Cyber risk is becoming one of
the largest global threats to businesses. According to a very
recent report by Deloitte, almost 9 out of 10 FTSE 100 companies
have identified a cyber risk in their disclosure and roughly 87% of
firms deem cyber risk as one of their principal risks. As a result,
directors, who owe a duty to the company to use reasonable care and
skill in their decision-making and promote the success of the
company, should take every opportunity to minimise cyber risk.
Despite the growing trend in recognition of cyber risk, it is
reported that only around 5% of directors at board level of FTSE
100 companies have cyber security expertise and only 27% have a
clearly identified person or body who is responsible for cyber
security. What's more, according to a UK government report, up
to 98% of large companies have no cyber insurance cover in place.
This probably means that directors of up to 98% of UK companies are
in breach of their statutory duties.
DIRECTORS' STATUTORY DUTIES
The Companies Act 2006 imposes a number of duties on directors
which are owed to the company, including the need to promote the
success of the company and to exercise reasonable care, skill and
diligence in their decision-making. In promoting the success of the
company, the director is required to (among other things):
– consider the likely long-term consequences of any
– seek to ensure that the company maintains a reputation
for high standards of business conduct.
A breach of these duties could result in the directors
being held liable either by the company or the shareholders by way
of a derivative action. Remedies for breach of duty to exercise
care, skill and diligence would ordinarily be damages whereas a
breach of the fiduciary duties includes damages, injunction and
possibly a director's disqualification. In addition, directors
may have their service contract terminated.
CONSEQUENCES OF CYBER BREACH
To comply with the statutory duties, directors generally address
risk management in their corporate governance strategy. With more
companies using technology and online services in their day-to-day
operations, cybersecurity is evidently an ever growing risk. In
fact, according to a UK government report, of all respondents
surveyed, around 65% of large firms detected a cyber security
breach in 2015/16. The most costly breach identified in the survey
was £3m. However, the cost could be much more significant.
For example, it is thought that the cyber-attack on TalkTalk in
October 2015 resulted in exceptional costs of up to £82m,
loss of over 100,000 customers and the company's profits
Immediate financial costs aside, a cyber breach is also likely
to result in the loss of customer and/or supplier data. Such a loss
will not only put at risk those affected, but will likely result in
customers and suppliers terminating their business relationships
with the company for fear of future breaches. Companies may also
face legal proceedings. In addition, the company could be seen as
operating a poor cyber security regime which will serve to
undermine any attempts by directors to maintain a reputation for
high standards of business conduct. The effects of these additional
factors will no doubt add financial strain to the business which
could have severe consequences on the business' operations in
the long term. Directors themselves may face claims for negligence
for failing to exercise reasonable care and skill to protect the
company from cyber-attacks. Indeed, with an influx of reports of
high-profile cyber-attacks in the recent years, it is difficult to
envisage a director who could be deemed to exercise reasonable care
and skill without making any attempts to address the company's
cyber security. After all, in the current climate, "the event
of a cyber-attack is not a question of if, but when, by whom and by
what degree" (Deloitte UK).
MITIGATING CYBER RISK
To minimise the risk of breaching their statutory duties,
(i) ensure they understand the level of risk cyber-attacks pose
for the company and continue monitoring this;
(ii) consider appointing a director with experience in cyber
security who will have primary responsibility for cyber risk
management. Such a person should check that the board understands
what the company's key assets are, what its current strengths
and weaknesses are and that it operates a robust cyber security
policy addressing each of these factors among others;
(iii) ensure that the company's cyber policy provides for
regular cyber security training to employees and that it contains a
practical and efficient incident response plan which will help
contain and mitigate any damage caused by a cyber-attack; and
(iv) consider obtaining cyber insurance which provides an
appropriate level of cover.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
An assignment of rights under a contract is normally restricted to the benefit of the contract. Where a party wishes to transfer both the benefit and burden of the contract this generally needs to be done by way of a novation.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).