Cyber attacks: Directors' Liability
Published 11 December 2014
The risk of a cyber attack is material for the majority of businesses in the financial services industry today. Such attacks are increasingly sophisticated, widespread and disruptive. The solitary teenager hacking out of a sense of curiosity has been replaced by criminal gangs seeking improper financial gain. As a consequence, the financial consequences are increasingly significant. This includes first party losses for the company incurred to restore systems, protect brand reputation and to compensate for business interruption. It also includes the costs of dealing with regulatory investigations and, increasingly, third party claims. As a consequence, cyber risk has quickly become established as a boardroom agenda item. Whether and how directors assessed and put in place protection against this risk will be under the spotlight following an attack.
There are many examples of how IT failures are having financial repercussions in the financial services sector. On 20 November, the Financial Conduct Authority ("FCA") fined a number of banks for IT failures. Shortly after the IT incident which occurred in June 2012, the FCA wrote to the chairmen of major retail banks to ask them to identify the steps they had considered at board level to assess and mitigate their exposure to IT risks. The FCA and Prudential Regulation Authority recently initiated a second "Dear Chairman" exercise to assess how well banks are managing their exposure to IT risk, and more specifically to what extent banks’ governing bodies have formally assessed the extent to which a bank is vulnerable to technology failure affecting services supporting retail economic functions. The problems that can occur when systemically important IT functions fail were well illustrated by the recent problems at the Bank of England.
The FCA identified the underlying cause as the banking group's failure to put in place adequate systems and controls to identify and manage their exposure to IT risks. As well as the fines levied against the banks by the FCA, significant costs were incurred as part of the investigation.
The Information Commissioner's Office ("ICO") is the organisation responsible for data protection enforcement. When data breaches have occurred, the ICO may choose to request undertakings as to future conduct given by a senior board member personally to ensure the company complies with its data protection obligations going forwards.
It will be critical for the board of a company to be able to demonstrate both that systems have been developed to minimise the risk of susceptibility to a cyber attack and a plan for dealing with one if it occurs. It will be equally critical to show that those systems have been properly implemented, stress tested and that employees are aware and compliant in practice. If not, claims may be brought against directors and officers, as we have seen with the recent major breaches in the US, and is now starting to happen in Europe.
Cyber liability insurance including data breach response services are now widely available. Consideration of such policies may be a requirement of acting in the best interest of the company.
Although liability following a cyber attack or IT failure may not have been in contemplation when many existing D&O policies were drafted, familiar issues will arise: of the costs incurred, which are defence costs as defined in the policy, and have they been incurred for the benefit of an Insured Person or for the Company Policyholder? What cover exists for the Company and what is available for the directors? If there is insufficient cover for both, how is that tension resolved? Are costs incurred in anticipation of a claim covered? Should a bespoke cyber specific extension or endorsement be contemplated? Is there a single claim arising from interrelated wrongful acts? If so, given the growing prevalence of cover on an any one claim basis, how will the primary and excess layers interact? We wait to see how the European D&O insurance markets will react to these developing areas of risk.