Heavy is the head that wears the crown. These are the words that encapsulate the burden and difficulties faced by directors when navigating through the modern business environment; a responsibility that might have seemed moderate at first might turn into a compliance nightmare.

Companies no longer have to comply with just company laws. Compliance now extends to a wide range of issues that have become important in recent years. These issues include privacy laws, environmental impacts and social influences; companies are now viewed as corporate citizens and they must be responsible and be held accountable. Added to this equation are the advancements in technology with interconnected systems for business operations as well as the rise in the use of customer data by businesses to customize consumer experiences and target a wider range of customers. However, this comes at a cost; in the terrain of technology, data is a commodity - and like anything of value, criminals, or shall we say, cybercriminals, want in.

In this age of advanced technology, one cannot simply shy away from director liabilities when it comes to cyber risks. Cyber risks are a real concern and can result in material financial losses for companies. Directors should therefore be well informed of the issues and the impacts they may have on their businesses and organizations. This may not always be the case, particularly in relation to what the duties of a director are and the risks that a director should be aware of when navigating a business environment powered by artificial intelligence and data science, and in particular the risks relating to cybersecurity. What this really comes down to is the fiduciary duties of a director and regulatory compliance.

The failure of directors to manage and implement appropriate measures to guard against cyber security risks could give rise to a breach of a director's fiduciary duties and, moreover, a breach of the law in terms of the Cybercrimes Act 19 of 2020 ("Cybercrimes Act") and, perhaps more importantly, the Protection of Personal Information Act No 4 of 2013 ("POPIA").

The Companies Act 71 of 2008 ("the Act") entrusts the board of directors with the duty to manage and direct the business and affairs of a company. The Act gives the board of directors the authority to exercise all of the powers and perform any of the functions of the company, subject to the provisions of the Act and those of the company's memorandum of incorporation. Notwithstanding this collective responsibility, each board member or director is not spared individual liability and responsibility. Directors are required to act in the company's best interests and owe the company fiduciary duties of care, skill and diligence, whether in terms of the Act or under the common law.

A director of a company may potentially be held personally liable for any loss, damages or costs sustained by the company as a consequence of any breach of a director's fiduciary duties. The implications, however, do not stop there, whether for the liability of a director or for the company itself. From a regulatory perspective under POPIA and the Cybercrimes Act, directors must be vigilant of the regulatory obligations applicable to companies dealing with data and personal information, particularly when it comes to cyber risks.

In terms of POPIA, a responsible party, which is defined as a "public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information", must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.

Additionally, the responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of a specific industry or profession. In giving effect to such duties, a responsible party must take reasonable steps to:

  1. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  2. establish and maintain appropriate safeguards against the risks identified;
  3. regularly verify that the safeguards are effectively implemented; and
  4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

A responsible party that fails to comply with the provisions of POPIA may attract imprisonment and/or a fine in certain instances following an enforcement notice from the Information Regulator. Moreover, POPIA also provides for the institution of civil proceedings for the recovery of damages, regardless of whether any breach of POPIA was intentional or negligent. Effectively, the company or any person in an organization, including directors, may, depending on the circumstances, potentially face criminal and/or civil action.

On the other hand, the Cybercrimes Act imposes particularly stringent reporting duties on certain industry sectors, including electronic communications service providers and financial institutions. An electronic communications service provider or financial institution that is aware or becomes aware that its electronic communications service or electronic communications network has been breached in any unlawful manner must report the offence to the South African Police Service without undue delay. Once again, failure to comply with the provisions of the Cybercrimes Act would render a party guilty of an offence and liable on conviction to a fine.

A director, and the board of directors as a whole (which is not exempt from individualized responsibility and liability), as the custodian of a company carries a fiduciary duty to act in good faith and with care, skill and diligence towards the company. The reality is that directors must take cognizance of cyber risks, which are ever more prominent in today's business environment. Steps must be taken to become informed of such risks and to implement appropriate measures to address cyber security risks. This may include implementing training, cyber security policies and awareness of post-breach procedures, vulnerability assessments or insurance for cyber security.

The failure to do so could potentially expose directors to a breach of their fiduciary duties, since any loss, financial or otherwise, suffered by a company as a consequence of a director's failure to act with the requisite care, skill and diligence would be contrary to the best interests of the company. This is further amplified by the fact that, where cyber security issues have not been addressed and a cyber security incident or breach occurs, the company and, in turn, the directors steering the helm of the company face potential liability arising from the company's breach of the regulatory requirements under POPIA and the Cybercrimes Act, depending on whether or not data and personal information are compromised.

All in all, the responsibility that lies on the shoulders of directors is no small matter but an onerous one. Directors are tasked with the management of the company and its business. As with any other day-to-day issues that arise, directors should be aware of the risks associated with cyber security, as these pose a real threat to companies in an era of ever-evolving technology and interconnectivity. If directors are not vigilant and fail to take diligent steps to guard their organizations against cyber risks, they may face potential liability for a breach of their fiduciary duties following any loss or damage suffered by the company.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.