03 August 2022

Treading the Tight Rope Between Cyber Risk Mitigation and Good Governance

Submitted by Teresa Settas

Liabilities arising out of the Protection of Personal Information Act (POPIA) as well as King IV have a direct correlation to Information Technology (IT) risk management. Insurance solutions in both the cyber and Directors & Officers (D&O) liability space have evolved to keep pace with the changing digital and technology risk landscape, supporting board and C-Suite executives in navigating the complex risks that stem from a volatile cyber threat landscape.

South Africa’s regulatory environment has changed radically in the last five years. King IV became active for companies in the 2017 financial year, while the Cybercrimes Act was legislated in 2020, shortly followed by POPIA in 2021. The focus is squarely on data privacy and the liability that emanates from cyber related crimes - both of which have fundamentally transformed the liability landscape for all directors and officers.

“The King IV report put IT governance under a microscope, and POPIA added a liability component onto the misappropriation of client and customer data. Essentially it means that if an organisation suffers a cyber breach, the directors and officers of a company are likely to face investigation as to the IT governance and data privacy controls and whether these were up to standard,” saysZamani Ngidi, Cyber Solutions Client Manager at Aon South Africa.

“With regulated data privacy acts and corporate governance codes such as POPIA and King IV, shareholders are also stepping in and seeking action against directors and officers in their personal capacity, for perceived failure to appropriately deal with a cyber-related incident which has an adverse impact on the share price,” Zamani adds.

The objective of the King IV Report is to:

  • Promote corporate governance as integral to running an organisation and delivering governance outcomes such as an ethical culture, good performance, effective control and legitimacy.
  • Broaden the acceptance of King IV by making it accessible and fit for implementation across a variety of sectors and organisational types.
  • Reinforce corporate governance as a holistic and interrelated set of arrangements to be understood and implemented in an integrated manner.
  • Encourage transparent and meaningful reporting to stakeholders.
  • Present corporate governance as concerned with not only structure and process but also with an ethical consciousness and conduct.

Principle 12 - contained within the King IV report - specifically requires the governing body of an organisation to govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives.

Recommended practices include:

  • 13 (b) – Integration of technology and information risks into organisation-wide risk management.
  • 13 (c) – Arrangement to provide for business resilience.
  • 13 (d) – Proactive monitoring of intelligence to identify and respond to incidents, including cyber-attacks and adverse social media events.
  • 13 (e) – Management of the performance of, and the risks pertaining to, third-party and outsourced service providers.
  • 13 (i) – Compliance with relevant laws.
  • 16 – The governing body should consider the need to receive periodic independent assurance on the effectiveness of the organisation’s technology and information arrangements, including outsourced providers.
  • 17 (c) – Disclosure of actions taken to monitor the effectiveness of technology and information and how the outcomes were addressed.
  • 17 (d) – Planned areas of future focus.

How this translates into cyber as a D&O risk

The best defence in mitigating D&O risk is to transfer the risk through D&O insurance. The cover that a D&O liability insurance policy provides is an absolute necessity when it comes to the protection of the personal assets of directors, officers and other employees charged with supervisory and managerial responsibilities. These individuals can be held liable for wrongful acts which may occur in their day-to-day management activities of the business or entity. The main purpose of a D&O policy is to offer financial protection for investigation and defence costs together with awards for a valid claim for the individual directors and officers in their personal capacity.

D&O insurance typically has a ‘failure to insure’ exclusion, this exclusion precludes coverage for claims made against insureds when claimants suffer losses resulting from failure to purchase insurance coverage, provided such coverage was available (IRMI,2022).

“The interpretation of this wording from the perspective of King IV, means that aD&O policy will most likely not respond to protect the responsible director(s) or officer(s) if a company decides not to purchase or investigate the purchase of cyber insurance to assist in the fulfillment of principle 12c (business resilience); especially if the nature of any subsequent investigation finds that the decision was critical to the finding or failure,” Zamani explains. 

Although South Africa has not yet seen cases of this nature, the regulatory framework is laid out and is consistent with what has been observed in the US and EMEA. The following examples provide an indication of the severity of shareholder lawsuits:

Filing Date Organisation Description Status Source
July 2018 Facebook
  • Allegations include failure to disclose impact of GDPR
  • Announcement led to $120bn decline in market cap
  • Securities Class Action filled on March 2018
$100 million settlement SEC.gov | Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data
September 2017 Equifax
  • Hackers breached its consumer database and accessed millions of records containing personally identifiable information.
$149 million settlement Equifax’s $149 Million Data Breach Settlement OK’d (Corrected) (bloomberglaw.com)
January 2017 Altaba (Yahoo!)
  • Data breach resulting in the theft of personal user data due to Yahoo’s failure to encrypt its users’ personal account information.
  • $350 million purchase price reduction following two breaches.
  • Securities Class Action filed on January 24, 2017.
$29m derivative settlement June 2019.

$80m securities claim settlement March 2018

Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement - The New York Times (nytimes.com)
Yahoo offers $80m to settle data breaches lawsuit | ITWeb
January 2015 Anthem
  • Data breach resulting in the theft of medical data of approximately 37.5m people.
  • In June of 2017, the Securities Class Action was settled.
$115m settlement Anthem Agrees to $115 Million Settlement Over Data Breach - Bloomberg

“Making informed decisions in this space requires concrete data and analytics from a seasoned cyber risk expert, who will guide you in taking the necessary steps to protect data and hold partners and suppliers to the same standards. It is essential to work with a specialised cyber risk broker and advisor who has the necessary experience, to help you map out the cyber risks facing your business and its directors and officers - putting the necessary processes, risk mitigation and protection in place is no longer an optional exercise, in a world that is exponentially impacted by cyber and technology threats,” Zamani concludes.

-- ENDS --

About Aon
Aon plc (NYSE: AON) exists to shape decisions for the better— to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business

Visit www.aon.co.zafor more information.

Follow Aon South Africa on TwitterFacebookand LinkedIn.

Find our latest Insightsfrom a local point of view.

Hear from Aon’s expert advisors in The One Brief.

Aon South Africa’s Impact Report.