We hear about new cyber-crime incidents on a daily basis. Thrill-seekers and professional criminals lay digital siege to companies of all sizes, and they target corporate networks especially. These networks regularly endure incursions that target sensitive documents and intellectual property; still, directors and officers often fail to treat cyber security with the same gravitas as other corporate risks.
If personnel fail to recognize the potential impact of a cyber-attack and plan appropriately, this oversight not only exposes the company to financial losses resulting from the incident itself, but can also expose the company, individual directors, and officers to management liability claims not covered under standard cyber-insurance policies.
Directors and officers have oversight responsibility to an organization. When a major failure of corporate responsibility occurs in the form of a significant loss that could have been mitigated or transferred by insurance contract, shareholders, state and federal authorities, and the public at large may take aim at management.
As companies increasingly rely on networks, the Internet, and telecommunications to run their enterprises, they must beef up their defenses against digital incursions. Along with loss of proprietary data, firms can also suffer from business interruption (supply chain, daily transactions, lack of communications during critical junctures) as well as reputational risk. After a major hacking event, shareholders and other outsiders will look at the “duty of loyalty” and the good-faith exercise of diligence carried out on behalf of the corporation.
Corporate managers and the directors who are responsible for oversight need to codify within their organizations the loss-control matters that directly relate to cyber risk. They must also understand that failure to adequately exercise their fiduciary duties to the corporation could result in personal legal action against directors and officers.
Certain strategies can help leaders protect both themselves and their company from losses due to cyber-attacks. First, appropriate policies and procedures should be adopted by management and approved by the board to minimize the likelihood or potential impact of a cyber incident. The policies should encompass all the known aspects of the current risks and preventive actions, as well as state and federal guidelines and statutes. Second, a strong cyber-insurance program should be in place. Last, a management liability policy (also known as directors’ and officers’ coverage) could be vital in the event that litigation calling management’s judgment into question occurs after a cyber-attack.
We’re all aware of hacking. It’s in everyone’s best interest to stop it before it occurs. But if all else fails, a great insurance program that also incorporates protection of the management team would be invaluable.