Legal Opinion

Board Level Responsibility Regarding Security of Systems and Data

1st September 2023

Sandip Patel KC

The UK Companies Act 2006 imposes a number of duties on directors which are owed to the company, including the duty to promote the success of the company (section 172) and the duty to exercise reasonable care, skill and diligence (section 174) in their decision-making.

In promoting the success of the company, the director is required to (among other things):

  • Consider the likely long-term consequences of any decision; and
  • Seek to ensure that the company maintains a reputation for high standards of business conduct.

On the duty to exercise reasonable care, skill and diligence, several points follow from the case law.

Directors:

  • have a duty to keep themselves informed as to issues which should be in their contemplation;
  • are unlikely to be held liable for errors of business judgement;
  • may be held to be negligent if they do not take professional or expert advice; and
  • are entitled to rely on others to whom functions are reasonably delegated.

A breach of these duties could result in the directors being held liable to the company, either in an action brought by the company itself or in a derivative action brought by shareholders on the company's behalf. The remedy for breach of the duty to exercise care, skill and diligence would ordinarily be damages, whereas the remedies for breach of the fiduciary duties include damages, an injunction and possibly disqualification as a director. In addition, directors may have their service contracts terminated.

A breach of these duties resulting in harm to a third party (e.g. a supply chain partner) could also result in a claim.

When, Not If

In the current climate, in which "the event of a cyber-attack is not a question of if, but when, by whom and by what degree" (Deloitte UK), it is difficult to envisage a director being deemed to have exercised reasonable care and skill without having made meaningful efforts to address cyber security.

Media reporting of successful cyber-attacks, together with the considerable cyber-risk awareness campaigns undertaken by the UK Government, means that the subject has been well-publicised. But for those who have no background in technology, where should you begin, both so as to act effectively for the company and so as to ensure that you have discharged your duties as a director?

The Companies Act 2006 sets out an objective test which measures you, as a company director, against the standard of "a reasonably diligent person with... the general knowledge, skill and experience that may reasonably be expected of a person carrying out the functions carried out by the director in relation to the company...". This sits alongside a subjective test based on the knowledge, skill and experience that you actually have: a director with greater expertise than the objective standard demands is held to that higher personal standard, so the test applied is the more demanding of the two.

What do you need to do?

Where, therefore, do you start if you know nothing about it?

Firstly, ensure that there is a person, or better still a team (comprising at least IT, operations and legal), to whom the cyber-risk assessment function can be delegated. You can then start to question that team.

There is a large volume of information available on cyber-risks, and distilling it into a digestible summary risks omitting important considerations. Such an assessment can only ever be specific to your business, but the following non-exhaustive list of questions will help:

  • Have we undertaken an analysis of cyber-risks to the business and its staff?
  • What is it that our business owns which others might want?
  • Is it data, money, IP, or are we undertaking activities which might attract some form of public criticism?
  • Within those categories, are there any items of particular value, the protection of which should be prioritised?
  • Who might wish to cause us harm? Former or departing employees, competitors, social activists, criminals (theft or ransom) or at a more macro level, foreign organisations or nation states?
  • What form of cyber-security programme and set of policies do we have in place?

Staff Education

Threats to your business clearly need to be kept under active consideration, even if changes to your cyber-risk programme are less frequent. The discussion need not be held at every meeting, but you do need to ensure that the risk assessment phase of your cyber-programme is regularly on the board agenda so that your obligations are properly fulfilled.

There are further tests to satisfy which arise under laws other than the Companies Act, but at a generic level a business which responds positively to its directors setting the scope of the assessment described above will have gone a long way towards minimising liability in the event of a cyber-breach.

Working from the principle that no business is immune to a breach of some kind, it is critical that a business implements appropriate technical and organisational measures to counter unauthorised access to its networks and data. This is in essence the standard required by the applicable legislation: the UK Data Protection Act 2018 and the UK GDPR (Article 32 of which requires exactly such "appropriate technical and organisational measures"), the Network and Information Systems Regulations 2018 (which implement the EU "Cybersecurity" Directive in the UK) and the Communications Act 2003. It would also be difficult to argue that a director who has satisfied himself or herself as to the company's position on the matters described in this note has failed to discharge the common law duty of care so as to be at risk of liability in negligence.

UK Board of Directors’ Fiduciary Duties

Directors' fiduciary duties were historically set down by a series of legal cases stipulating the interests which directors serve, the need for independence, the need to act objectively, the need to remain loyal to the original purpose of the company and the need to ensure good company management.

These are known as "fiduciary duties" and reflect the duties which exist wherever there is a relationship of trust and confidence, since the shareholders are in essence entrusting their investment to the hands of the directors.

These decisions of the courts led to directors' duties being codified in sections 171 to 177 of the Companies Act 2006, which set down the fiduciary duties in statutory form.

As the Institute of Chartered Accountants in England and Wales points out, directors have a fiduciary responsibility to ensure:

  • There are systems and controls that ensure they monitor and review key aspects of their company’s business, including agreements with outsiders, and investigate and involve themselves where necessary, even where they have delegated responsibility for them to others.

  • They are receiving, understanding, and acting on relevant financial information about the business generally.

This means that directors have a fiduciary duty to ensure that these systems and controls are kept up to date and are operating correctly, and that this duty persists even where day-to-day responsibility for them has been delegated.