PwC’s 24th CEO Survey, released earlier this year, found that the escalating prevalence and severity of cyber-attacks, together with changing governance expectations, director liabilities and regulatory reform, is leading business leaders to place significantly more emphasis on their organisations’ cybersecurity and risk management strategies: around 80% of the CEOs surveyed reported strengthening their cyber security and privacy infrastructure in response.
Why are business leaders concerned?
Critical infrastructure, the subject of Government reform at the end of 2020, is particularly important for ASX-listed companies and their directors. It is not only cyber policies that are affected: some Directors & Officers (D&O) insurance policies now carry ‘Cyber Endorsements’, which may affirmatively respond to cyber-related wrongful acts, may exclude them, or may remain silent on them altogether. This places more pressure on boards to build and implement robust governance strategies that protect shareholders and, ultimately, the bottom line and share price in the event of an attack.
Directors can be held responsible for failing to progress a company’s cybersecurity framework, and may face penalties if they are found to have failed to ensure the company has an adequate cybersecurity risk management plan in force, failed to respond to a known data breach within a reasonable time frame, or failed to respond at all.
Risk mitigation through Cyber and Directors & Officers Insurance (D&O)
A typical D&O policy covers individual directors and officers (often the whole board) for wrongful acts, errors and omissions arising from their conduct in their capacity as a director or officer, which can include matters relating to a cyber incident. ‘Dishonesty/Misconduct’ exclusions may remove cover for claims arising from misconduct such as wilful breach of statute, dishonest conduct or fraud; in rare circumstances, wilful blindness to cyber-related legislation could trigger such an exclusion.
While the scope of D&O exposure to cyber-related claims continues to evolve, it is critical to ensure your organisation carries sufficient D&O limits of liability. In addition, our preference is for insureds to incorporate affirmative cyber language wherever possible, so that there is no ambiguity should a D&O claim arise from a cyber incident. Areas for directors to consider within their insurance program include:
Investigation of cyber circumstances – costs incurred investigating any circumstance resulting from a cyber event where litigation is anticipated.
Investigation costs – regulatory investigations arising out of a cyber incident, and at full policy limits.
Insured individuals (policy language) – all persons involved in significant cyber-related decisions and their implementation on behalf of the company, including, but not limited to, managers and Chief Technology Officers.
Shareholder litigation – shareholder actions brought against the organisation arising from a cyber-related incident and subsequent disclosure (e.g., following a stock drop).
Policyholders must also ensure there is no broad cyber exclusion sitting across the policy, which could nullify cover.
Fiduciary Duties and Business Continuity
The Office of the Australian Information Commissioner (OAIC) recommends that organisations implement a data breach response plan, typically maintained alongside the business continuity plan. In the event of a security breach, such as a cyber-attack or theft of data, a board that can demonstrate not only that it was aware of the cybersecurity risk but also that it had activated a framework to mitigate that risk is less likely to be found in breach of its duties under the Privacy Act and the Corporations Act. A good approach is to address the following five areas of cybersecurity management, which mirror the five core functions of the NIST Cybersecurity Framework, with experienced IT professionals:
Identify – developing an understanding of the overall cyber risk landscape, including data management, the operational environment, and an effective risk management strategy.
Protect – deploying safeguards, such as access control, patching and staff awareness, to limit threat actor entry.
Detect – enabling timely discovery of breaches and anomalies.
Respond – implementing plans to effectively manage cyber incidents and contain the subsequent damage.
Recover – enabling the organisation to resume operations as soon as possible.
Embedding cyber risk management practices in the workplace
While cybersecurity is recognised as an essential part of a business’ risk management strategy, PwC’s report highlights that organisations still have work to do in training their staff to identify and manage cyber risks. Find out more about protecting your systems from cybercrime from Honan’s Head of Information Technology and member of the Zoom Customer Advisory Board, Stuart Madden.
With you all the way
To learn how D&O and cyber security policies can be tailored to meet your business’ specific needs, please feel free to reach out at any time.
Copyright 2022 Honan Insurance Group Pty Ltd ABN: 67 005 372 396. All rights reserved.