Please be sure to visit Mintz Levin's Privacy and Security Matters blog where Heidi Lawson and Danny Harary are posting a five-part series focusing on cyber risks for the board room. This series focuses on what directors need to consider with respect to their own potential liability and the possible gaps in their company's current D&O policies for cyber risks. There will be a new post each day this week.
Yesterday's post focused on the recent increase in focus on privacy issues, and provided an overview of the SEC's most recent initiatives in this area. This post also provided several sample questions that directors should be asking about their company's cybersecurity readiness. Below is a preview of the remaining four posts in this series:
Tuesday: This post will provide an overview of why directors need to be concerned about data breaches and the potential personal liability that can arise from such breaches. While Target's termination of its CEO and Chairman provides a very stark and recent example of the impact that data breaches can have on directors and officers, this post will also provide an overview of other areas of potential exposure and liability, including SEC investigations and shareholder litigation. This post provides the context for why focusing on potential gaps in D&O coverage for these liabilities is so important.
Wednesday: Given the large potential exposures outlined by Tuesday's post, this post emphasizes the importance of having the right D&O coverage. This post provides several specific questions directors should be asking when it comes to their D&O coverage with a special emphasis on identifying any gaps that may exist with respect to coverage for cyber risks.
Thursday: This post will focus on the importance of having D&O coverage for regulatory investigations, including investigations concerning cyber attacks or data breaches, and identifies how many policies provide only illusory coverage for these types of investigations.
Friday: The final post in this series will examine D&O coverage for privacy violations. It examines potential exclusions of this type of coverage, and provides three specific steps that directors can take to fill such gaps.