One does not need a crystal ball to foresee that cyber incidents are not only a risk under respective policies but likewise represent a significant liability exposure for directors and officers. In this context, I find the study published by The Economist Intelligence Unit (EIU) and Willis Towers Watson an interesting read. Based on polling of more than 450 companies globally about their strategies and challenges in building a cyber resilient organization, the survey in particular found that most companies feel they are well prepared when it comes to incident response.
This confidence that many executives place in their companies’ cyber-resilience abilities may not be surprising. However, I am not yet convinced that the majority of insured have already adopted adequate data risk management and IT security systems - which will be necessary to shield the company but also to protect the directors and officers against liability. In Germany, for instance, liability claims are frequently based on an alleged insufficient compliance organisation. And I am pretty sure that we will see more claims in connection with data breaches and cyber attacks in the future.
What should be done about such a finding? I believe that insurers can play an important role as risk advisers, and the insured can benefit much from the assistance offered. While some complain about burdensome underwriting processes, it is this risk dialogue which is essential and should be in the interest of both companies and their carriers. It is, however, important that this is not restricted to cyber policies - as pretty much the same risks create an exposure under a variety of covers, including D&O.
Highlights: In the past year, a third of the companies surveyed experienced a serious cyber incident – one that disrupted operations, impaired financials and damaged reputations – and most placed high odds on another one in the next 12 months. Many companies lack confidence in their ability to source talent and develop a cyber-savvy workforce. Executives cite the size of the financial and reputational risk as the most important reason for board oversight.