This is Part I of our feature on D&O Liability Insurance
DIRECTORS AND OFFICERS (D&OS) have ever-increasing duties and obligations resulting in ever increasing liability exposure, including fines, penalties and damages. D&Os need to ensure that indemnities from the company and their D&O insurer extend to those exposures. D&O insurers need to ensure the wording and pricing of their policies account for these everincreasing exposures. This article looks at topical issues arising out of those exposures.
The continued rise of cyber
Cyber risk appears in the top three risks in any management risks survey, which is unsurprising given that a significant percentage of companies say they have been a_ ected by some form of cyber incident in the last 12 months.
D&Os have two principal areas of cyber risk exposure:
1. Claims by shareholders (either on their own behalf for losses arising from a reduction in share price following a cyber incident, or on behalf of the company via a derivative action for losses incurred by the company by reason of the D&O’s negligence); and/or
2. Claims by customers as victims of any breach of privacy/data incident.
In the US, high-profi le shareholder claims have alleged:
1. A breach of fi duciary duty and duty of care by D&Os in not taking su_ cient steps to protect their company from a cyber attack, particularly if they knew of the inadequacies of its systems or should have known;
2. Wasting of corporate assets by exposing the company to investigations and other censure;
3. Misleading representations as to the company’s cyber and privacy protection systems and/or in respect of their subsequent breach; and
4. Unjust enrichment of D&Os for e_ ectively being paid while not doing their jobs properly.
It is not difficult to see how such actions could be brought against D&Os in Australia, particularly given our strict liability misrepresentation laws which require no intent to mislead or deceive, and our consumer-friendly class action regime and plethora of litigation funders.
Conversely, customers whose data/privacy has been breached have had difficulty bringing claims because of the need to establish actual (rather than theoretical) loss arising from the cyber breach. Class actions in the US have failed on that basis. In the UK, however, the courts have recently allowed an individual to claim compensation even if they have suffered no financial loss, which will undoubtedly be utilised in future claims involving cyber matters, such as the recent TalkTalk incident.
In Australia, there are two proposed pieces of legislation that would increase D&Os’ cyber exposure:
1. Federal legislation creating mandatory reporting obligations within 24 hours of a cyber breach. While the obligations are proposed to be on the entity only, it has to be expected that consequential obligations could ultimately flow through to the D&Os; and
2. The NSW legislative committee recently proposed that NSW “take the lead” and create a statutory tort for serious invasions of privacy which would alleviate the need to prove actual loss. While the chances of this occurring may be slim, it clearly evidences a legislative intention to progress this area of law, which should be acknowledged by all D&Os and their insurers in managing future liabilities.
D&Os have to be fully appreciative of cyber risks affecting their business, and create, monitor, adhere to and update relevant applicable procedures and safeguards. Currently, D&O insurers provide automatic cover for D&Os’ cyber liability; however, with the increasing risk it remains to be seen whether that will continue.
To be continued...
