Customary Directors & Officers liability insurance covers neither cyber attacks nor the increased exposure from an Initial Public Offering (IPO). So, it might be time to go through your organisation’s responsibilities, as well as your current insurance policies.
In view of recent major cyber attacks, a problem that seems to be escalating, and the implementation of the new EU General Data Protection Regulation next year, it’s important for any company to know how to handle sensitive data, such as patient data, and to make sure that the company has adequate insurance coverage.
The new EU General Data Protection Regulation concerns any information that can be tied to a physical person. For a company, it means that all information about its employees, customer registers, newsletters and job applications (even spontaneous ones) is affected by the new regulation.
“Someone at the company, preferably a Data Protection Officer (DPO), needs to be responsible for handling data. A DPO is expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data, such as is handled in clinical trials for instance,” says Ann Karlsson, Insurance Mediator at Söderberg & Partners (S&P).
With the new regulation the demands will be much stricter, from a Swedish perspective.
“For instance, if a hack may mean that sensitive information leaks, the company is obliged to notify relevant authorities within 72 hours. People whose personal data may have leaked by the hack shall also be informed,” she comments.
The penalties will also be higher.
“With penalties amounting to up to 4% of the company’s turnover (with a maximum amount of MEUR 20), you may be bankrupt or have an economic situation that prevents the company from making other investments.”
According to Ann Karlsson, a combination of a crime and a cyber policy is highly recommended in order to safeguard protection and to be compliant with the new legislation.
A favourable market has opened up for more and more life science companies to opt for the stock market. It is, however, important to consider that the risk of exposure increases with a listing and that an introduction is not covered by customary Directors & Officers liability insurance. Hence, when making an IPO it’s good to take out prospectus liability insurance for the CEO, CFO and board as well, before the prospectus becomes public.
Among the most common claims and exposures arising from a prospectus is that the company has neglected, missed or not adequately described a risk factor (or any other situation) in the prospectus, which may in the future adversely affect earnings and thus the share price, i.e. investors lose money.
It can also concern incorrect allocation of shares. In this case current shareholders may consider and assert that they’ve been allocated too few shares in accordance with the issue prospectus and may sue for that reason. In case of bankruptcy, it’s possible to sue both under the Directors & Officers liability insurance and the IPO.
There are of course insurance policies that cover these exposures. Though some people think they’re quite costly, it’s typical to add the premium as part of the prospectus costs. When the premium is paid, the insurance automatically continues for a number of years (usually 3-6 years).
The experienced and skilled insurance mediators at S&P help businesses to navigate safely through the complex landscape of liabilities and exposures emerging from new legislation, cyber attacks and IPOs.
“We work closely with our customers and make sure that their insurance is up to date and covers the liabilities and exposures they face, both in the short and long term. One way in which we communicate changes on the market is through seminars. In Malmö, we will host a breakfast seminar on September 19th, where we partner with specialists from the MAQS law firm to inform our invited customers about cyber liability and the new regulation. A seminar that will, for instance, address the board’s responsibility,” Ann Karlsson concludes.