A poorly managed cyber incident could land a company’s directors in court and cause significant reputational damage. Middle market companies may benefit from reviewing their insurance policies to ensure they’re suitably covered. The days when the internet was seen as the next wild west may have faded – connectivity now comes in our phones, cars and TVs, and most of us rarely log off. But with that easy familiarity comes a dangerous complacency. Cyber security is now a worldwide concern yet analysts fear that, across many different industry sectors, some company directors are failing to take their responsibilities seriously by delegating security to IT departments, when it should be of critical concern to the board.

Facing the jury

Recent examples of how serious attacks can be are legion – from the very public exposure of stolen customer passwords and compromised accounts at Apple, Facebook and Sony, with all the associated brand damage and loss of trust, to the stories lawyers and executives mention off-the-record, including espionage by competitors leading to lost contracts and market failures.

Employees arguably pose the biggest cyber threat

If a cyber breach happens, directors could find themselves having to demonstrate in a court that they had done everything they could to take cyber risk seriously, to protect their company and therefore their customers’ data.

Viruses and hacking are perceived as the biggest cyber threat

Self-interrogation

Directors should be able to demonstrate suitable prevention and management of data breaches and ensure they are covered for all aspects of a cyber-event.

Interrogate your coverage

Good directors and officers insurance is essential. But to be effective, directors really need to interrogate and understand the product that they are buying. Key points to clarify are:

  • Exactly what is covered by your insurance and what is excluded from cover? Where are there gaps, and how can they be breached? Is this appropriate?
  • Are the policy limits appropriate for your risk profile and does the product specifically cover – or exclude – data breaches?
  • What kind of event would trigger cover and what are the reporting protocols? What needs to be reported? And to whom and how?
  • Does your policy cover derivative shareholder actions? Who controls the directors’ defence in the event of a claim?
  • In the event of a regulatory investigation, how broad is the cover?
  • How are payments prioritised?