In and out of the glare of media attention, companies of all sizes are grappling with the issues posed by cyber threats, whether to the integrity of the company’s own confidential information, it systems and trade secrets or to the client/customer data that it holds.
With both information technology and those seeking to exploit its weaknesses becoming ever more sophisticated, what role does the law require directors to play in ensuring that their company is protected from cyber threats?
The general duty – exercising reasonable care, skill and diligence
Outside some specific areas such as data protection (where data processors are required to take “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage“), the law has nothing to say on what specific steps directors need to take in order to protect their business from cyber risks.
Instead, statute imposes general duties on directors, and those duties which are applied by the courts on a fact-specific basis. Whilst the discharge of these duties should require nothing more than the implementation of good business practices, it does expose the directors to the risk of personal liability should they fail to meet the required standard.
These general duties of directors, which had been built up by the courts since the eighteenth century, were codified for the first time under the Companies Act 2006 (see box below).
The seven general duties of directors under the Companies Act 2006
Reasonable care, skill and diligence
Of the seven general duties, the most relevant duty to the issue of cyber security is the duty to exercise reasonable care, skill and diligence. This test is composed of objective and subjective elements. So, to discharge the duty, the relevant director must exercise the care skill and diligence that would be exercised by a reasonably diligent person with:
- the general knowledge, skill and experience that may reasonably be expected of a person carrying out the functions carried out by the director in relation to the company (the objective element); and
- the general knowledge, skill and experience that the director has (the subjective element).
The core principles which can be distilled from this duty are that:
- the objective test establishes a “hygiene” standard of behaviour that each director must meet, but, within that, it does accommodate the practical reality that directors do discharge different functions within the company. So, for example, the skill and experience (and the scope of day-to-day attention) expected of an IT director in relation to cyber security will be higher than that expected of a non-executive director, who will (consistent with the general function of non-executive directors) be expected to demonstrate informed oversight and constructive challenge to the activities of the executive directors;
- in meeting the objective element of the test, the extent to which the relevant company is exposed to cyber risk will inform the standard expected of all directors – so the directors of an online retailer will be expected to take greater steps to educate themselves in the scope and nature of the cyber risks the company may face, as opposed to the directors of a company which only has a relatively small web presence or technology platform where less focus on this issue may be warranted;
- the subjective element requires that, where a director has specific skills and experience, she is expected to bring these to bear in performing her role. So a director with a technical background in IT/cyber-security will be held to a higher standard than other directors without similar experience; and
- in practice, responsibility for a cyber defence strategy will be often be delegated to technical IT personnel below board level. Where that is the case, the directors should:
- ensure that it is reasonable for them to delegate the relevant functions – this assessment will include ensuring that relevant staff are appropriately qualified with relevant skills and experience obtained in a comparable environment;
- maintain effective oversight of the delegated functions – this will involve taking steps to familiarise themselves with the company’s IT environment and, in broad terms, the types of cyber threat that the business may face; and
- require periodic internal reporting on the management of cyber risks and engage in regular face-to-face discussions with the IT management team.
Whilst breach of directors’ duties may give rise to a claim against the directors by the company itself (brought in practice by the company’s shareholders under what is known as a “derivative claim” and so is likely to be in play where shareholders have suffered a significant loss in value), the effective discharge of directors’ duties is likely to significantly reduce the likelihood of a successful third party claim for negligence for a specific event (such as theft of client data).
10 Steps to Cyber Security – UK Government guidance
As part of its 10 Steps to Cyber Security initiative, the Government has published 10 Steps: A Board Level Responsibility which poses the following key questions boards should be asking themselves in the context of cyber security:
Protection of key information assets is critical
Exploring who might compromise our information and why
Pro-active management of the cyber risk at Board level is critical
Cyber risks in the context of corporate finance transactions: ICAEW and Government guidance
Cyber risks are heightened in corporate finance transactions principally because, in the words of the ICAEW and the Government in their 2014 report Cyber-security in Corporate Finance “of the sheer number of people involved in each phase of the process and the volume of information that is shared between the parties in the context of a transaction bring with them a substantial risk of compromise to companies, their advisers, financiers and/or investors.” The report identifies a number of potential groups who could threaten a company’s cyber integrity during a typical transaction, including competitors, organised crime networks and hacktivists through to a company’s own employees and contractors.
The report contains useful guidance for companies and their boards at each stage of a typical corporate finance transaction, from the engagement of external advisers through to the management of the due diligence process in virtual data rooms and deal execution and completion.
What to do if you suffer a cyber attack
What should you do in the immediate aftermath of a cyber attack on your organisation? OC’s Disputes team offers some practical guidance in this post.