The New Threat to Your Officers and Directors: Cyber
The top brass at companies are increasingly being held accountable by partners and shareholders for cyber attacks that occur under their watch, putting their directors’ and officers’ personal assets at risk when lawsuits ensue. While actions by officers and directors have always been held under scrutiny, the cyber threat expands their potential liability significantly, according to a new report by Fitch Ratings. And with new regulations that hold organizations accountable for cyber breaches and responsible for remediation, mitigation and recovery from cyber attacks, the onus is even greater now on your directors and officers if they are deemed negligent for failing to protect the company’s data.

Companies and corporate boards have generally not paid as much attention to cyber security as to other corporate risks. However, the 2014 shareholder derivative suits faced by Target Corp. and Wyndham Worldwide Corp. have changed the litigation landscape. Fitch Ratings probably summed up the risk to directors and officers best in its report: “D&O-related exposures from cyber events arise through allegations that ineffective or negligent corporate governance and board oversight were contributing factors behind inadequate systems defenses and a breach that led to losses and/or a sharp decline in share value.”

That warning means that board members can’t afford not to monitor their company’s cyber security efforts. Fitch noted that to date there had been no events that led to significant directors’ and officers’ liability settlements, but the growing threat of cyber attacks “will create more potential for cyber-related D&O actions going forward.”

If you have a board, you should already have directors’ and officers’ liability insurance. Policies indemnify a firm’s directors and officers and/or the company itself for expenses and losses suffered in connection with lawsuits that accuse them of wrongful or negligent acts. For publicly traded companies, D&O policies mainly indemnify for securities claims, but for private companies, such policies generally contain no such limitation and may provide coverage when claims are brought by plaintiffs who are not shareholders – like customers, creditors and suppliers.

The big question going forward is whether the typical D&O policy will continue indemnifying for lawsuits alleging personal negligence on the part of directors and officers. Already, some insurers include clauses in their policies excluding coverage for claims alleging negligence over cyber security. Now various insurers are developing new policies that are designed specifically to cover directors and officers for claims related to cyber breaches. D&O coverage will vary depending on the specific language of each policy.

Cyber security and insurance advice
There are a number of steps organizations can take to ensure that their data is secured and not susceptible to being compromised. The board and management should work with competent outside vendors to handle their data and protect their systems, test their cyber security measures and ensure that the company has appropriate insurance in place, including cyber insurance and D&O liability insurance. To prepare for the aftermath of a breach, your board and management should be prepared to answer difficult questions about the actions they took to protect their company’s data.

You should have the right insurance coverage that is specific to the risks in your industry and company. Without D&O coverage, directors and officers could be left on their own to defend against lawsuits and pay any potential liability. That risk is even greater for smaller companies that may not have the same resources to voluntarily indemnify directors and officers.
Pokémon Go and the Dangers to Your Business
The Pokémon Go craze has exposed people who play the game to new dangers that have previously not been associated with mobile phone apps. But while many of these perils are associated with individuals who actually play the game, companies also have a lot to lose because of the game.

To play Pokémon Go, players follow their phone’s GPS, which leads them to various places in the real world where they encounter and capture in-game creatures called Pokémon. In their zeal to catch these virtual critters, players have been robbed at gunpoint after walking into alleyways, been shot at for trespassing on private property, been hit by cars after walking into traffic – and even fallen off cliffs.

While these are all personal dangers, businesses also face risks, such as:
• Workers’ compensation, if an employee plays the game while on the clock and gets hurt.
• Data breaches, if employees who play the game on a company-issued mobile device download malware or are victims of phishing attempts.
• Property liability, if players wander onto your business premises and are injured.

Workplace safety – The highly addictive game cuts across many demographics in terms of usage and is putting people in danger if they play it and are not paying attention. And since most people have jobs, the same people who play Pokémon Go are also employees, including yours. As mentioned, many people have been injured playing the game. You must already know that your employees are spending time on their smartphones doing things that are not associated with their jobs. It doesn’t take much stretching of the imagination to understand that employees will play the game while on the clock. If they play while driving on the job, they can not only injure themselves, but also add further liability if they injure someone else or damage a third party’s property. You may also have your own damaged property as a result.

Cyber security – The game was created by a company called Niantic Labs, which is owned by Alphabet Inc., the parent company of Google. Problems at Niantic Labs have added to the security issues with Pokémon Go. Because of the company’s scalability problems, millions of users have had to download the app from third-party websites, where some of the software contains malware along with the game. One version of the malware, called DroidJack, is able to gain access to anything on your Android phone, including all of your e-mail, contacts and text messages. In addition, this malware can access your keystrokes, on-board microphone and camera. Now, imagine that an employee has downloaded the game onto their company-issued phone and that phone has as a result become a conduit for criminals to access your network.

Other liability – Businesses also face potential liability, as Pokémon Go players wander premises where they can hurt themselves. Construction sites carry specific dangers to anyone not paying attention if they enter the property. These include open trenches, trip hazards and nails and other fasteners strewn on the ground. There was one report from Idaho of a Pokémon Go player wandering onto a farm and almost falling into a grain elevator. So, if you have another commercial facility and players wander in and fall and hurt themselves, you could be held liable. Even if you face a lawsuit and eventually win, it will still cost you mounds in defense costs.

The takeaway
You should work with your company counsel to develop policies to address the phenomenon. These can include forbidding employees from playing the game on a company-owned device, while driving or during work hours. You will also have to ensure that your properties are secure, especially after hours, to thwart overzealous Pokémon Go players from stepping onto your facilities and injuring themselves. If you have security on your grounds, you should alert them to stop players from wandering into unauthorized areas.
Despite Cyber Threat, Few Firms Train Staff in Security
Even the most up-to-date firewall and virus protection will not protect you against the biggest threat to your organization’s cyber security – your employees themselves. Despite this, only 45% of companies train their workers in how to prevent breaches, according to a new report released by the Ponemon Institute, even though 55% of organizations surveyed said they believe they had had a security breach caused by a malicious or negligent employee. And 66% of respondents said employees are the weakest link in their efforts to create a strong security environment.

The report also says that even when there is training, there are “critical areas that are often ignored.” According to the report:
• 49% said training included phishing and social engineering attacks.
• 36% said training included mobile device security.
• 29% said the course included how to use cloud services securely.
• 67% said their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential cyber threats.

With the obvious disconnect between employee training and the very real constant threat to any organization with a database, many companies are not doing enough on the personnel side to reduce the threat of cyber attacks, like hacking, malware and other malicious code.

Experian Data Breach Resolution, which sponsored the “Managing Insider Risk through Training & Culture” report, recommended that employee training cover the following topics to protect a business from cyber attack.

Basic courses should typically cover these topics:
• Protecting paper documents
• Securing protected data
• Password security
• Privacy laws and regulations
• Data classification
• Safe e-mail practices

Advanced courses should typically cover these topics:
• Phishing and social engineering
• Responding to a data loss or theft
• Mobile device security
• E-mail hygiene

Gamify training to make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. There are new training technologies that simulate real phishing e-mails and provide simple ways to report potentially fraudulent messages.

Experian also recommends that employers provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. This could include a cash reward or a gift card at a local coffee shop. Another approach to changing behavior is to have clear consequences for negligent behavior, such as inclusion in the next performance review or a mandatory one-on-one meeting with a superior.

In addition to training, you should send regular messages to employees about security and privacy practices. If you have had a data breach, you should require your staff to retake cyber security training. A breach provides the opportunity for you to train your staff about the importance of carefully handling sensitive and confidential information.

The stuff of cyber nightmares
Negligent and malicious behaviors that keep security professionals up at night:
• Unleashing malware from an insecure website or mobile device (70%)
• Violating access rights (60%)
• Using unapproved mobile devices in the workplace (55%)
• Using unapproved cloud or mobile apps in the workplace (54%)
• Accessing company applications from an insecure public network (49%)
• Succumbing to targeted phishing attacks (47%)

Insured protection
While you may have strong firewalls and a solid employee training program, if you do incur a breach, the fallout can cost you. A cyber liability insurance policy can pay for recovery costs, the cost of litigation and fines, and notification costs you may incur. Call us to see if a cyber liability insurance policy is right for your organization. The chances are extremely high that at some point you will encounter some type of liability issue. With our experienced Cyber Liability Team, we can help you put the right coverage and procedures in place so you can focus on running your business with peace of mind that you are covered in this ever-changing cyber landscape.