So far as directors’ and officers’ liability is concerned, there is a whole universe of potential cyber risk not understood at board level.
The starting point is the same as in any other form of significant business risk, i.e. directors are generally under a duty to gain a basic but sufficient understanding of the nature of all such risks. The need to gain this understanding is a key aspect of a director's supervisory function and one which many courts have held cannot be delegated. In the realm of cyber risk, the particular challenge for boards is that the universe of potential cyber risk is broader than more tangible risks such as health and safety, property damage and supply chain interruption. Moreover, depending on the nature of the company's activities, serious data breaches can occur either through basic human error and/or as a result of sophisticated hacking activity. Once a board is aware of a cyber security issue, the dilemma is what to do with that knowledge. On the one hand (as SEC guidance issued in 2011 makes clear) there are perils associated with non-disclosure. On the other hand, however, there are risks associated with exposing and disclosing cyber breaches without having first fixed the problem. A company would not wish to provide an invitation or route map to other hackers to have a go. That in itself could lead to additional reputational damage and destruction of shareholder value. Whilst this dilemma remains particularly acute in the U.S. (and the SEC guidance underlines this), the basic threat and the various conundrums which it poses remain the same for directors everywhere.