Cyber risk is becoming one of the largest global threats to businesses. According to a report by Deloitte, almost 9 out of 10 FTSE 100 companies have identified a cyber risk in their disclosures and roughly 87% of firms deem cyber risk to be one of their principal risks. As a result, directors, who owe a duty to the company to use reasonable care and skill in their decision-making and to promote the success of the company, should take every opportunity to minimise cyber risk. Despite the growing recognition of cyber risk, it is reported that only around 5% of board-level directors of FTSE 100 companies have cyber security expertise and only 27% have a clearly identified person or body responsible for cyber security. What’s more, according to a UK government report, up to 98% of large companies have no cyber insurance cover in place. This probably means that directors of up to 98% of UK companies are in breach of their statutory duties.
Directors’ Statutory Duties
The Companies Act 2006 imposes a number of duties on directors which are owed to the company, including the need to promote the success of the company and to exercise reasonable care, skill and diligence in their decision-making. In promoting the success of the company, the director is required to (among other things):
– consider the likely long-term consequences of any decision; and
– seek to ensure that the company maintains a reputation for high standards of business conduct.
A breach of these duties could result in the directors being held liable either by the company or the shareholders by way of a derivative action.
Consequences of Cyber Risk
To comply with their statutory duties, directors generally address risk management in their corporate governance strategy. With more companies using technology and online services in their day-to-day operations, cyber security is evidently an ever-growing risk. In fact, according to a UK government report, around 65% of the large firms surveyed detected a cyber security breach in 2015/16. The most costly breach identified in the survey was £3m. However, the cost could be much more significant. For example, it is thought that the cyber-attack on TalkTalk in October 2015 resulted in exceptional costs of up to £82m, the loss of over 100,000 customers and the halving of the company’s profits.
Immediate financial costs aside, a cyber breach is also likely to result in the loss of customer and/or supplier data. Such a loss will not only put those affected at risk, but will likely result in customers and suppliers terminating their business relationships with the company for fear of future breaches. Companies may also face legal proceedings. In addition, the company could be seen as operating a poor cyber security regime, which will undermine any attempts by directors to maintain a reputation for high standards of business conduct. The effects of these additional factors will no doubt add financial strain to the business, which could have severe consequences for the business’s operations in the long term. Directors themselves may face claims for negligence for failing to exercise reasonable care and skill to protect the company from cyber-attacks. Indeed, with the influx of reports of high-profile cyber-attacks in recent years, it is difficult to envisage a director being deemed to have exercised reasonable care and skill without making any attempt to address the company’s cyber security. After all, in the current climate, “the event of a cyber-attack is not a question of if, but when, by whom and by what degree” (Deloitte UK).
Mitigating Cyber Risk
To minimise the risk of breaching their statutory duties, directors must:
(i) ensure they understand the level of risk cyber-attacks pose for the company and continue monitoring this;
(ii) consider appointing a director with experience in cyber security who will have primary responsibility for cyber risk management. Such a person should check that the board understands what the company’s key assets are and what its current strengths and weaknesses are, and that the company operates a robust cyber security policy addressing, among other things, each of these factors;
(iii) ensure that the company’s cyber policy provides for regular cyber security training to employees and that it contains a practical and efficient incident response plan which will help contain and mitigate any damage caused by a cyber-attack; and
(iv) consider obtaining cyber insurance which provides an appropriate level of cover.
This article is for guidance only and is not a substitute for taking legal advice. W Legal Limited and the author will not be liable for any reliance placed on its contents. If you would like further information or specific advice, please contact us.
W Legal Limited © 2017