Unraveling Responsibility: Exploring Executive Liability in Business Cyber Attacks


A very interesting article was published today in the Wall Street Journal about cyber liability insurance and how corporate boards may be overlooking some risk. This goes for Fortune 500 companies that have a full board of directors, but also for small and medium companies that have executive boards, or maybe even not just executive managers.

Here's what happens when you think about cyber liability insurance or cyber risk. Many executives don't come from a technical background. You probably have an IT department, maybe a cyber department, and they do great work. They're going to do things like manage your websites, manage your technical development, and maybe write code or write programs. Many of those people are not in upper executive or board positions. What does that mean? Well, some of the strategic decisions that a company would make based on technology are second-hand or third-hand. The executive or the board member will go to the IT department, get some feedback, or maybe go to another manager who has a direct report to the IT department and get some feedback. But the strategy of business operations may not come directly from that.

The article says directors with professional experience in cybersecurity represented two percent of directors on the boards of S&P 500 companies. And those are large companies; those are companies that have a large IT department. What you're also going to find is that it's increased sharply to two percent. The amount of cybersecurity expertise is low when boards are under increased scrutiny for security failings.

Here's the problem: if you are a company that has a board of directors or you are on the board of directors and you do not have cybersecurity experience when there is a security failing, they're going to look at you and say, "Well, why didn't you get the right consultation from somebody who knows what they're doing?" Even if you're an executive at a company and your company gets hacked, you have a cyber event, you have a ransomware event, or somebody gets your customer data and sells it on the dark web, they're going to ask you, "What did you do to prevent it?" And you say, "Well, I talked to my IT guy." Well, when they look at it from a regulatory standpoint and find out you didn't have cyber liability insurance, you didn't have proper protocols in place, or maybe you didn't put in some best practices that most companies use, that may invalidate some of the protections you have individually or that your board has because you didn't use some of the normal things that people do.

Look, your IT department can do a great job, but they're not out there in the marketplace, seeing what all the risks are. They change from week to week. So even if you have the best tech guy, IT guy in the world or a CTO, they're going to know what things they read about or what things happen to your company. They may not know all the risks and losses that happen to other companies. The cyber insurance writers, the company underwriters, know what all the attacks are all over the world, all over the country. So when a new type of cyber attack is developed and it comes out every week, they're going to know about it from another company, and they can put protections in place for your company.

So be aware that this lack of knowledge in this one particular area of business management, which is cybersecurity, may not be as common in companies, especially at a higher level. Every company has IT people, I get it, and cyber defense people, but the strategies they put in place may not be part of the planning for business development, company development, capital management, or security regulatory involvement. And if those decisions are made in the absence of or blindness to cybersecurity, that may create not only losses but also liability for those who didn't take that into account.

You can get more information on our website, riskcoverage.com, and just be aware that the landscape's changing and risks are increasing dramatically. These hackers are coming up with new ways of attacking your systems, and look, MGM and Caesars in Las Vegas got hit last month, so if they can get hit, anybody can get hit.
