Skip to main content

Covid-19: Impact on Cyber Risk | Are Directors prepared?

COVID 19 Coronavirus

By Jessica Wright and Sunny Goel | May 20, 2020

Proper D&O and Cyber risks analysis is imperative prior to the negotiation of a tailored insurance policy to address the identified exposures.

Whether it is disclosure obligations for the potential impact of COVID-19 on businesses or increasing cyber vulnerabilities due to extensive work-from-home (WFH) initiatives, companies and their directors are dealing with myriad of risks with no real precedent for many of today’s tough decisions.

According to Willis Towers Watson India’s readiness survey on COVID-19, approximately 72% of organisations have indicated that they have equipped employees to WFH. This has spurred many companies into action in firstly reviewing their business continuity plans and secondly considering director’s duties in managing and mitigating the potential financial impacts of cyber and COVID-related incidents.

Several governmental institutions have had the long-standing goal of leveraging the insurance industry to incentivise the adoption of better cyber risk management practices across the private and public sectors. Brokers and underwriters today have access to reams of data about the frequency and impacts of privacy events due to the well-publicised breaches of massive amounts of personal data. What they lack, however, is the same information about cyber-caused business interruption events, their duration, and related costs. The reason for this disparity is simple. North America, Europe, the UK, and Australia have all adopted data breach notification laws, requiring companies to disclose data breaches to impacted individuals and relevant authorities. India has not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A which provides for a right to compensation for improper collection & disclosure of personal information. These new amendments have imposed additional requirements on commercial and business entities in India which have some similarities with the European Union’s GDPR and Data Protection Directive.

Effectively addressing cybersecurity risks can be considered a duty of a director, and in our new environment directors and officers may also face allegations of mismanagement arising from COVID-19 exposures. In the context of the pandemic, securities claim may involve a shareholder class action alleging violations of securities laws relating to the adequacy of COVID-19 risk disclosures. Private companies are also not immune and may grapple with regulatory and compliance uncertainty in facing unparalleled events and responses by authorities (refer Disaster management Act 2005). While most D&O policies will respond well to traditional D&O perils caused by cyber and COVID-19 events, companies should consult their broker to guide them on coverage limitations being applied in unexpected ways. 

Given these heightened exposures are likely to survive the end of the COVID-19 pandemic, organisations should be prepared to implement long-term strategies including risk transfer options via insurance. Ensuring insurance programmes are adequate is a challenge many companies face, one that has pushed Willis Towers Watson to build on our technology platform and actuarial expertise to deliver enhanced risk advisory services which better address your unique needs. A proper analysis of the D&O and Cyber risks an organisation faces is imperative before a properly tailored insurance policy can be negotiated to address the identified exposures.

*The article was first published in ET CFO .

Title File Type File Size
Covid-19 Impact on Cyber Risk-Are Directors prepared PDF .1 MB

Regional Associate Director, Cyber – Asia,
Willis Towers Watson

Head of Financial and Executive Risks
Willis Towers Watson India Insurance Brokers

Related content tags, list of links Article COVID-19 (Coronavirus)

Related Solutions

Contact Us