What are a Director’s Duties on Cyber Security?

With cybersecurity becoming an increasing threat to all organisations, how far should directors’ duties extend to mitigating the risks?

Anyone who read the main newspaper headlines recently will not have failed to grasp the seriousness with which the National Cyber Security Centre (NCSC) takes the risk of a major cyber attack on the UK.  The NCSC, in its second annual review, stated it is currently handling over ten serious attacks each week, which can be traced back to “nation states in some way hostile to the UK”[1].  The same report revealed other startling statistics including:

• They have removed nearly 140,000 phishing sites hosted in the UK
• Over 14,000 sites have been removed worldwide which spoof the UK Government.
• Nearly 11,000 malicious domains are blocked every month.

But with the NCSC and the ‘Five Eyes’ partnership doing their very best to protect our valuable online assets, and national security, it is vital for business leaders to understand their own role in securing their operations, and crucially, the legal duties placed on company directors regarding cybersecurity.

Cyber-security – the duty of directors

The obligations of company directors to ensure the cyber security of their systems comes from several sources.  Firstly, under the Companies Act 2006 (CA 2006), ss 171–177, directors have a duty to their shareholders to:

• Promote the success of the company
• Exercise independent judgement
• Exercise reasonable care, skill and diligence

On the face of it, there is no direct reference to cyber security or risk within the scope of the statutory duties, but it is very much implied.  And as the law is updated to reflect the growing risk to organisations of cyber incidents, it is inevitable that there will be an explicit duty on directors to put all necessary countermeasures in place to limit and contain cybersecurity exposure.

Secondly, company directors can be held criminally liable under the Data Protection Act 2018, section 198 if an offence under the Act has been committed by a company with the “consent or connivance of or to be attributable to neglect” on the part of the director.

Also, the Network and Information Systems Regulations 2018 places strict legal liability on ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs) to “implement appropriate technical and organisational measures to prevent and minimise the impact of incidents that affect their systems. These measures must be appropriate to the risk posed”[2].

For businesses operating across multiple jurisdictions, for example in the EU and US, it is essential for heads of businesses to understand and embody their duties in all jurisdictions.

Recent Cybersecurity incidents – a wakeup call to directors

In Various Claimants v Wm Morrisons Supermarket PLC 01.12.2017, Queen’s Bench, Morrisons Supermarket was found vicariously liable for the actions of a former employee who had posted the personal details of 99,998 on a file-sharing website.  If such an incident were to occur now the GDPR is in force, a fine of between €10-20 million, or 2-4% of global turnover (whichever is greater) could be levied; an amount that may cause serious damage to any business.

And in September 2018, British Airways (BA) suffered an extremely serious cyber-attack after the credit card details of nearly 400,000 online customers were compromised.  It is too soon to know the impact of this incident to BA, but if the full weight of the GDPR is applied, the find could be up to £500m – 4% of its £12.2b turnover for the year ending December 2017[3].

Prevention is not enough

It is not sufficient to solely implement measures to mitigate the risk of a cyber attack; with the growing sophistication of hackers and hostile entities, there is always the possibility that a serious cyber incident could occur, through unforeseen or completely new methods.  As such, the best form of defence includes a strategy of robust rolling assessment, testing, and emergency response captured with an incident response plan.  This is a risk-based approach whereby the company is not just adhering to compliance standards but using a comprehensive approach that leverages best practices and industry standards to actively identify and mitigate security gaps and potential new threats.

Within this approach it is vital to implement processes to keep key stakeholders informed, allowing them to make the necessary decisions to minimise the time between identification of a new threat and its mitigation, and increasing the likelihood of a quick and easy recovery when and if such an event occurs.

In conclusion

Cybersecurity is rapidly becoming front and centre as a risk consideration for UK businesses.  All efforts should be input into reviewing existing risks and gaps, recurring penetration testing of current security systems, control of newly detected threats, and implementing an early response plan should the worst happen.  Such a 360-degree approach will decrease the amount of negative impact to your organisation and even possibly eliminate it.

The key is planning. This is more than just having a checklist in place and then going down the list, checking off each task. It involves continuous, comprehensive, risk-based preparation in conjunction with your business leadership team, general counsel, system operators, continuity planners, CEO, CIO, COO and your risk and Security Officers.

Lineal is a global leader in providing flexible cyber security support.  To find out more about our cyber security services, please call us on +44 (0)20 7940 4799 or email info@linealservices.com.

[1] https://www.ncsc.gov.uk/news/ncsc-deals-1100-cyber-attacks-first-two-years

[2] https://ico.org.uk/for-organisations/the-guide-to-nis/

[3] https://www.telegraph.co.uk/news/2018/09/07/british-airways-hacking-customers-cancel-credit-cards-airline/