Hamburger Evron & Co.

  • 08.02.2015, Cyber Attack: The Directors are Exposed to Claims, The Marker

The exposure of board members to personal liability includes not only risks relating to the actual cyber breaches, but also to the manner in which the company responded to the breach and dealt with it

Israel has no law providing in-depth regulation of cyber security, and the cyber policy of civilian and business entities is left to the decisions of the organizations' own managers. What degree of regulation is required, and which mechanisms should be used for the civilian sector, remains an open question. At present, there is no adequate response to the issue of cyber protection of the civilian sector. The main legislation in place is the Privacy Protection Law, and yet the law is not up to date and most certainly is not suited to the cyber age. The law is based on the outdated assumption that there is a small number of databases which can be controlled. The Computer Law suffers from similar deficiencies and is likewise not adapted to the cyber world.

Israeli regulators are well aware of the issue of cyber security, and yet the regulation in place is sparse. Cyber-attacks are usually foreseeable, such that an organization's omission and failure to prevent an attack could expose it to liability for claims of breach of the duty of care owed to injured parties. Whether a cyber-attack was foreseeable is a question of fact, considered according to the circumstances of each case. The considerations include the risk caused, the degree of awareness that the company should have had of the cyber risk materializing, and the level of the protective measures taken by the company. In addition, it may be possible to sue the company on contractual grounds, for breach of the contract between the company and its customers.

In such a state of affairs, the company's officers are also exposed to claims. Recently, more and more derivative claims have been filed against directors on grounds of breach of fiduciary duties and of the duty of care. A derivative claim is made in the company's name and may be filed by a shareholder of the company. As part of a director's supervisory duties, he must take reasonable measures to protect the personal and financial information of the company's customers. The board members' exposure to personal liability includes not only risks relating to the actual cyber breaches, but also the manner in which the company responded to the breach and managed its affairs "after the fact".

The cyber world is new to most directors and officers, and most of them have not yet accumulated the experience and know-how in this area required to properly fulfill their duties and protect the company's digital assets. And yet, the directors have a duty to pose hard and complex questions to senior management and IT personnel, and even to consult with advisors and experts.

Is there any insurance against cyber-attacks? In principle, yes. The purpose of such insurance coverage is to mitigate the losses that could be caused by various cyber events, such as information breaches, interference with the proper functioning of the business, and harm to networks. The damage potential of cyber risks is huge, including severe damage to the company's reputation and goodwill.

The cost of cyber events includes loss of sales, damaged goodwill, direct costs and losses, physical damage to property or persons, as well as "remedial" costs such as PR and crisis management, litigation expenses and settlement costs, regulatory fines, costs of providing information, costs of defending against investigations by state authorities, repair of the deficiencies in the systems that allowed the breach (including retaining experts and consultants), compensation for damage caused to customers, and third-party liability. This sort of insurance is specific to cyber risks. However, cyber insurance should be used merely as one more tool in the "toolbox" of plans for handling cyber threats, rather than as a sole or sufficient means.

Companies are further advised to consider modifying their existing D&O liability plan. On this issue too, professional legal advice is highly important for promoting the best interests of the company and enabling the choice of the best policy.

The author is Head of Cyber and Technology at law firm Hamburger Evron