Risk Insider: Carol Zacharias

Cyber Directors: Greater Expertise, Greater Liabilities?

October 17, 2016 • 2 min read
Carol Zacharias is underwriting counsel to QBE North America, a multinational insurer. She has a master's degree in corporate law from New York University School of Law. She can be reached at [email protected]

The World Economic Forum places cyber security ahead of terrorism as one of the top 10 economic threats to 140 countries. Cyber security risk in the corporate arena is the responsibility of the board.

As noted by the commissioner of the SEC, “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.”

Boards have taken up the charge. Cyber security has moved from 11th place to third place on board agendas according to the Lloyd’s of London “Biennial Risk Index” of 2011 and 2013.  The increased spending on cyber security protection by companies further supports this trend.

According to Gartner Inc., companies spent $86 billion on protection efforts in 2015, which reflects an 18 percent increase from the prior year, and are expected to spend $94 billion in 2016.

Expertise

The issue becomes, how can a board address cyber risk complexities and meet its duty of care?

Congress proposes mandating cyber experience on boards. The Cybersecurity Disclosure Act of 2015 requires that public companies disclose whether the company has a director with cyber security experience or expertise, or disclose what cyber security steps it has taken that mitigate against acquiring board expertise.

At the same time, boards today are addressing cyber risk in one of several different ways.

Some address cyber security as a plenary board, receiving reports, engaging in discussions and making critical decisions as a whole. This can prove challenging due to the paucity of time at a board meeting and lack of board level cyber expertise.

Alternatively, boards may delegate cyber risk management to established audit committees. A committee forum provides greater time for analysis and expert consultation. However, audit committees are more likely to have financial rather than cyber expertise, and are more attuned to financial rather than technology and innovation issues.

Other boards create a cyber security committee or seek to add a cyber expert to the board itself. Either way, the board is seeking greater cyber expertise and experience at the board level.

Liability 

The issue becomes whether the cyber expert director has a higher risk of liability than fellow directors. Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?

All corporate directors owe a fiduciary duty of care to the company and its shareholders. In executing their duty of care, the director must act in a manner that a reasonably prudent person would act under the circumstances.  A reasonable person means one with the expertise of the director in question. If a director has a particular expertise, skill or experience, they are expected to apply it.

Accordingly, the cyber expert-director could be held to a higher standard of care and diligence in reviewing cyber-related matters than a director without cyber expertise.

While no director can turn a blind eye to negligence, and while all directors must act with diligence and care in addressing cyber matters, the cyber expert-director will tenably be expected to act in a manner that a reasonably prudent cyber expert would act under the circumstances, conducting a diligent technical review and evaluation of cyber matters that a director without cyber expertise could not undertake.

The Profession

After 20 years in the business, Navy Pier’s Director of Risk Management values her relationships in the industry more than ever.
June 1, 2017 • 4 min read

R&I: What was your first job?

Working at Dominick’s Finer Foods bagging groceries. Shortly after I was hired, I was promoted to [cashier] and then to a management position. It taught me great responsibility and it helped me develop the leadership skills I still carry today.

R&I: How did you come to work in risk management?

While working for Hyatt Regency McCormick Place Hotel, one of my responsibilities was to oversee the administration of claims. This led to a business relationship with the director of risk management of the organization who actually owned the property. Ultimately, a position became available in her department and the rest is history.

R&I: What is the risk management community doing right?

The risk management community is doing a phenomenal job in professional development and creating great opportunities for risk managers to network. The development of relationships in this industry is vitally important, and providing opportunities for risk managers to come together and speak about their experiences and challenges is what enables many of us to be able to do our jobs even more effectively.

R&I: What could the risk management community be doing a better job of?

Attracting, educating and retaining young talent. There is this preconceived notion that the insurance industry and risk management are boring and there could be nothing further from the truth.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

In my 20 years in the industry, the biggest change in risk management and the insurance industry is the various types of risk we look to insure against. Many risks that exist today were not even on our radar 20 years ago.

Gina Kirchner, director of risk management, Navy Pier Inc.

R&I: What insurance carrier do you have the highest opinion of?

FM Global. They have been our property carrier for a great number of years and in my opinion are the best in the business.

R&I: Are you optimistic about the US economy or pessimistic and why?

I am optimistic that policies will be put in place with the new administration that will be good for the economy and business.

R&I: What emerging commercial risk most concerns you?

The commercial risks that are of most concern to me are cyber risks, business interruption, and any form of a health epidemic on a global scale. We are dealing with new exposures and new risks that we are truly not ready for.

R&I: Who is your mentor and why?

My mother has played a significant role in shaping my ideals and values. She truly instilled a very strong work ethic in me. However, there are many men and women in business who have mentored me and have had a significant impact on me and my career as well.

R&I: What have you accomplished that you are proudest of?

I am most proud of making the decision a couple of years ago to return to school and obtain my [MBA]. It took a lot of prayer, dedication and determination to accomplish this while still working a full-time job, being involved in my church, studying abroad and maintaining a household.

R&I: What is your favorite book or movie?

“Heaven Is For Real” by Todd Burpo and Lynn Vincent. I loved the book and the movie.

R&I: What’s the best restaurant you’ve ever eaten at?

A French restaurant in Paris, France named Les Noces de Jeannette Restaurant à Paris. It was the most amazing food and brings back such great memories.

R&I: What is the most unusual/interesting place you have ever visited?

Israel. My husband and I just returned a few days ago and spent time in Jerusalem, Nazareth, Jericho and Jordan. It was an absolutely amazing experience. We did everything from riding camels to taking boat rides on the Sea of Galilee to attending concerts sitting on the Temple steps. The trip was absolutely life changing.

R&I: What is the riskiest activity you ever engaged in?

Many, many years ago … I went parasailing in the Caribbean. I had a great experience and didn’t think about the risk at the time because I was young, single and free. Looking back, I don’t know that I would make the same decision today.

R&I: What about this work do you find the most fulfilling or rewarding?

I would have to say the relationships and partnerships I have developed with insurance carriers, brokers and other professionals in the industry. To have wonderful working relationships with such a vast array of talented individuals who are so knowledgeable and to have some of those relationships develop into true friendships is very rewarding.

R&I: What do your friends and family think you do?

My friends and family have a general idea that my position involves claims and insurance. However, I don’t think they fully understand the magnitude of my responsibilities and the direct impact it has on my organization, which experiences more than 9 million visitors a year.




Katie Siegel is a staff writer at Risk & Insurance®. She can be reached at [email protected]