks. In the realm of cyber risk, the particular challenge for boards is that the universe of potential cyber risk is broader than it is for many more tangible risks, such as health and safety.
Directors should be asking:
- What are the risks? Internal and external?
- Is the company covered?
- Am I covered? Can I get covered?
- What additional insurance products are available?
- Can the D&O policy language be customized to help prevent gaps in coverage?
The trend towards privacy and cyber risk being a board issue will only continue in 2014. Board members need to think about ringing in the New Year with an objective legal assessment of both their risks and what protections may be available to protect both the company and themselves.