By Simone Petrella, Chief Cyberstrategy Officer, N2K
Target’s board of directors can finally breathe a little easier. After an extensive two-year investigation, on July 7 a U.S. District Court judge dismissed the shareholder derivative lawsuit filed in connection with the company’s 2013 data breach.
Directors predominantly rely on directors’ and officers’ (D&O) insurance to cover the cost of compensation claims made against a business. And if the legal experience of Target and other large-scale breaches has taught us anything, it’s that there is plenty of precedent that data breaches can lead to a D&O claim. Typical D&O policies don’t explicitly mention cyberattacks, but in the case of large, public companies, most claims are submitted under their D&O policies when they allege the ‘wrongful acts’ of the directors and officers.
What’s a board to do?
In the face of these challenges, both expensive and detrimental to a company’s reputation, what’s a board to do? These shifts in legal claims have led many in the insurance industry to speculate that future D&O policy language will specifically exclude claims arising out of a cyber incident, or at least require stricter standards of accountability for directors in exercising appropriate governance and oversight of cybersecurity risks in their organizations.
This has highlighted the need for the board to be educated about the real risks of cyber incidents in order for them to make informed and actionable decisions. Just like any other business matter, they need to be comfortable with cyber issues and feel informed and empowered to make considered business judgments on how to avoid, accept, transfer, or mitigate those risks.
How we address the issue
One of the ways we at N2K are working to address the global issue of cybersecurity is by educating boards and executives, and helping them build a baseline literacy in cybersecurity issues. These issues impact all of their other enterprise risks, so it’s vital the board and executives can understand and evaluate the updates they receive from their management teams. Boards that are literate on cybersecurity are remarkably more capable of accurately assessing risks to their own company, as well as evaluating the board’s real risk of shareholder and derivative security suits.
Ultimately, boards that can demonstrate their literacy and integrate it into their business decisions relative to cybersecurity risk can offer more protection and assurances to their shareholders and insurers that they have met their fiduciary duties.
In turn, if boards truly become more educated, insurers and providers of D&O policies can begin to demonstrate a true understanding of the real risks directors and officers face in preparing for a worst-case cybersecurity incident, meaning they can more accurately and confidently write language and determine the type of exclusions or inclusions that should be in D&O policies.