It has been well publicised that cyber-attacks have increased dramatically in recent years and that small and medium-sized enterprises ("SMEs") in particular are vulnerable to such attacks.
As a consequence, there has been an upward trend in SMEs looking to place blame on their (usually former) directors following cyber-attacks or IT failure. In certain circumstances, directors can find themselves facing a claim if they have failed to ensure that appropriate IT security measures were in place or adhered to where this has seemingly left the door open for cyber criminals. Such claims are usually covered under a directors' and officers' insurance policy.
Directors of SMEs are often responsible for a number of different areas of their business. The fact that a company faces a cyber-attack or IT failure does not mean that directors can be held responsible. Cyber-criminals use sophisticated techniques to hack even the largest businesses with the most secure networks. It is crucial that directors of SMEs are aware of IT/cyber risks and the importance of implementing and enforcing measures to keep their business secure.
Exposures for SMEs
The Cyber Security Breaches Survey 2018 measured how organisations in the UK approach cyber security and the impact of breaches. The directors or senior management in 74% of businesses with fewer than 50 staff ("Micro businesses") said that cyber security is a high priority, with 42% identifying at least one breach or attack in the last 12 months; in 17% of cases, it took these businesses a day or more to recover from the breach.
Micro businesses are less likely than medium/large businesses to have: 1) sought any information, advice or guidance about cyber security (58% vs. 79%); 2) formal cyber security policies (26% vs. 62%); and 3) any cyber security training (19% vs. 47%).
SMEs, by their very nature, often do not benefit from large corporate structures with dedicated teams to manage cyber risks. Cyber security will often form a small part of an SME director's responsibilities. Directors may not realise the sheer amount of information their business holds which would be attractive to cyber criminals. This will often include sensitive customer information.
Common reasons for not having a cyber-security policy in place are: the cost of implementing and enforcing a cyber-security policy; not being fully aware of the risks; not having in-house IT advice; and not prioritising the review or updating of security protocols and programs.
Among the Micro businesses that identified at least one breach or attack in the last 12 months: 36% needed to implement new measures to prevent or protect against future breaches; 31% used additional staff time to deal with the breaches; 27% said that breaches stopped staff carrying out day-to-day work; and 21% said that breaches incurred further recovery or repair costs.
Potential exposure for directors
SMEs are less resilient to the reputational and financial damage which can result from cyber-attacks or IT failures. The obligation to protect against cyber risks does not mean directors are guaranteeing no attack will succeed, but if directors ignore the risks then they could be exposed to liability for failing to fulfil their duties to the business.
The rules governing directors are contained within case law and within specific legislation but the Companies Act 2006 ("CA 2006") sets out what are described as a director's general duties within sections 171-177.
The statutory duties under S.172 (to promote the success of the company) and S.174 (to exercise reasonable care, skill and diligence) of the CA 2006 are commonly the focus of claims against directors in this context. These duties are arguably the most fundamental: a director must act in a way they consider would be most likely to promote the success of the company for the benefit of its members as a whole, and they will be held to the standard of the 'reasonable director', who will be assumed to have the knowledge, skill and experience to be expected of a director in that role.
A director will need to be able to demonstrate that they have considered what IT security measures may be required by the company. There will undoubtedly be a cost-benefit analysis that will take place in relation to some solutions. Directors should ensure that any such discussions are documented (for example, in board minutes). The level of cyber security that would be appropriate will very much depend on the size and type of company. Directors should also consider the type of information being held.
The mere existence of a cyber-attack or IT failure does not automatically mean any wrongdoing on the part of a director. However, directors may be exposed to criticism if they are unable to demonstrate that cyber/IT security has been properly considered.
For businesses handling significant levels of data, it should be part of insurers' underwriting process to understand whether cyber and IT security has been considered by the business's directors, as such claims against a director are often covered by a standard SME D&O policy.