With the increasing prevalence of cyber breaches worldwide, it is essential for directors of companies to be aware of the personal liability risks they may face as a direct result of a cyber breach. The regulatory environment places a heavy burden on directors which merits consideration.

Pierre Lombard, head of claims: financial lines, cyber, motor fleets and A&H at Santam Specialist Solutions, and Omar Ismail, claims specialist: financial lines and cyber at Santam Specialist Solutions

With technological advancements, cyber security threats, tightening regulatory frameworks and heightened shareholder expectations, directors operate in a uniquely high-risk landscape. The South African Information Regulator highlighted in a report of the 2024/25 financial year that more than 2,374 security compromise notifications were received by the regulator.

That is an average of 198 notifications per month. With breaches being so prevalent, it is incumbent on directors to weigh all risk transfer mechanisms, in addition to the required risk management processes, to establish a culture of responsible corporate governance.

When faced with a cyber breach incident where personally identifiable and sensitive information is compromised, directors need to be cognisant of their responsibilities in terms of legislation. Under the Protection of Personal Information Act (POPIA), the regulator has the authority to call for and conduct investigations, assessments, information requests, compliance monitoring and enforcement actions.

If the regulator finds that the provisions of POPIA have been contravened, it may take corrective action. These range from directing that certain processing activities be changed or that specified controls are implemented within a defined period to issuing administrative fines of up to R10 million, as well as pursuing criminal prosecution against directors and “Information Officers” for serious or repeated non-compliance.

Where sensitive information or data is compromised, affected individuals or entities may seek to hold the company and directors liable for damages suffered as a result of the compromise of their personal information. We’ve found that claims of this nature are costly and often involve claims against directors personally.

The Companies Act 71 of 2008 codifies the fiduciary duties of directors and places particular focus on directors’ duty of care, skill and diligence based on a reasonable expectation of someone in their position. A breach of these duties could result in a director being held personally liable for loss, damages, or costs sustained by the company.

In the context of the modern business, which is asymmetrically exposed to cyber threats, these duties extend to ensuring that proactive steps are implemented to protect the interests of shareholders from foreseeable harm, and to identifying, assessing and mitigating material risks as well as implementing mechanisms to transfer such risk.

These duties are also reflected in King V, which is increasingly used as a yardstick against which the conduct of directors of listed entities is measured, and accordingly, the extent of their personal liability.

The following insurance policies, which may provide protection and assistance to companies and directors in complying with their duties once a cyber incident has occurred, may be considered as part of a company’s risk strategy:

* Directors & Officers Liability Insurance (D&O). Decisions taken in times of crisis are often subject to scrutiny by regulators, shareholders and other stakeholders. Even if directors acted reasonably and prudently, these decisions may be tested. A D&O policy provides directors with access to legal representation and advancement of the costs incurred to present available defences and avoid personal liability. Where directors are found to have fallen short of their fiduciary duties, and an award for damages is imposed on their personal assets, the policy will indemnify a director against those damages claims, subject to the terms and conditions of the policy.

* Cyber Insurance policies provide companies with access to experienced incident response providers to overcome the crisis and to advise directors on how to manage the incident and restore operations. The policy also assists the company to meet its regulatory obligations and to recover from business interruption losses.

When used together, these policies provide a synergistic shield: one protects the corporation from the operational and financial harm of cyber incidents, while the other protects the individual decision-makers whose governance duties are increasingly scrutinised when such incidents occur.

In contrast, their absence creates both organisational and personal exposure that can become catastrophic.