Management liability is on the rise

150 employees from medium and large companies were surveyed, including directors and independent directors, risk managers, compliance professionals and lawyers, among others. The results of the interviews, collected in the study D&O: Personal Exposure to Global Risk, are clear: cyber risks and proper data management are the biggest concerns of today's executives.

In fact, in 40% of the participating companies, one of their D&O (directors and officers) had been involved in an investigation related to cyber-attacks or risks arising from leaks of sensitive data in the 12 months prior to the survey. For half of the respondents, data security breaches and risks arising from the European Union's General Data Protection Regulation (GDPR) are their main concerns. Not least because failure to comply with the GDPR can result in penalties of up to 4% of the group's annual turnover or up to 20 million euros.

In addition, a similar percentage of executives said that cyber-attacks are their second biggest concern. Cyber threats put the company's business continuity and reputation at risk and can pose significant liability risks to its executives. As a result, it is becoming increasingly common for company boards to place greater importance on mitigating and transferring the risks to which the organization is exposed.
The impact of a security breach or system failure exceeds the purely financial or economic consequences of the investigation and restoration of the company's systems, or the due notification of users and affected parties: other aspects related to reputation, possible fines and sanctions - both for the company and those responsible for it - or the drop in shareholder value due to doubts about the management of the company by its executives, are other key consequences to be taken into account.


D&O policies against security breaches

D&O policies are designed to protect the personal assets of senior management against potential claims arising from errors or omissions in their duties. These include decisions involving IT systems, infrastructure, data management under the new General Data Protection Regulation (GDPR) or cybersecurity. In this context, it is becoming increasingly common, especially in the United States, for these policies to carry specific exclusions for privacy and cybersecurity-related claims.

Thus, two kinds of exclusion are becoming more and more common: property and personal damage exclusions, covering physical and moral damages following an attack or the theft of sensitive data, and terrorism exclusions, which protect organizations and their managers from attacks perpetrated by "hacktivists".

On the other hand, following the entry into force of the GDPR, D&O policies are adapting to the new regulatory framework. Some insurance policies are beginning to expressly include the Data Protection Officer, a role that is mandatory in organizations that manage large amounts of data, in the definition of insured person. Likewise, policies have been adapted to the new sanctions regime and to the responsibilities that fall on executives for crisis management following a cyber incident.