Cyber Liability for Directors and Officers


Paul Martin & Colin Rooke discuss the implications of cyber liability for corporate directors.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator on CKOM. Joining me today, Colin Rooke, the commercial risk reduction specialist with Butler Byers.

Colin, a lot of times we’re talking about the operational imperatives, if I can use it that way. We’re guiding senior management in businesses that you need to do this, you need to do that. Today we’re going to maybe step it up even one level higher and talk to those who … and this is often owners of businesses or senior executives, but people who carry the title of corporate director. Tend to think of that in the context of bank directors and stuff, but really just about every company has directors. So there are certain duties, obligations, and responsibilities that come with that. This takes us back to that good old world that we always seem to be talking about, and that’s cyber. Can you talk to me about what are the cyber liability implications for carrying the title corporate director in terms of your duties and fiduciary responsibilities as a director of a corporation? Is there some linkage there? Is there something we need to be talking about?

Colin Rooke:

Yeah, absolutely. For anyone that’s active on a board of directors, as director or an officer, if they’re working for or with an entity that has a cyber liability claim, what is commonly unknown is the responsibility that the board has to ensure, again, that the entity is cyber secure. So what we’ve done is we’ve put together a guide for directors and officers, to ensure, one, that they know what they need to know as a board when it comes to cyber liability, cybercrime, and then really, two, how to get what they need done from the organization. What are the implications to the board? Then what can they do about it? Then what documents do they need? Which is different than other guides we’ve talked about. A lot of the tools I’ll say that we discuss, they’re for the organization, they’re for the business. Incident response plan, and we have those, but in this case, it’s from a board level. What policies? What procedures? Incident response plan is in there, but what are we even asking for? How do we get it done? Who’s involved? Who do we bring to the table? Who do we bring to the board? Do we need a cyber expert on the board? Do we look for that internal champion? What are our requirements? That’s what this guide covers.

Paul Martin:

If I got this right, it’s basically the checklist for corporate directors to, say, make sure that you’ve asked management about all of these things and that there are mitigation plans in place so that if there is a breach of some kind and your organization comes under the scrutiny of evaluators, you as a director can say, “Hey, we looked at this. We discussed it. We did our job. We did our duty. We still suffered the breach, but we were responsible and we were ahead of the curve on thinking about this.” Is that a fair description?

Colin Rooke:

Yeah, absolutely. That’s what we’re after. Really, the point is to avoid lawsuits aimed at the board. Whether there’s directors and officers insurance in place or not, again, the board is held to a higher standard. The reverse of what you just said there is imagine if there is a breach and the general manager says, “We’ve talked to the board about cyber insurance and cybercrime, and they were neither here nor there, and we didn’t really pursue it.” Then you speak to the board and the board admits, “We really didn’t know much about it. We’re not really aware of the types of threats that we need to be looking at, the types of sensitive information we may have. So we didn’t place anything or recommend or do anything, but frankly it’s because we know very little about the subject.”

Paul Martin:

Now, one of the themes that you and I talk about in this program is making your business a better, more attractive and appealing to the insurance industry. I want to be a good customer so they give me better rates, better coverage, better treatment. This really falls into that category, doesn’t it? If you are on a board, one of your duties is to make sure you run a solid ship, and this is one way to do that.

Colin Rooke:

It is. If you’ve been on the buying end of a directors’ and officers’ policy in the last three years, and certainly in the last 18 months, you’ll know that the premium for this type of coverage has gone up exponentially. Then coupled with that, you’re looking at restrictions, removal of coverages. You’re looking at higher deductibles. You’re looking at endorsements that, again, are removing coverages that were previously there. It’s all around this: if the board can’t show that they’re a board worth insuring, you’re going to be on the losing end of market adjustments. They’re going to treat you as average, at best. So it’s really important for our customers, for us to be able to say, “They’ve done a high level assessment of the board effectiveness,” which we talked about probably a year ago on this show.

We review the board. We walk through, “Is the board effective,” across all levels, and we’ve got a great tool there that, again, we’ll ask for every policy, procedure, and tracking of minutes. It’s a great package, but when it comes to cyber liability and due to the frequency and severity of the losses … An interesting statistic: 2.9 million US dollars are stolen every minute now due to cybercrime. The breach occurs. Fingers get pointed. For example, first question, has the board adopted any written cybersecurity policies, procedures, or internal controls? What tools have they implemented to deter cybersecurity events? If you don’t have an answer for that, you’ve got a problem.

Paul Martin:

I’m assuming that there’s some sort of personal exposure here to corporate board members if they can’t answer these questions effectively. That seems to be one of the areas that you see the law moving towards is to hold the individuals who sit on boards of directors personally liable for some things. You get it for payroll and for unpaid obligations to the federal government, for tax withholdings and that kind of stuff. Is there a risk that board members personally could be carrying some liability here?

Colin Rooke:

Yeah, absolutely. Certainly, if you’re on any board, you want to make sure there’s a directors’ and officers’ policy in place because that is the nature of a claim against the board, is that each individual is being held personally liable for the decisions they’ve made. If you could imagine, on a typical board, you ask or hire people to join the board based on unique traits they may have, to create a well-rounded group. Not every board and, in fact, most boards will not have a cybersecurity expert or even someone from the IT field that would say they’re a cybersecurity expert. It’s just not feasible for most boards to do that. So you’ve got this onus to know a lot more about cybersecurity than the group’s expertise would allow. So who helps the board?

For example, who notifies the board that it’s their requirement to either hire or appoint a chief information officer? If you don’t have someone that’s well versed, where do they find that info? This guide says, “Do you have this? This is why you have to have this. It can be paid or volunteer, but it must be done. In the event there is a breach, you’re going to be asked, ‘Who is it? Who’s been monitoring cyber protocols?’” This guide will walk you through everything. One, it defines the role and then walks you through everything you would need to work on to be effective as a board.

Paul Martin:

All right, we’ve got to take a little break here, Colin. We’re into something that’s really quite fascinating and far more far-ranging and more far-reaching than people would expect. I’m looking forward to carrying on this conversation right after this. You’re listening to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin, back after this break.

Welcome back to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, and joining me, Colin Rooke, the Commercial Risk Reduction Specialist at Butler Byers. Colin, just before the break, we were talking about potential liability that may fall personally on a director of an organization in the event of a cyber attack. It’s this kind of a new nuance or twist that’s coming out of this cyber insurance realm. But I’m curious. We’ve been talking about this in the context of corporate boards. Many people who will be listening to this will be participating on volunteer boards or charitable boards or foundations and trusts and that kind of thing. Do the same set of rules apply there if you’re on the board of your church committee or whatever? You’ve got financial data of the congregants. Most organizations are out raising money. You’ll have financial banking records and that kind of stuff of your donors. Are these the kinds of things that are going to get captured in this if you’re just running the local 4-H club?

Colin Rooke:

Yeah, absolutely. That’s why the threat is so real is that, again, you take a small nonprofit or the church board. You may not have the luxury of hand-picking the experts that your congregation needs to effectively run the church. Often, it’s just a select group of very dedicated people, individuals that want to volunteer their time for the betterment of the congregation. Yet suddenly you’re called to task and you need to understand what operational risks, what legal risks, and what financial risks are there when it comes to cybersecurity. Again, where do you get this information? Who helps you if you don’t have the luxury of being able to either appoint or hire someone to navigate you through this? Even on the hiring end, if you’re not well-versed in cybersecurity, who do you hire? Who do you ask? Where do you find this person? How do you know if the person you’ve reached out to even knows what actually is required of you at the board level? That’s why this topic is so important. And another.

Paul Martin:

That’s why this guide that you’ve made available, basically free of charge, it’s available to anybody. It could be really an important source of information for people who have not given this any thought.

Colin Rooke:

It really is. For example, we’ve talked about educating the workplace when it comes to cybercrime and that almost all forms of cybercrime are human error. Yet a recent survey shows four in 10 Canadians in the workplace have never received any cybersecurity training at all, meaning not even a, “Do you know what a virus is? Do you even know what cybercrime is?” I mean nothing. If you look at those stats, 40%, is every board in Canada now effective if so many people are saying, “I have absolutely no idea what it is or how it affects me in any way.” Then you think about just the public at large being asked to volunteer their time with, for example, the subject of the smaller nonprofits or the church congregation. Now these 40% who’ve had no training whatsoever, if they’re serving on a board, how are they held responsible for educating the organization that they’re working on behalf of?

Paul Martin:

There’s going to be some chill with this, Colin, in that why would I go sit on a board of a charity or my local minor hockey association if this is the kind of risk that I am going to run as an individual, personal risk? It’s not enough that as a hockey board member, I get yelled at by the parents because, “My kid doesn’t get enough ice time,” but now I’ve got this potential legal liability that’s hanging over my head. I guess I’m asking, is this guide that you’ve provided, is it one tool that can be used to turn down the temperature on that chill or raise the temperature on the chill, if I can use that metaphor to just say make people more comfortable and willing to accept, say, an appointment to a board of directors?

Colin Rooke:

I think this guide, coupled with our board effectiveness guide, should appease any concern that most, I’ll say, potential or even current board members would have. Depending on the nature of the organization, you’re held to different standards as the board, but if you’re using this guide, this cybersecurity guide with our board assessment, it is going to cover things like, do you have a basic directors’ and officers’ policy that protects the members? There is a shocking number of boards that do not carry this basic coverage. Then once you start educating those individuals on the board that even though they’re volunteering for the local hockey association, are you aware that your personal assets are at risk? They don’t. If there’s some guide you can access that says, “These are my responsibilities, but these are also the items that must be in place on any board,” I think you can join up with a little less angst.

Paul Martin:

Yeah. I guess at the end of the day, I’m curious about where this all comes from. I guess if I’m the mind of a hockey board and you think, “Why would we be subject to this,” if you’ve got the records and finances of the organization accessed by computer, you’re pretty much vulnerable. You imagine a hockey association that gets held up for ransomware. You can’t pay for your arenas. You can’t pay for your officials, nothing, travel. You can start to see the implications of that. But I can’t help but think that a lot of times we think this is out there and it’s something I guess it’s floating around, but it doesn’t affect me. In fact, it does. In a way, if you look at the conflict going on in Eastern Europe, Canada’s intimately involved in that battle as a supplier to the Ukrainian side, and many of these attacks are coming from the Russian side. Canada is being attacked by Russian cyber criminals. This is almost like a war footing we need to be on here.

Colin Rooke:

Agreed. There’s a lot of cybercrime dollars being funnelled to Russia at the moment. It’s not going away. The stats show that it’s not going away. It’s not lessening at all. Frankly, Canadians aren’t even getting all that better at deterring, meaning the level of deterrent is not exceeding the rate at which the sophistication of the cybercrime grows. So it’s so important that everyone do their part to at least minimize, make their life difficult, know what you should do, and prepare the organization for that.

Paul Martin:

Colin, fascinating subject and far more wide-ranging and reaching than the average citizen really understands. I think that if there’s a storyline here today that we pass along, it’s that, yes, you too can be victimized by this. You need to be aware, and you need to arm yourself about the threats of cybersecurity and the challenges that are there, particularly if you’re just trying to be a good citizen and help some organization in your community. There’s liable to be some obligation attached to that.

You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. This is Risky Business. I’m Paul Martin. Thanks for joining us. Talk to you next time.