Cyber security (the protection of devices, services and networks and the information on them from theft or damage via electronic means) must be a key concern for board members. Indeed, in the words of the managing director of the World Economic Forum (WEF) in its 2022 Global Security Outlook, it is “not a separate technology but rather a foundational set of systems, spanning technology, people and processes for the Fourth Industrial Revolution.”
Communication
There is a worrying discrepancy between the perceptions of business leaders and cyber experts within the same organisations as to the scale of the task. The WEF Global Security Outlook 2022 survey found that whereas 94% of business leaders polled believed that cyber resilience was integrated into enterprise risk management, only 54% of cyber experts within the same organisations held that view. Clearly, communication between the board and those with direct responsibility for cyber security is key, as is a shared understanding of some key terms. A brief glossary of some of these is set out at the end of this article.
Legal duties
It is worth reminding ourselves of the nature of a director’s non-delegable supervisory duty with respect to the company’s cyber security. To discharge that duty both executive and non-executive directors must have enough expertise to understand both how a cyber event might affect the whole company and what the specific consequences might be for the area (if any) of each director’s particular focus. To achieve this, directors should have a working knowledge of the cyber risks the company faces and how those risks will continue to evolve with the advance of and heavier reliance on technology throughout the company (and not just as it relates to consumer and client products/services offered by the company).
Work in progress
Earlier this year, NEDonBoard conducted its own survey specifically as to non-executive directors’ awareness of cyber risk as it affects the organisations they serve. This also produced interesting results including that:
- Only 35% of respondents think they have all the necessary cyber knowledge and expertise to discharge their duties
- Only 13% of respondents have a cyber incident response plan that involves the board
- 50% of respondents don’t know what cyber insurance covers
- Only 7% of respondents understand that cyber policies never cover the cost to the company of theft by computer
- Only 23% of respondents know whether payments may lawfully be made to stop a ransomware attack
These findings were discussed in a wide-ranging webinar hosted by NEDonBoard in June 2022. The focus of the debate was on practical steps by which directors could put themselves in a position to make reasoned assessments and judgments as to a company’s preparedness to meet a cyber event. There was also useful discussion as to the role cyber insurance has to play in mitigating these risks, both by covering some of the attendant losses and by providing independent technical expertise before and during a cyber incident. (The answer, by the way, to the question as to whether payments may lawfully be made to stop a ransomware attack is yes, at least here in the UK.)
Glossary of Terms
- Cyber Attack – deliberate entry into a computer system, with the intent to alter, corrupt or remove systems/data, irrespective of the identity of the perpetrator
- Cyber Event – general collective term encompassing Cyber Incident, Cyber Attack and/or Data Breach
- Cyber Incident – accidental or unintentional alteration, corruption or failure of computer systems/data
- Cyber Risk – the risk of loss, damage or disruption to a company emanating from its network systems and/or data
- Cyber Resilience – the ability to anticipate, identify, recover from and/or withstand Cyber Events
- Cyber Security – the processes, practices and technologies employed to protect the company’s network systems and data
- Data Breach – loss, theft or unauthorised disclosure of confidential/personal data, whether on computer or otherwise
- System Failure – unplanned and unintentional outage of a computer system
Conclusion
The time when a board could delegate issues of cyber security to the head of IT (or even its chief information security officer) is long gone. What is required of directors instead is a degree of active engagement with the issues and threats faced by a company. In the event of a serious loss of data with significant implications for the ability of the company to continue trading or damage to its reputation, the prospect of a breach of duty claim against the directors cannot be ruled out. Whilst courts are usually adept at not applying hindsight and directors are not expected to get every decision right, the ability to demonstrate sufficient active engagement with the subject is likely to form the cornerstone of any effective defence to such a claim. Both cyber insurance for the company and D&O insurance for the directors can also significantly mitigate the effects of such claims and losses.
Written by Francis Kean, Partner financial lines at McGill and Partners.