Directors and officers (“D&O”) are increasingly being held personally accountable for the management of cyber risk. Once viewed primarily as an IT issue, cybersecurity failures are now treated as governance failures, exposing directors and officers to legal, regulatory, and reputational consequences. Although the precise legal duties differ across jurisdictions, directors and officers are expected to treat cybersecurity as a core governance concern and to show proactive, diligent efforts to manage it. Failure to do so can result in significant personal liability, even where D&O insurance is in place.
D&O must exercise care and diligence in overseeing business operations, and in particular in safeguarding the business against cyber threats. This requires them to:
D&O owe a duty of loyalty to the business, which requires them to put the business’ interests ahead of their own. This means that D&O must:
D&O bear significant responsibility for ensuring that the business complies with data protection laws and regulations, particularly those bearing on cybersecurity. This duty has become a critical component of corporate governance as cyber risks grow more complex and the number of data protection frameworks worldwide increases. It includes:
Beyond their legal obligations, D&O have ethical responsibilities that stem from their role as stewards of the business. These include:
The increased personal liability that D&O face after a cybersecurity failure can be attributed to several developments in the global regulatory and legal landscape. Together, these shifts have broadened the duties expected of D&O and placed a greater burden on them to ensure that the business has robust cybersecurity controls in place.
Governments and regulators worldwide have enacted stringent data protection and cybersecurity laws, such as the EU’s NIS2 Directive and GDPR, and state-specific laws in the United States. These laws explicitly or implicitly impose responsibilities on D&O to ensure compliance, and non-compliance can lead to both corporate and personal liability. For instance, the NIS2 Directive requires the management bodies of in-scope entities to approve and oversee the implementation of cybersecurity risk-management measures and allows them to be held personally liable for failures to do so, with the possibility of individual sanctions in addition to corporate penalties.
Regulators are imposing significant fines and penalties on companies for cybersecurity failures and are increasingly holding individual D&O accountable through personal fines, disqualification from serving as directors, or even criminal prosecution in cases of egregious misconduct. For example, in a case without precedent in the cybersecurity industry, the former Chief Security Officer of Uber was sentenced in 2023 to three years of probation, 200 hours of community service, and a $50,000 fine for actively concealing a 2016 data breach from the FTC while it was investigating the company.
Courts and regulators are increasingly reading cybersecurity responsibilities into the traditional duties of care and loyalty. As a result, D&O can be held personally liable for failing to meet those duties when cybersecurity weaknesses lead to breaches, financial loss, or regulatory violations. The Yahoo data breaches illustrate this. Yahoo suffered two major breaches that together affected approximately 3 billion accounts. Despite knowing about the breaches, Yahoo’s management did not take adequate steps to disclose them or to remediate the underlying weaknesses in a timely manner. On top of class action settlements with its users and a penalty paid to the SEC, Yahoo’s former directors and officers agreed to a $29 million settlement of a derivative lawsuit alleging breach of fiduciary duty. The settlement was the first time shareholders received a monetary recovery in a data breach-related derivative lawsuit; earlier suits of this kind had been dismissed by the courts or settled without any payment to shareholders.
In addition, the frequency and sophistication of cyberattacks have risen sharply in recent years, raising the stakes for businesses and their leaders. Ransomware, data breaches, and supply chain compromises have emerged as significant dangers, with attackers using increasingly sophisticated techniques. Consequently, D&O are now expected to take a more proactive approach to managing cybersecurity risk and to ensure that their organizations are adequately prepared for such threats.
As cyber threats grow, D&O insurance policies are adapting to the changed circumstances. The days when D&O could easily obtain comprehensive coverage shielding them from every type of liability are over. Insurers are now writing exclusions or restrictions into their policies, particularly for cybersecurity-related incidents. This shift leaves D&O more exposed to personal liability after a breach or cyberattack.
Insurers may now require evidence that a strong cybersecurity framework is in place before offering coverage. A business that cannot demonstrate a serious commitment to cybersecurity may be denied D&O coverage or charged higher premiums, especially in industries with heightened exposure to cyberattacks.
Many D&O insurance policies now include cyber exclusions that restrict or eliminate coverage for lawsuits arising from data breaches, ransomware attacks, or other cybersecurity incidents. For example, after a data breach, directors may discover that their policy does not cover legal expenses or settlements for cybersecurity-related claims if shareholders or affected individuals sue for negligence, leaving them personally exposed.
Maintaining a defensible cybersecurity program involves routine risk assessments, the implementation of suitable protective controls, and regular employee training.
D&O must play an active role in supervising the business’ cybersecurity program. They should receive regular reports on its status and ensure that identified weaknesses are remediated.
D&O should ensure that the business’ cybersecurity measures are well documented, including risk assessments, security policies and procedures, and training programs. Thorough documentation is a key defence against allegations of negligence.
Cyber insurance can protect the business from the financial burden of a cyberattack; such coverage typically extends to legal fees, regulatory penalties, and the costs of notifying affected customers. Directors and officers should ensure that the company has adequate cyber insurance in place.
D&O should also confirm that their D&O policies provide the necessary protection for cyber-related risks, including regulatory inquiries, reputational harm, and a clear allocation of liability between personal and corporate losses. They should further verify that the business’ cyber policies adequately cover both regulatory consequences and claims of negligence in failing to prevent a breach.
D&O must understand the cybersecurity laws and regulations that apply to their industry. They are well advised to seek guidance from specialists, such as legal advisors and cybersecurity experts, to manage cybersecurity issues effectively.
By implementing these measures, board members and officers can reduce their potential liability in the event of a cyberattack. It is important to remember that safeguarding against cyber threats is a continuous effort, and D&O must remain vigilant in protecting the business.