{"id":791,"date":"2016-01-25T16:10:50","date_gmt":"2016-01-25T16:10:50","guid":{"rendered":"http:\/\/54.201.249.27\/?p=791"},"modified":"2016-01-25T16:10:50","modified_gmt":"2016-01-25T16:10:50","slug":"directors-cant-plead-ignorance-as-cyber-exposures-multiply","status":"publish","type":"post","link":"https:\/\/blackopspartners.com\/directors-cant-plead-ignorance-as-cyber-exposures-multiply\/","title":{"rendered":"Directors can’t plead ignorance as cyber exposures multiply"},"content":{"rendered":"

Directors can’t plead ignorance as cyber exposures multiply<\/h2>\n

Information and a solid response plan are essential for corporate directors and officers as cyber liability issues evolve.<\/p>\n

\u201cThis is an extremely dynamic risk area. There’s always more learning we all have to do,\u201d said Rob Yellen, executive vice president of FINEX North America at Willis Towers Watson P.L.C. in New York. \u201cHow boards will deal with it will be interesting this year. Maybe they’ll have nonvoting board members with cyber expertise; having the right expertise and having something the board can tap into is important.\u201d<\/p>\n

\u201cAs cyber security exposures continue to evolve, the responsibility of protecting an organization from key cyber exposures has shifted away from the (information technology) department and toward the board of directors,\u201d Christian Hoffman, national practice leader of Aon Risk Solutions’ financial services group in New York, said in an email. \u201cAs data breaches continue to occur, the responsibility and expectation of the board of directors will only increase.\u201d<\/p>\n

Most directors and officers liability insurance policies do not specifically exclude cyber-related claims, but corporate officials must understand the nature of the risk they face. And because cyber risk mutates quickly, corporate executives and directors must stay current on the effect of cyber exposures on their organizations.<\/p>\n

\u201cBoards always have to deal with the most important issues facing a company,\u201d said Donna Ferrara, senior vice president, managing director and management liability practice group counsel at Arthur J. Gallagher & Co. in Wyckoff, New Jersey. \u201cWhat’s more important to business than technology, after people?\u201d<\/p>\n

Boards and executives ignore technology-related exposures at their own peril, experts said.<\/p>\n

\u201cI don’t think there are any hidden cyber liability risks anymore,\u201d said Neil Posner, a partner at law firm Much Shelist P.C. in Chicago. \u201cThere may be corporate officers and directors out there who do not fully appreciate those risks, but I don’t think it takes a lot of work to figure out what those risks are. What it really means, it would be very difficult for a corporate director and officer to defend himself or herself on a ground that, ‘I just didn’t know,’\u201d he said.<\/p>\n

As an example of such risks, Mr. Posner cited \u201cspear phishing,\u201d which typically is an email that appears to have been sent by a person or business the recipient knows. He said hackers use this to extract credit card and bank account numbers, passwords, and similar information. Other risks include malicious code and malware that create vulnerabilities in computer systems, which can result in data theft, damage to files and, in some cases, the systems themselves.<\/p>\n

Robert Parisi, managing director and national cyber risk product leader at Marsh USA Inc. in New York, agreed that cyber risks may be \u201cunderappreciated\u201d by boards of directors. They include reputational risk and vicarious or contingent risk stemming from reliance on third parties such as cloud computing providers, he said.<\/p>\n

But the level of board awareness has increased \u201cdramatically,\u201d said Mr. Parisi. \u201cI think it’s become very clear to pretty much every director, every officer that cyber risk is something they have to deal with.\u201d<\/p>\n

\u201cWe’ve seen boards becoming very aggressive in trying to attract talent that can manage these issues,\u201d he said. \u201cYou haven’t until now found many boards seeking people who understand and handle technology issues.\u201d<\/p>\n

Board members and officers need to rely on risk management, IT and legal departments to understand their cyber risks, said Mr. Posner. \u201cThat’s a shared responsibility.\u201d<\/p>\n

Boards need to have \u201ca full and current grip on the issue,\u201d said Tony Galban, Chubb Ltd.’s Warren, New Jersey-based senior vice president and D&O global product manager. \u201cYou want them to be comprehensively informed, and you want them to be currently informed,\u201d he said. \u201cYou don’t want cyber to be a once-a-year board discussion.\u201d<\/p>\n

The U.S. Senate also may get involved in the issue.<\/p>\n

Sens. Jack Reed, D-R.I., and Susan Collins, R-Maine, introduced the Cybersecurity Disclosure Act of 2015, S. 2410, late last year. According to Sen. Reed’s office, the bill would have each publicly traded company include in its U.S. Securities and Exchange Commission disclosures whether any member of the company’s board is a cyber security expert, and if not, why such expertise is not necessary. No action has been taken on the bill.<\/p>\n

Mr. Galban said one challenge is that board directors typically don’t speak the language of cyber technology. \u201cCustomers have said getting someone to speak to the board who can inform and keep their attention can be a challenge,\u201d he said.<\/p>\n

Boards should provide oversight and supervision of a company’s cyber security risks and vulnerabilities, among other things, and develop a proper risk and security assessment that will quantify risk, identify meaningful risk metrics and convey the effectiveness of risk mitigation options, Mr. Hoffman said.<\/p>\n

If a director or officer becomes the target of a liability action stemming from a cyber issue, D&O liability insurance can respond.<\/p>\n

Marsh’s Mr. Parisi said he is not aware of any D&O policies that exclude cyber per se, but they also would not provide the same coverage as a formal cyber liability policy.<\/p>\n

\u201cIf it’s a cyber event that has a material impact on the company, that would flow through the same way as if it were a financial or physical catastrophe,\u201d Mr. Parisi said.<\/p>\n

But Willis Towers Watson’s Mr. Yellen said there could be exceptions.<\/p>\n

\u201cOne place you could end up having trouble is the terrorism exclusions, whether that applied to the acts of hacktivists and others,\u201d he said.<\/p>\n

Originally posted on BusinessInsurance.com<\/a><\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Boards should tap risk managers’ expertise to understand risks. Information and a solid response plan are essential for corporate directors and officers as cyber liability issues evolve.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8,10],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/791"}],"collection":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":0,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"wp:attachment":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/tags?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}