An expert in company director insurance has warned that the new mandatory breach notification laws come with a pricey consequence for Australian companies and their directors.
Wotton + Kearney's Andrew Moore said businesses face a heightened risk of litigation over data breaches or cyber attacks that negatively impact company share prices – a risk further heightened by the "high standard of care" the courts require of company directors to ensure they "appropriately" manage risks and act in the best interests of shareholders.
"There should be little doubt that such risks include cyber risk," Moore told The Australian Financial Review. "While these types of breaches in the context of cybersecurity have not yet been heard and tested by the courts, it is only a matter of time before this occurs in light of the new mandatory breach notification."
The breach notification laws, enforced in early 2017, require Australian organisations to inform customers if their systems have been hacked or if a network flaw left private customer data exposed.
"The suggestion that protection against a cyber attack lies with a company's IT department and not also with the board of directors is misconceived," Moore told AFR. "Following a data breach or cyber attack, a company is exposed to the risk of litigation brought by shareholders against directors or officers for failing to implement adequate security measures ... resulting in losses sustained by shareholders through decreased share prices."
In FY2017, the Office of the Australian Information Commissioner received 114 voluntarily reported cyber breaches, including a November breach that exposed more than 25,000 of wealth giant AMP's staff expense claims, plus the personal details of almost 50,000 Australian workers.
The event didn't seem to financially affect AMP, however, as its share price, which was sitting at $5 the day the market was alerted to the breach, climbed to $5.05 the next day.
The corporate watchdog released a 2015 report urging company directors to determine when they have appropriate board-level oversight of cyber risks, AFR
"The ramifications for directors and officers for failing to meet obligations can result in disqualification and, therefore, ensuring cyber risks are properly managed by company directors and not just referred to the IT department is imperative for the future viability and continuity of a business," Moore told the publication.
Joel Pridmore, Munich Re's Asia-Pacific underwriting manager, said directors and officers' insurance policies have a wide definition of "wrongful act."
"The policy will usually respond unless there is a specific exclusion," he told AFR. "The potential costs of data security breaches can be significant and companies must not assume their standard, existing insurance policies cover them for cybersecurity and data breaches."
This report comes amid increasing pressure on the D&O insurance market, which saw a 300% spike in premiums in response to the skyrocketing number of share price-related class actions lodged against Australian businesses, AFR