Directors could be held responsible if they fail in their duty of care to mitigate cyber risks, warns broker

Cyber risks could be the next big trigger for lawsuits against directors, warns Aon at a seminar on data management for UK companies.

Directors could be held responsible for losses to their companies and shareholders if they fail in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss.

The threat to directors is universal across all sectors, as any company using technology as a platform or for business support is exposed.

Aon said: ‘Financial institutions need to be very concerned due to the dependence on the confidentiality of their data and the overall exposure relating to online banking. In a recent example, a clothing retailer now faces lawsuits by shareholders alleging that the company failed to prevent a hacker from obtaining details of millions of cardholders, and it has already reportedly agreed to a multi-million pound settlement to banks for the same situation.’

Tom Sheffield, technical director at Aon, commented: ‘In addition to concern over the subprime crisis, situations like the NHS losing patient data and HMRC mislaying over 25 million records of child benefit claimants have provoked directors to think about the next big risks they may face and they are asking us how the nature of the threat is changing.


‘On top of the direct loss from technology abuses, there are risks to the management of companies relating to how well they protect against the attacks. We’re warning directors that they could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, or failing to provide backups for lost data. This is adding another layer of risk to directors, who need to take action to protect the assets of their business against cyber crime or else face being sued.

‘Cyber risks are pervasive. Among the measures we are taking to respond to these changing exposures is analysing insurance policy language to maximise the potential coverage when a cyber risk materialises.’

Aon said insurance should be regarded as the last resort; directors must look to prevent cyber risks in the first place by:

• developing strong IT security defences and business continuity plans which are regularly tested;

• heightening awareness among the board to create a security culture across all departments and employee roles.