Why the GDPR means you need more cyber & directors’ and officers’ insurance
Last year was a record-breaking year for cyber claims, with more claims than the previous four years combined, according to recent industry research. Researchers also predict that cyber claims will rise further as a result of the General Data Protection Regulation (GDPR). Because the GDPR imposes strict obligations and heavy non-compliance fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher), the consequences your business may face after a cyber-attack or data breach have never been greater.
Apart from the need for increased cyber-insurance, researchers also predict that the GDPR will cause a surge in directors’ and officers’ (D&O) insurance claims. The GDPR effectively places responsibility on directors and officers to prioritise cyber-security throughout their organisation, and failing to do so could expose them to personal liability. To protect your directors and officers, consider adopting the following best practices:
- Approach cyber-security as an organisation-wide risk management issue, not just an IT issue.
- Understand the legal implications of cyber-risks.
- Ensure adequate access to cyber-security expertise and encourage regular discussions on cyber-risk management.
- Set an expectation that management will establish a cyber-risk management framework with adequate staffing and budget.
- Discuss cyber-risk in terms of which risks to avoid, which to accept, and which to mitigate or transfer through insurance.
Cyber Liability Insurance
Exposures that a typical cyber policy may cover include:
Data breaches – Increased online consumer spending has placed more responsibility on companies to protect clients’ personal information.
Business/Network Interruption – If your primary business operations depend on computer systems, an incident that cripples your ability to transmit data could cause you, or a third party that depends on your services, to lose revenue. Anything from a server failure to a data breach can disrupt day-to-day operations, and time and resources that would normally have gone elsewhere must be redirected to the problem, which can lead to further losses. This is especially relevant because denial-of-service attacks have been on the rise. Such attacks make a website or service unavailable, most often by overloading an organisation’s servers with traffic; related attacks redirect visitors to a different site.
Intellectual property rights – Your company’s online presence, whether through a corporate website, blogs or social media, exposes you to some of the same risks faced by publishers. These include defamation (including libel) and copyright or trademark infringement, among other things.
Damages to a third-party system – If an email sent from your server carries malware that crashes a customer’s system, or software your company distributes fails and causes a loss for a third party, you could be held liable for the damages.
System Failure – A natural disaster, fire or malicious activity could cause physical damage that results in the loss of data or code.
Cyber Extortion – Attackers can hijack websites, networks and stored data, for example with ransomware, denying access to you or your customers. They typically demand a ransom to restore your systems to working order. This can cause a temporary loss of revenue as well as the costs of paying the attacker’s demands or rebuilding if damage is done.
Directors’ and Officers’ Insurance
Unlike liability policies that provide cover for claims arising from property damage and bodily injury, a D&O policy specifically provides cover for a ‘wrongful act’, such as an actual or alleged error, omission, misleading statement, neglect or breach of duty.
A D&O policy provides defence costs and indemnity cover to the entity listed on the policy declarations, which may include:
- cover for individual directors and officers;
- reimbursement to the organisation for a contractual obligation to indemnify directors and officers who serve on the board; and
- protection for the organisation or entity itself.
Indemnification provisions are typically included in a company’s charter or bylaws. Although these provisions are an important part of managing the risk, small and medium-sized enterprises and not-for-profit organisations often lack the financial resources to fund them, leaving the bylaws hollow. A D&O policy provides an additional layer of protection in the event of a covered loss.
For more information on the need for increased cyber and D&O insurance, contact Lockyers today.