Cyber security is now a major challenge for business and,with the volume and severity of attacks increasing, one that could put the organisation’s future at risk.
But while most directors appreciate the threats to their business, what they might not realise is that these issues can lead to personal liability for themselves too. Here are five ways that cybersecurity issues can have a direct impact on board members:
Breach of directors’ duties
According to corporate law specialist Joel Molloy of Clifton Ingram LLP, the Companies Act 2006 specifies that directors have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the conduct of their role. “A director’s failure to understand and mitigate cyber breaches could amount to a breach of these duties which could lead to claims against them by the company or its shareholders,” Joel explains.
Falling foul of regulators
For companies operating in regulated sectors, a failure to manage cyber risks could equate to a breach of their personal regulatory obligations. “For example, the FCA can take action if a director does not adequately discharge their regulatory duties and this could include not properly managing cyber risks for their company,” adds Joel Molloy.
Breaches of data privacy and cyber laws
Some laws places direct obligations on individual directors – including the Data Protection Act 2018, the Network and Information Security Directive and the Digital Economy Act 2017.
Claims by customers and other third parties
In addition to action by the company, directors could also face claims from customers, says Joel Molloy. “By failing to adequately understand and mitigate cyber security risks, directors will also be at risk of claims by third parties who have sufferedsome loss or damage as a result of a director’s mismanagement of cyber risk, including claims for negligent conduct.”
Risks to their job or professional reputation
Increasingly board members are being targeted directly by cybercriminals using ever more sophisticated scams. In one case last year the FD and CEO of film company Pathe’s Dutch arm were sacked after being tricked into paying over €19m into a bank account in Dubai. Edwin Slutter and Dertje Meijer believed they were acting on instructions from their Paris headquarters and the money related to an acquisition that was underway. When their mistake came to light, both lost their jobs and later filed for unfair dismissal.
While cybersecurity will be seen as a new responsibility by many directors, it is now vital that they update their skills. By understanding and monitoring their cybersecurity, directors will certainly reduce business and personal risk.
Jon Abbott is the CEO of ThreatAware, a new software platform which allows directors to monitor the whole of their cybersecurity for the first time.