How your client’s directors could be blamed for cyber losses

Cyber risk awareness is on the rise among corporate directors, who could face liability risk if they are accused of being lax on governance.

“Corporate clients are more likely to be aware today, compared to a few years ago, of the personal liability risk of boards in the event of cyber breach or attack,” Brian Rosenbaum, national cyber leader of Aon Canada, said in an interview.

Corporate boards could potentially be named in a lawsuit by plaintiffs alleging a breach of fiduciary duties based on a failure to exercise due diligence in ensuring there was proper governance and proper policies and procedures in place to manage cyber risk, added Rosenbaum.

He spoke to Canadian Underwriter after Aon released its 2019 Cyber Security Risk Report Wednesday.

Corporate directors need to set the tone for their companies in preparing for cyber incidents, Aon suggested in the report. “Cyber security oversight continues to be a point of emphasis for board directors and officers, but recent history has seen an expanding personal risk raising the stakes.”

Some lawsuits have been filed in the United States against corporate boards for failing to properly disclose cyber risk as required by securities laws, Rosenbaum said.

“We haven’t seen that here in Canada yet,” he said. “But in my view, it’s only a matter of time before there are some attempts and maybe some successes, and I think that directors on Canadian corporate boards have stood up and noticed.

“Our boards in Canada and our executives in Canada have taken notice that there is a steady stream of attempts in the U.S. to blame the board when things go awry from a cyber perspective.”

One of the most common causes of cyber breaches is employees, Aon said in the report. To mitigate this risk, companies need strong data governance and to communicate cyber security policies throughout their organizations.

There has been a noticeable increase in demand for cyber insurance policies, Rosenbaum observed.

“I have been in this game for 15 years,” he said. “When I first started talking about cyber, a lot of people thought, ‘That’s really interesting but I don’t have the exposure,’ or ‘We don’t really want to buy the insurance.’ Now I think most businesses are aware that there is a specific type of insurance called cyber insurance that insures a number of risks in the cyber realm.”

Such coverage general includes losses related to the compromise of confidential personal information or sensitive commercial information such as intellectual property of third parties.