In the event of a major data breach, directors are likely to face legal action, having to prove they did everything they could to take cyber risk seriously

Part of a technology risks series supported by
AIG

Cyber

By neglecting cyber security and leaving their network to be looked after by the IT department, many company directors could be placing themselves in serious danger.

In the event of a major data breach, directors are likely to face legal action, having to prove they did everything they could to take cyber risk seriously and protect their company. For this reason, cyber is no longer an issue directors can delegate to someone else.

Of particular note is the risk of derivative shareholder lawsuits. These are already happening frequently in the US and there is a fear that many multinationals do not yet understand their exposure to this threat. The expectation is that they will emerge in Europe soon.

In June 2014, Dennis Palkon, a shareholder of Wyndham Worldwide Corporation, filed such an action against that company’s board of directors in response to three data breaches between 2008 to 2010. Similar shareholder claims have been lodged against the retailers Target and TJ X Companies (owner of brands such as TK Maxx).

These kinds of cases assert that directors are personally responsible for internal failures to prevent, respond to and report data breaches effectively. Of course, in such circumstances, many board members may take some comfort from their directors’ and officers’ cover – but exactly how these policies will respond is unclear. Some may contain exclusions around privacy that may limit or deny cover.

In this environment, risk managers need to make sure that they are working with their brokers and insurance partners to constantly re-examine and interrogate their cover to identify gaps.

In addition, when a major cyber event occurs, the main risk is of brand damage and no insurance policy can cover for a damaged reputation. In addition, individuals who have been affected – namely shareholders – may see this as a third-party attack and take action.