Treading the Tight Rope Between Cyber Risk Mitigation and Good Governance

Liabilities arising out of the Protection of Personal Information Act (POPIA) as well as King IV have a direct correlation to Information Technology (IT) risk management. Insurance solutions in both the cyber and Directors & Officers (D&O) liability space have evolved to keep pace with the changing digital and technology risk landscape, supporting board and C-Suite executives in navigating the complex risks that stem from a volatile cyber threat landscape.

South Africa’s regulatory environment has changed radically in the last five years. King IV became active for companies in the 2017 financial year, while the Cybercrimes Act was legislated in 2020, shortly followed by POPIA in 2021. The focus is squarely on data privacy and the liability that emanates from cyber related crimes – both of which have fundamentally transformed the liability landscape for all directors and officers.

“The King IV report put IT governance under a microscope, and POPIA added a liability component onto the misappropriation of client and customer data. Essentially it means that if an organisation suffers a cyber breach, the directors and officers of a company are likely to face investigation as to the IT governance and data privacy controls and whether these were up to standard,” says Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa.

“With regulated data privacy acts and corporate governance codes such as POPIA and King IV, shareholders are also stepping in and seeking action against directors and officers in their personal capacity, for perceived failure to appropriately deal with a cyber-related incident which has an adverse impact on the share price,” Zamani adds.

The objective of the King IV Report is to:
Promote corporate governance as integral to running an organisation and delivering governance outcomes such as an ethical culture, good performance, effective control and legitimacy.
Broaden the acceptance of King IV by making it accessible and fit for implementation across a variety of sectors and organisational types.
Reinforce corporate governance as a holistic and interrelated set of arrangements to be understood and implemented in an integrated manner.
Encourage transparent and meaningful reporting to stakeholders.
Present corporate governance as concerned with not only structure and process but also with an ethical consciousness and conduct.

Principle 12 – contained within the King IV report – specifically requires the governing body of an organisation to govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives.

Recommended practices include:
13 (b) – Integration of technology and information risks into organisation-wide risk management.
13 (c) – Arrangement to provide for business resilience.
13 (d) – Proactive monitoring of intelligence to identify and respond to incidents, including cyber-attacks and adverse social media events.
13 (e) – Management of the performance of, and the risks pertaining to, third-party and outsourced service providers.
13 (i) – Compliance with relevant laws.
16 – The governing body should consider the need to receive periodic independent assurance on the effectiveness of the organisation’s technology and information arrangements, including outsourced providers.
17 (c) – Disclosure of actions taken to monitor the effectiveness of technology and information and how the outcomes were addressed.
17 (d) – Planned areas of future focus.

How this translates into cyber as a D&O risk
The best defence in mitigating D&O risk is to transfer the risk through D&O insurance. The cover that a D&O liability insurance policy provides is an absolute necessity when it comes to the protection of the personal assets of directors, officers and other employees charged with supervisory and managerial responsibilities. These individuals can be held liable for wrongful acts which may occur in their day-to-day management activities of the business or entity. The main purpose of a D&O policy is to offer financial protection for investigation and defence costs together with awards for a valid claim for the individual directors and officers in their personal capacity.

D&O insurance typically has a ‘failure to insure’ exclusion, this exclusion precludes coverage for claims made against insureds when claimants suffer losses resulting from failure to purchase insurance coverage, provided such coverage was available (IRMI,2022).

“The interpretation of this wording from the perspective of King IV, means that a D&O policy will most likely not respond to protect the responsible director(s) or officer(s) if a company decides not to purchase or investigate the purchase of cyber insurance to assist in the fulfillment of principle 12c (business resilience); especially if the nature of any subsequent investigation finds that the decision was critical to the finding or failure,” Zamani explains.