Even if one subscribes to the belief that personal data is the 21st century equivalent of oil, there is no doubt that it brings both pros and cons, as evidenced by the liability claims often filed against companies that hold data.
In addition, since 8 January 2021, authorities in Brazil can apply severe sanctions under the General Data Protection Law. This reinforces accountability risk and the need for companies to establish a robust data protection culture.
Certain types of insurance have been created to address these issues. Insurance for cyber risks deals with data leaks, server downtime, software and hardware failure, and the resulting reputational damage, for example.
Processing and protecting personal data has obvious implications for cyber insurance risk, but it also affects other types of insurance as well.
For instance, for errors and omissions (E&O) insurance, typically sourced by companies that provide technology services, such as a software developer whose products may cause severe damage to end users. In this example, an E&O insurance policy would protect the property interests of the technology company.
General liability insurance may cover situations in which a particular cyber risk causes material damage to third parties. In May 2021, for example, hackers accessed the systems of a fuel distributor, collapsing its network and causing issues across almost the entire east coast of Brazil.
There are also implications for directors and officers (D&O) insurance. In all jurisdictions, not just Brazil, issues related to cyber risks are no longer a problem just for companies, but also for their D&Os.
According to a study by the Organisation for Economic Co-operation and Development (OECD), there is enormous potential for losses associated with cyber risks. As a result, companies should implement robust information and data security systems and ensure they continue to operate properly. They should seek specialist, technical advice on protecting against cyber risks and their impact. If there is a lack of diligence in this area, executives may be held accountable for any resulting damages.
Class actions, based on violations of user or consumer data protection systems, have been filed against D&Os in the US, Europe, the UK and Asia. The defendants are often exclusively data protection officers (DPOs), who are the individuals in charge of this function under the provisions of article 41 of Brazil’s General Data Protection Law (LGPD). However, large public companies usually have chief risk officers (CROs) or directors who are also responsible for information technology, and may find themselves subject to class actions. Furthermore, managers of Brazilian companies may be answerable for the acts of other managers, under article 158 of the Corporations Law.
‘Silent’ cyber coverage means a policyholder’s insurance programme does not categorically state either the existence or non-existence of coverage for cyber risks. Today, such silence is troubling. The opposite of silent coverage is affirmative coverage, whereby the contractual language explicitly clarifies either coverage for, or exclusion of, cyber risks.
In terms of the intersection between cyber risks and directors’ liability, directors are increasingly seeking D&O insurance that can offer them guarantees such as, for example, coverage for defence costs, damage to their reputation, coverage for fines imposed by authorities and also possible indemnities to be paid to third parties.
Directors should therefore take a closer look at their insurance programmes, with the aim of avoiding ‘silent’ cyber coverage and its deleterious effects.
There are parallels that the Brazilian insurance market has observed between environmental insurance and D&O insurance. The environmental tragedies of Mariana and Brumadinho, which occurred in Minas Gerais, resulted in a loss of share value for the Brazilian mining company responsible for those sites. The Brumadinho catastrophe led to a discussion about the responsibility, or otherwise, of the company’s directors and board members, on the grounds that they could or should have taken measures to avoid the event.
The issues gave rise to a convergence between the two classes of insurance, environmental and D&O. Should liability claims have been allocated to D&O insurance or to environmental liability insurance?
Going forward, there is rising probability that certain events will, similarly, give rise to a convergence between cyber and D&O insurance. It is therefore up to policyholders, insurers and reinsurers, as well as brokers, to make the right decisions around coverage, allocations and exclusions. They must, at all costs, avoid silent cyber coverage, and the associated issues it will eventually cause.
