For Company Directors, Cyber Risks Generate Growing Liabilities

Management Liability Insurance
The Knowledge, 2nd July 2024
Cyber crime continues to be a prevalent and costly concern for businesses. The UK government’s 2024 cybersecurity breaches survey found that among the 50% of businesses that identified any cybersecurity breaches or attacks, 44% of businesses ended up being victims of cyber crime. Company directors are giving the problem increased focus as a result, with three-quarters of businesses reporting that cybersecurity is a high priority for their senior management. These figures are even higher for medium-size businesses (93%) and large businesses (98%).[1]
As part of company directors’ duty to act in the best interests of their business, they are responsible for embedding cyber resilience into all areas of their organisation – and they face growing liabilities if they do not.[2] The liabilities include regulatory fines and other penalties for failing to manage cyber risk, as well as class action lawsuits that can occur when cyber breaches result in the loss of critical data and damage to a company’s reputation.
“Directors have the duty to make sure they understand cyber risk and the controls needed to mitigate it,” said Graham Constable, managing director of Management Liability at Travelers Europe. “They need to have a cyber risk reporting framework in place, ensure board oversight of it, and confirm they have the right insurance policies in place to provide necessary protections in the event of an attack.”
Cyber insurance and directors’ and officers’ insurance have complementary but separate roles here. A cyber policy can respond to the cyber event and provide access to experts who can help contain risks in the moment and get the business back up and running. A directors’ and officers’ policy can protect a company’s leaders against potential follow-on litigation from regulators or shareholders if the organisation experiences an attack.

A shifting landscape for cyber liability

Post-breach litigation is an increasingly common occurrence around the world. The US, for example, is being proactive with litigation against companies that don’t have the appropriate cyber reporting framework in place. Since 2017, there have been 37 securities class action filings in response to data breaches.[3] In late 2023, the Securities and Exchange Commission (SEC) filed a landmark civil enforcement action against the software company SolarWinds, as well as its chief information security officer, alleging the company repeatedly misled investors by minimising the company’s cyber vulnerabilities and the ability of hackers to infiltrate the company’s systems.[4]
New regulation is aimed at holding companies more accountable.
“In just the past six months, the SEC introduced a cyber reporting framework that US-traded companies have to follow,” Constable said. “The US isn’t alone here either. In Australia, there has been an increase in litigation following cyber attacks.[5] As the risks grow in jurisdiction and frequency, they will continue to be important factors for boards to monitor and manage.”
That’s especially true if there are personal consequences for company directors following a cyber attack on their organisation. In a recent article for The Times, Lawson Caisley, a partner at the law firm White & Case, said it could become more common for UK directors to “face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach.” He cited two actions against company directors in response to their management of a cyberbreach and failures to protect the personal information of customers. “Given the repeated warnings over many years as to the responsibility of boards for cybersecurity,” he said, “we may now be at the stage where the UK authorities decide to follow the lead of their US counterparts.”[6]
UK directors who are attuned to their cyber risks – and have the systems and structures in place to manage them as well as possible – stand to protect themselves against such future liabilities. Further, they may also improve their chances of getting the insurance protection they need at the best possible terms.
“Through the onslaught of challenges company directors have faced over the past four years – a global pandemic, ongoing economic uncertainty, supply chain issues, inflation – cyber risk has persisted as threat actors have seized new opportunities to profit,” Constable said. “Perhaps now more than ever, boards must consider their cyber risks and make sure they have the appropriate protections in place before, during and after an attack to ensure their business can contain the problem and avoid the interruptions and distractions that can get in the way of running the business. As insurers, we’re looking to partner with companies who demonstrate their commitment to managing these risks.”
The information provided is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication.
[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024#:~:text=We%20estimate%20that%20UK%20businesses,in%20the%20last%2012%20months.
[2] https://www.ncsc.gov.uk/collection/board-toolkit/cyber-security-regulation-and-directors-duties-in-the-uk#section_4
[3] https://securities.stanford.edu/current-trends.html#collapse6
[4] https://www.dandodiary.com/2023/10/articles/cyber-liability/sec-files-cybersecurity-disclosure-suit-against-solarwinds-and-exec/
[5] https://www.herbertsmithfreehills.com/insights/2023-06/surging-cyber-incidents-regulatory-activity-and-class-claims-in-australia
[6] https://www.thetimes.co.uk/travel/destinations/north-america-travel/us/directors-face-personal-liability-over-cybersecurity-failures-dpfqnkz92