Leaders have a duty-of-care for preventing, mitigating and transferring the risks of a cyber attack.

Large enterprises like Target, Sony and Home Depot may have grabbed headlines for cyber attacks, but small to mid-size businesses are the most exposed and the easiest prey. That’s because small businesses have fewer resources and may falsely believe that hackers only target large organizations. Last year, small organizations accounted for 85% of data breach claims,[1] and breaches of less than 10,000 records cost on average $4.66 million.[2]

As if such frequency and severity were not enough to cause concern, cyber liabilities now extend from the computer room to the executive leadership up through to the boardroom. The boards of Target, Google, Wyndham were sued after recent data breaches and c-suite officers of these companies were fired for not anticipating and preventing breaches – all because of lack of preparation for or inadequate response to data breaches. Such lawsuits and firings could be catastrophic for officers and boards, if they do not have enough cyber insurance as well as directors and officers (D&O) coverage to protect the firm and indemnify themselves.

“Executive leadership of every company regardless of size, has a duty of care toward all stakeholders. As a result, the responsibility for preventing or responding to a cyber breach ultimately sits upon their shoulders. And that responsibility creates personal liability,” said Arturo Perez-Reyes, Cyber and Technology Leader and Senior Vice President, HUB International. “If a company is sued by any stakeholder, and it doesn’t have enough capital or insurance to protect the firm or indemnify the C-suite and board, then they could lose their personal assets, like homes, college funds, retirement accounts, etc.”

Start from the top

Companies often start at the bottom with operational efforts to minimize losses by simply buying preventive controls like firewalls or anti-viral wares. Fewer firms set up mitigation controls like continuity and disaster plans or incident response plans, and even fewer have ever tested them or transfer cyber risks in contracts or via insurance.

Consequently, many firms would not meet a general “reasonableness” standard for preparedness like the latest NIST or FTC advisories suggest. As a result, boards and officers could be made to look negligent in a court of law.

Boards need to do three things. 1) Check to make sure that your D&O coverage is adequate. Does it have exclusions for failure-to-maintain underlying insurance or specific carve outs for cyber risks? The former are common; the latter new. 2) Check to make sure that the firm has cyber coverage. Most firms do not. And many policies are not worth owning. Hence you need to consult a qualified cyber insurance broker like Hub with dedicated experts for insurance placements, incident-response and claims handling. 3) Exercise a duty-of-care that shows how officers of the company avoid, prevent, mitigate and transfer cyber risk. Then document evaluations and decisions.

Officers must assist the board in its evaluation of cyber risks by: 1) Getting on the right side of the law. Study relevant regulatory regimens--state, federal and international laws that might apply to your physical and electronic stores of personally identifiable information (PHI) or personal health information (PHI). 2) Adopt the latest best practices advocated by the FTC, NIST, industry groups or regulators.[3] 3) Evaluate the potential for unexpected losses and place sufficient insurance. 

Operations Personnel need to execute plans. The best hackers do not hack systems or wares, they hack people.

These “wares” are powerful enough to bring down the most sophisticated nation states. They are sometimes designed to steal; other times to destroy. What these tools can mean to employees is pillaged bank accounts. What they mean to employers is losses of money, trade secrets and competitive advantage. 

Putting it all together

If the officers and board members do all of the above well, they not only defend the firm, they defend themselves. For example, in the Wyndham v. Palkon decision a New Jersey federal court dismissed a shareholder claim alleging that the company’s board and directors did not take adequate steps to prevent an information breach after Wyndham executives provided detailed information of 14 quarterly meetings prior to the attack where cyber security, policies and security enhancements were discussed. In addition, they showed that the company’s audit committee had investigated the breaches and hired a tech firm to recommend security improvements.

The lesson is clear. Any size company whose executives pro-actively work together and document their steps at managing risk both before and after a cyber attack will be able to show that they have exercised their responsibility for stakeholders.

 “It is more important than ever for management teams to work together – from the C-suite to the board and operations personnel,” said Michelle Lopilato, senior vice president, Director of Cyber and Technology Solutions. “Taking the necessary steps to avoid, prevent, mitigate and transfer new and emerging risks will ultimately safeguard the company and its executives.”


 [1] NetDiligence Cyber Claims Study 2014

 [2] Page 10, Ponemon Institute and IBM: “2015 Cost of Data Breach Study-US”

 [3] For example, see the latest FTC publication: “Start with Security: A Guide for Business”