Cyber risks and the responsibilities of directors and officers 

When you own or run a business, you have many responsibilities. Looking after your people, your clients, sales, logistics – even the cleaning of your company’s premises.   

Many tasks are shared with your management team or specific departments, such as IT, stationery and HR. Cyber prevention is another – and you may well feel that this sits with your IT team or support company.

However, whilst IT are responsible for your cyber security solutions, it’s important that you play an active role in protecting your business against cyber risks.   

When cyber-attacks occur, legal action against directors and officers can often follow. Stakeholders affected by a cyber-attack may allege that senior leadership failed to adequately address cyber-security threats or establish a plan for responding to an attack.  

Therefore, it’s imperative for you and your senior leadership team to be actively involved in understanding the risks cyber-attacks pose to your business.    

This means implementing robust cyber-security practices to prevent potential attacks, ensuring compliance with all applicable data security standards and establishing an effective cyber-incident response plan to minimise any damages in the event of an attack.   

Cyber-attacks and the risk to board members

In 2020, approximately 9 million easyJet customers had their personal data unlawfully accessed by third parties in a sophisticated cyber-attack. Consequently, law firm PGMBM issued a claim in the London High Court seeking damages of up to £18 billion on behalf of impacted customers.

Your active involvement can both improve cyber-security across your business and reduce liability for directors and officers.

Just one cyber-attack can result in significant damages, including reputational harm, financial losses, legal action and even regulatory action. In some instances, a cyber-event can negatively impact an organisation’s share price, which could cause directors and officers to be sued for a breach of their fiduciary duty.

When it comes to international trading, global regulators are becoming increasingly concerned with the consequences of a cyber-attack. As a result, senior leadership, directors and officers especially, are being challenged to play a greater role in managing cyber-risks for the businesses they represent.

Should you or your board of directors fail to carry out due diligence, you’re not only risking the future of your business, but you’re also putting your own personal finances on the line should legal action be taken in the aftermath of a cyber-attack.   

General responsibilities of directors and officers

While it’s important for the relevant management team or department to have oversight, carrying out cyber-security initiatives is ultimately up to your company’s leadership team. Above all, senior leadership must ensure that everyone clearly understands their roles and responsibilities. These include:  

Policies  

  • Adopt written cyber-security policies, procedures and internal controls  
  • Implement tools that detect cyber-security events  

Appointments 

  • Discuss (as part of your leadership strategy) hiring a chief information officer, chief security officer or similar role. Having a dedicated cyber leadership role isn’t practical for every business. Where this isn’t appropriate, you should consider identifying a qualified, in-house team member who could take on the cyber-security responsibilities in addition to their current role  

Reviews & reports 

  • Review budgets and IT security programmes on a regular basis  
  • Receive and review reports on any data incidents  
  • Keep up to date and informed with cyber-security trends that could impact your business  
  • Create and oversee a team of individuals who are responsible for cyber-security – including systems, protocols and staff training  

Direction 

  • Assess cyber-security risks  
  • Determine which risks can be mitigated directly and which may be transferred using cyber liability insurance or other coverage   

Simply put, one of the best ways you can play an active role in your organisation’s cyber-security is to include the management and mitigation of cyber risks as part of your overall business strategy.

Investing in cyber-security from the top down will help your entire company engage with cyber-security, which in turn builds resilience against cyber-attacks and reduces the risk to you and your fellow board directors.

For more information and tools to understand the cyber threats your business could face, get in touch.