Liabilities arising under the Protection of Personal Information Act (POPIA) and the King IV Report on Corporate Governance are directly tied to how an organisation manages its Information Technology (IT) risk. Insurance solutions in both the cyber and Directors & Officers (D&O) liability space have evolved to keep pace with the changing digital and technology risk environment, supporting boards and C-suite executives in navigating the complex exposures that stem from a volatile cyber threat landscape.
South Africa's regulatory environment has changed radically in the last five years. King IV applies to financial years commencing on or after 1 April 2017; the Cybercrimes Act (Act 19 of 2020) was signed into law in June 2021; and POPIA became fully enforceable on 1 July 2021, when its one-year compliance grace period ended. The focus is squarely on data privacy and on the liability that emanates from cyber-related crimes, both of which have fundamentally transformed the liability landscape for all directors and officers.
“The King IV report put IT governance under a microscope, and POPIA added a liability component onto the misappropriation of client and customer data. Essentially it means that if an organisation suffers a cyber breach, the directors and officers of a company are likely to face investigation as to the IT governance and data privacy controls and whether these were up to standard,” says Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa.
“With regulated data privacy acts and corporate governance codes such as POPIA and King IV, shareholders are also stepping in and seeking action against directors and officers in their personal capacity, for perceived failure to appropriately deal with a cyber-related incident which has an adverse impact on the share price,” Zamani adds.
The objective of the King IV Report is to:
Principle 12 - contained within the King IV report - specifically requires the governing body of an organisation to govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives.
Recommended practices include:
How this translates into cyber as a D&O risk
The best defence in mitigating D&O risk is to transfer the risk through D&O insurance. The cover that a D&O liability insurance policy provides is essential to protecting the personal assets of directors, officers and other employees charged with supervisory and managerial responsibilities, because these individuals can be held personally liable for wrongful acts committed in their day-to-day management of the business or entity. The main purpose of a D&O policy is to provide financial protection, in the individual director's or officer's personal capacity, for investigation and defence costs together with awards and settlements arising from a valid claim.
D&O policies typically contain a 'failure to insure' exclusion. This exclusion precludes coverage for claims made against insureds where the claimant's loss results from the insured's failure to purchase insurance coverage, provided that such coverage was available (IRMI, 2022).
“The interpretation of this wording from the perspective of King IV, means that a D&O policy will most likely not respond to protect the responsible director(s) or officer(s) if a company decides not to purchase or investigate the purchase of cyber insurance to assist in the fulfilment of principle 12c (business resilience); especially if the nature of any subsequent investigation finds that the decision was critical to the finding or failure,” Zamani explains.
Although South Africa has not yet seen cases of this nature, the regulatory framework is in place and is consistent with what has been observed in the US and EMEA. The following examples from those jurisdictions give an indication of the scale of breach-related litigation, including shareholder actions, and the settlements that followed:
Filing Date | Organisation | Description | Outcome | Source
July 2018 | | | $100 million settlement |
September 2017 | Equifax | | $149 million settlement | Equifax's $149 Million Data Breach Settlement OK'd (Corrected) (bloomberglaw.com)
January 2017 | Altaba (Yahoo!) | | $29 million derivative settlement (June 2019); $80 million securities claim settlement (March 2018) |
January 2015 | Anthem | | $115 million settlement | Anthem Agrees to $115 Million Settlement Over Data Breach (Bloomberg)
“Making informed decisions in this space requires concrete data and analytics from a seasoned cyber risk expert, who will guide you in taking the necessary steps to protect data and hold partners and suppliers to the same standards. It is essential to work with a specialised cyber risk broker and advisor who has the necessary experience, to help you map out the cyber risks facing your business and its directors and officers - putting the necessary processes, risk mitigation and protection in place is no longer an optional exercise, in a world that is exponentially impacted by cyber and technology threats,” Zamani concludes.