For any company that relies on computers (i.e. just about any company), cyber risk is real, serious and unavoidable. Given that all company directors are legally obliged to promote the success of the companies they serve and, in doing so, to exercise reasonable skill, care and diligence, ignorance of the nature and extent of these risks is dangerous.
When you add the Senior Managers’ Regime (“SMR”) into the mix (as you must for banks and insurance companies) the issue becomes all the more pressing. That is because individual senior managers are personally accountable to the regulators for failings that happen on their watch.
Given that few directors have the necessary technical expertise, how do they avoid these exposures? Fortunately, there are some reasonably clear answers to this question.
Asking the right questions
English courts have repeatedly made it clear that directors are not permitted to delegate their supervisory function. In other words, they must not leave it to others to ask the right questions in order to satisfy themselves that the company is being run as it should be.
Equally, courts have made it clear that directors are not guarantors of good outcomes and that their conduct should be judged by reference to facts of which they were (or should have been) aware at the time. The benefit of hindsight must not be applied.
What this means in practice is that by asking the right questions (and following up where appropriate) directors are creating for themselves the very planks of their individual liability defences in the event of a cyber incident.
So, what are the right questions? After all, cyber security risk can have an impact on share value, mergers and acquisitions activity, pricing, reputation, culture, staff, information, process control, brand, technology and finance, and just about anything else. Fortunately, there are some excellent resources available. For example, the UK government has produced valuable guidance specifically aimed at company boards.
Focus on corporate governance
Among other things, the guidance recommends that directors focus on corporate governance as a means of protecting information from cyber threats. In this area it suggests that directors:
- Confirm that you have identified your key information assets and the impact on your business if they were to be compromised.
- Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks.
- Consider gaining independent verification that you are appropriately managing the cyber risks to your information and have the necessary security policies and processes in place.
- Confirm that you have processes in place that can support continual improvement.
There are, of course, no easy or perfect answers to any of these issues but in a sense that misses the point. The law is only likely to punish those directors who take no diligent steps either to inform themselves of, or to address, the risks to which their companies are prone.
Ignorance and inactivity are no defence. That is especially so when:
- the threat attracts so much media attention; and
- resources to help directors make the relevant enquiries are so readily available.
Document, document, document
One final note of caution: directors worried about their own personal positions would do well not simply to ask the right questions (and follow up where appropriate) but also to ensure that they and/or the company have duly recorded the fact that they have done so. This is especially important under the SMR. In the event of a serious problem, the regulators will almost certainly demand evidence that the individuals who are personally accountable took "reasonable steps" to prevent the problem occurring in the first place, and an undocumented enquiry is very hard to prove after the fact.
This post was originally published November 16 in Insurance Business.