Increasing digital risks as well as the forthcoming new European privacy laws are placing cyber security high on corporate agendas. In addition to taking measures of their own and taking out good cyber insurance, directors would do well to cover their own liability too. After all, they can always be held personally responsible for any consequences resulting from a cyber crime or data leak.
Companies are collecting more and more data and working in the cloud more often. These evolutions have enabled companies to work more efficiently and boosted their customer friendliness, but have also increased their exposure to malware, viruses and hackers. Whoever falls victim to cyber crime risks incurring major costs, ranging from IT staff overtime, calling in additional professionals and the cost of crisis communications to the loss of revenue due to interrupted operations or production failure.
However, cyber incidents can also be caused by human error, for example when an employee places a list with important customer information on an unsecured server and a hacker then gains access to that list. Even if the intentions were good, the consequences are substantial. In the event of a data leak, you could, for example, face claims for damages from affected customers or suppliers.
Last but not least: the legal risks are also increasing. On 25 May 2018, the new European General Data Protection Regulation (GDPR) enters into force, which means that companies which take insufficient measures to protect their data or fail to report a data leak can face substantial fines.
Digital possibilities and their associated risks have generated many new responsibilities for companies. These responsibilities can be dealt with by taking the right security measures and taking out good cyber insurance. Directors who fail to do so or postpone taking any decision in this respect are not only endangering their business, but themselves too. After all, it is not unthinkable for you to be held personally liable when a cyber incident is the (in)direct result of poor management, as various international cases have proven.
For example, the CEO of US retailer Target had to resign two years ago after a major (and partly covered up) credit card hack which had affected 70 million customers. It also happens closer to home. Several years ago in the Netherlands, a company responsible for the security of government websites was hacked. As a result of the hack, numerous fake SSL certificates were issued worldwide. Such certificates can be used to impersonate legitimate websites. The company lost its credibility in one blow and was declared bankrupt shortly after. The new owners have succeeded in holding the original owners liable, because they had failed to inform the new owners of the company’s weak security during the acquisition.
It sounds like we’re stating the obvious, and yet it’s often forgotten: cyber security begins within the company itself. Map your data streams so that you know what information is being stored and whether it is correctly secured. Make sure you include the necessary nuances and liability clauses in the contracts you conclude with customers and suppliers. Finally, make sure your company software is up-to-date. Software suppliers are continuously building new patches for shortcomings or bugs in software. Installing updates on time can save you a lot of grief.
However, even the best security cannot rule out all the digital dangers. There is always a degree of ‘residual risk’, which is why it is essential to take out good cyber insurance in addition to taking security measures. This insurance covers any possible financial claim as a result of cyber incidents and also provides advice and assistance. The IT specialists, lawyers and crisis consultants of Vanbreda Risk & Benefits provide immediate assistance to customers experiencing a hack, network failure or other cyber incidents. We are seeing more and more companies opting for cyber insurance because their partners have insisted on it. Partners don’t want to be faced with a data leak or interrupted operations resulting from, for example, cyber crime.
As such, taking out good director’s liability insurance is essential. This not only covers legal costs in case charges are brought against a director, but also covers the compensation claimed from the director as part of the civil liability.
Case law shows that courts can hold directors personally responsible for commercial and financial mistakes they or their businesses have made. The increasing number of cyber risks, as well as the administrative burden which goes with it, have emphasized the importance of this insurance.