For Company Directors, Cyber Risks Generate Growing Liabilities

Cyber crime continues to be a prevalent and costly concern for businesses. The UK government’s 2024 cyber security breaches survey found that among the 50% of businesses that identified any cyber security breaches or attacks, 44% of businesses ended up being victims of cyber crime. Company directors are giving the problem increased focus as a result, with three-quarters of businesses reporting that cyber security is a high priority for their senior management. These figures are even higher for medium-size businesses (93%) and large businesses (98%).[1]

As part of company directors’ duty to act in the best interests of their business, they are responsible for embedding cyber resilience into all areas of their organisation – and they face growing liabilities if they do not.[2] The liabilities include regulatory fines and other penalties for failing to manage cyber risk, as well as class action lawsuits that can occur when cyber breaches result in the loss of critical data and damage to a company’s reputation.

“Directors have the duty to make sure they understand cyber risk and the controls needed to mitigate it,” said Graham Constable, managing director of Management Liability at Travelers Europe. “They need to have a cyber risk reporting framework in place, ensure board oversight of it, and confirm they have the right insurance policies in place to provide necessary protections in the event of an attack.”

Cyber insurance and directors’ and officers’ insurance have complementary but separate roles here. A cyber policy can respond to the cyber event and provide access to experts who can help contain risks in the moment and get the business back up and running. A directors’ and officers’ policy can protect a company’s leaders against potential follow-on litigation from regulators or shareholders if the organisation experiences an attack.

A shifting landscape for cyber liability

Post-breach litigation is an increasingly common occurrence around the world. The US, for example, is being proactive with litigation against companies that don’t have the appropriate cyber reporting framework in place. Since 2017, there have been 37 securities class action filings in response to data breaches.[3] In late 2023, the Securities and Exchange Commission (SEC) filed a landmark civil enforcement action against the software company SolarWinds, as well as its chief information security officer, alleging the company repeatedly misled investors by minimising the company’s cyber vulnerabilities and the ability of hackers to infiltrate the company’s systems.[4]

New regulation is aimed at holding companies more accountable.

“In just the past six months, the SEC introduced a cyber reporting framework that US-traded companies have to follow,” Constable said. “The US isn’t alone here either. In Australia, there has been an increase in litigation following cyber attacks.[5] As the risks grow in jurisdiction and frequency, they will continue to be important factors for boards to monitor and manage.”

That’s especially true if there are personal consequences for company directors following a cyber attack on their organisation. In a recent article for The Times, Lawson Caisley, a partner at the law firm White & Case, said it could become more common for UK directors to “face personal liability and regulatory censure as a result of their company suffering or mishandling a cyber breach.” He cited two actions against company directors in response to their management of a cyber breach and failures to protect the personal information of customers. “Given the repeated warnings over many years as to the responsibility of boards for cyber security,” he said, “we may now be at the stage where the UK authorities decide to follow the lead of their US counterparts.”[6]

UK directors who are attuned to their cyber risks – and have the systems and structures in place to manage them as well as possible – stand to protect themselves against such future liabilities. Further, they may also improve their chances of getting the insurance protection they need at the best possible terms.

“Through the onslaught of challenges company directors have faced over the past four years – a global pandemic, ongoing economic uncertainty, supply chain issues, inflation – cyber risk has persisted as threat actors have seized new opportunities to profit.” Constable said. “Perhaps now more than ever, boards must consider their cyber risks and make sure they have the appropriate protections in place before, during and after an attack to ensure their business can contain the problem and avoid the interruptions and distractions that can get in the way of running the business. As insurers, we’re looking to partner with companies who demonstrate their commitment to managing these risks.”

This document is provided for general informational purposes only. It does not, and it is not intended to, provide legal, technical or other professional advice, nor does it amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. Furthermore, laws, regulations, standards, guidance and codes may change from time to time and you should always refer to the most current requirements and take specific advice when dealing with specific situations. In no event will Travelers be liable in tort, contract or otherwise to anyone who has access to or uses this information.

Travelers operates through several underwriting entities in the UK and Europe. Please consult your policy documentation or visit the websites below for full information.

travelers.co.uk                                            travelers.ie

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024#:~:text=We%20estimate%20that%20UK%20businesses,in%20the%20last%2012%20months.

[2] https://www.ncsc.gov.uk/collection/board-toolkit/cyber-security-regulation-and-directors-duties-in-the-uk#section_4

[3] https://securities.stanford.edu/current-trends.html#collapse6

[4] https://www.dandodiary.com/2023/10/articles/cyber-liability/sec-files-cybersecurity-disclosure-suit-against-solarwinds-and-exec/

[5] https://www.herbertsmithfreehills.com/insights/2023-06/surging-cyber-incidents-regulatory-activity-and-class-claims-in-australia

[6] https://www.thetimes.co.uk/travel/destinations/north-america-travel/us/directors-face-personal-liability-over-cybersecurity-failures-dpfqnkz92