PUBLISHED ON: June 1, 2020
Never has senior management been faced with so many daily organizational threats stemming from computer-enabled perils. Risk management for protection of senior officers and the board has taken on new dimensions with unparalleled cybercrime and sweeping new data privacy regulations. The coronavirus pandemic compounds the challenge of maintaining computer security, as ever-growing numbers of workers follow directives to work from home.
INCREASING REGULATION AND OVERSIGHT
The enactment of regulations like GDPR overseas and the California Consumer Privacy Act in the United States has made cyber risk management increasingly difficult. Regulators now require that organizations have reasonably designed and implemented security around their online systems. The SEC continues to up the ante over board-level obligations to safeguard against cyber perils, fining some and admonishing others. In 2018, the SEC fined one public company $35 million for its failure to timely disclose (and refrain from “misleading” investors about) a massive hack of computer systems in which hundreds of millions of customer accounts were compromised. Subsequently, the same public company was forced to settle shareholder litigation for $80 million (in addition to significant legal expense incurred in defending itself, no doubt).
Previously, Home Depot had thwarted derivative shareholder litigation against it, winning a dismissal of the suit at the trial court level. Nevertheless, before appeals were heard, Home Depot relented and ended up settling after its data breach prompted not only shareholder litigation but consumer privacy litigation too. The seven-figure settlement (of a case it had originally won), plus its agreement to institute numerous cyber governance reforms at the executive level, portends a greater threat landscape for directors and officers.
THE NEED FOR D&O INSURANCE
Directors’ and officers’ insurance has already been called upon to cover the significant costs of defense representation against shareholders and regulators over cyber incidents. D&O insurance is absolutely essential when the cyber stakes rise for officer and director liability exposures. Organizations cannot solely rely upon dedicated (standalone) cyber insurance products. Directors and officers will still need their D&O insurance protection since many cyber policies may impose an express exclusion for securities claims. Thus, noticing a cyber securities lawsuit for coverage under a cyber policy will surely trigger a coverage fight with many cyber insurance companies….
Do you have other cyber-related questions you would like answered? Contact Joshua Gold.