Cyber risks could be the next big trigger for lawsuits against directors, warns Aon at a recent seminar on data management held in the UK.
Directors could be held responsible for loss to companies and their shareholders if they failed in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss.
According to Caroline Yeo, a Financial Institutions and Professional Risks Account Executive for Aon South Africa, a leading global insurer and risk management organisation: “The threat to directors is universal across all sectors as any company utilising technology as a platform or for business support is exposed. Financial institutions in particular need to be very concerned due to the dependence on the confidentiality of their data and the overall exposure relating to online banking.”
Yeo uses the example of a UK clothing retailer that now faces lawsuits by shareholders alleging that the company failed to prevent a hacker from obtaining details of millions of cardholders. The retailer has reportedly already agreed to a multi-million pound settlement with banks over the same incident.
“Directors throughout the world are now being forced to consider the next big risks they may face and they are questioning how the nature of the threat is changing,” explains Yeo.
Over and above the direct loss from technology abuses, there are risks to the management of companies relating to how well they protect against the attacks. Aon is warning directors that they could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, or for failing to provide backups for lost data. This adds another layer of risk for directors, who need to take action to protect the assets of their business against cyber crime or else face being sued.
“Cyber risks are pervasive. Among the measures we are taking to respond to these changing exposures is the analysis of insurance policy language to maximise the potential coverage when a cyber risk materialises.”
Yeo concludes by cautioning that insurance should, however, be perceived as the last resort. Directors must look to prevent the cyber risks in the first place by firstly developing strong IT security defences and business continuity plans which are regularly tested, and then heightening awareness among the board to create a security culture with all departments and employee roles.