Directors & Officers – Cyber Liability Review

In their paper Legal Risks on the Radar, Corporate Board Member and FTI Consulting Inc published the results of their survey of 11,340 directors and 1,957 general counsel where they ask for the top ten concerns for directors and general counsel.   Data Security was the number one concern for 55% of the general counsel and 48% of the directors.  Less than half (42%) of directors said their company had a formal written plan on how to deal with a data breach and 77% believed their company is prepared to detect a cyber breach.   If a director’s confidence that their company can properly react to a data breach did not come from a written plan, where did it come from?

A quick review of Chubbs’ A Canadian Guide for Directors and Officersreminds us that Directors and Officers are required to perform their duties with care, skill and diligence of a reasonably prudent person.  The business judgment rule in Canada provides that the court will defer to the business judgment of the directors if they took their decision in a reasonable manner and on an informed basis.  A written plan would go a long way to support directors should their governance come into question after a data breach.  Once management gets started on the plan they may find that they have some catching up to do when it comes to governance of data security.

The Electricity Subsector Cybersecurity Capability Maturity Model developed in support of the White House and led by the Department of Energy in partnership with the Department of Homeland Security is an example roadmap well worth review by directors and managers who want to get an idea of Cyber Security benchmarking.  With just a quick review of this model you get a sense of the scope of this issue.  For example one of the ten domains addressed in this model is Risk Management where there is a mapping of common practices.  These practices are further defined by their Maturity Indicator Levels so they can be applied in line with the organizations business objectives.  Management’s use of models like this can be of great help in satisfying directors that the “business judgment” criteria has been satisfied.

In managing cyber risk, risks need to identified and then mitigated, accepted, tolerated or transferred. For those risks that need to be transferred organizations need to buy a cyber policy as there is no coverage under your general liability policy.  Cyber policies are not standardized and wordings vary tremendously between insurers.  A presentation should include a detailed side by side comparison of features and available services to make sure that the solution is in line with your business objectives.

Gordon Collins is with Mitchell Sandham Inc, a (truly) independent company providing commercial, private client and financial services insurance.  His focus is on Commercial, Cyber & Executive Liability and he be contacted at gcollins@mitchellsandham.com or (416) 862-1750.