Cyber attacks and cyber crime against businesses are increasing every day. Michael Murphy explains cyber insurance cover

In Brief: To combat and decrease the risk of exposure to protect company interests, companies should review policies and procedures and their cyber insurance to ensure that they will have a holistic, multi-faceted response in place in the event of a cyber attack or data breach.

Directors of Irish companies need to be mindful of their statutory and fiduciary duties to conduct appropriate risk assessments and ensure that all appropriate steps are taken to protect their company’s interests. This is particularly important after a cyber event has had a material adverse effect upon the company’s profitability or share price and where such decisions may subsequently be reviewed by shareholders.

Media attention has tended to focus upon cyber attacks which compromise a company’s ability to carry out everyday operations through ransomware attacks, denial of service attacks and flaws/errors in software systems given the devastating implications of such attacks for companies. However, cyber risk can also arise from the processing and storing of data and information by electronic means. Companies will be aware of the increasing phenomenon of spear phishing attacks combined with social engineering. This has resulted in the misappropriation of very significant sums of money from companies. Whilst companies have understandably concentrated upon the theft of funds, where a company’s personal data is also compromised by such an attack (e.g. spyware/automated forwarding of emails to the fraudster), a greater number of companies than ever before are suffering data breaches (both deliberate and inadvertent) which are likely to give rise to regulatory fines and civil compensation claims against the company in the context of the General Data Protection Regulation (GDPR) which came into force on 25th May 2018.

Actions a company can take

Companies should work closely with their solicitors and insurance brokers to ensure that their cyber crime policy wording meets their requirements and that the levels of cover are adequate. Standalone cyber insurance policies tend to provide cover for regulatory fines ‘where insurable at law’. Company directors should review the adequacy of their existing Directors & Officer cover to respond to the evolving cyber risk. By also having appropriate updated internal policies and procedures committed to proper governance, companies should be able to ensure that they have a holistic, multi-faceted response in place in the event of a cyber attack or data breach.

GDPR considerations

Policies guided by the insurance policy which include notification of the breach to the Data Protection Commission within 72 hours are particularly important as, in the aftermath of a cyber attack or data breach, company directors tend to be in a vulnerable position with a lot of chaos, turmoil and possibly even recriminations. There can be significant implications under the GDPR for failing to make the notification to the Data Protection Commission in a timely fashion. The GDPR provides that having a documented procedure for compliance with the GDPR and cooperation with the Data Protection Commission, if a data breach arises, are key mitigating factors in the context of any award that the Data Protection Commission will make against a company. Bearing in mind that such fines can be as high as €20m or 4% of a company’s global turnover, and can be covered by cyber policies where insurable, it would be inexplicable for any Irish company director not to afford active consideration to the benefits of cyber crime insurance.

What we can do to assist

With the evolving cyber threat in mind, we have developed a multi-faceted Data Protection and Cyber Risk unit to assist company directors and senior managers with their governance responsibilities, including proper cyber mitigation strategies and ensuring that there is an adequate level of insurance protection in place. Should you require any assistance in this area, please contact any member of the Data Protection and Cyber Risks unit.