Cybersecurity remains one of the biggest concerns facing the insurance industry. While all levels of operation within an organization are responsible for cybersecurity, recent litigation and regulatory action have demonstrated that the ultimate responsibility for enacting a company’s cybersecurity rests with the board of directors. Many boards of directors have had to defend themselves against shareholders alleging that the board’s failure to take steps to prevent a data breach violated board members’ fiduciary duty of care. Regulators have also stepped up examinations of companies’ cybersecurity programs, sometimes reminding directors that cybersecurity is not merely a question for IT personnel, but rather a high-priority issue that must be addressed from the top down. To avoid potential litigation or regulatory action, boards should proactively strive to create company-wide cybersecurity protocols and policies that regularly test cybersecurity systems, require training in cyber risk management, establish a data breach response plan, and implement appropriate oversight of third-party service providers.

As noted above, a board’s duty with respect to cybersecurity is generally to oversee the company’s cybersecurity policies, procedures, and strategies, and to adequately assess cyber risk, in order to help ensure that appropriate mechanisms have been implemented by management. One oversight strategy is the formation of a committee responsible for managing and overseeing the company’s cybersecurity systems and IT personnel. This could be the committee already responsible for overseeing the company’s risk management policies and procedures, such as a risk committee (RC). Larger companies may consider forming an independent cybersecurity risk committee (CRC) to focus exclusively on cybersecurity, data management, and IT. Whether to form an independent CRC or rely on an existing RC will depend on the size and complexity of the insurer and the sensitivity of the data that the company must safeguard.