Board of Directors’ Fiduciary Duties in Terms of Cybersecurity

The UK Companies Act of 2006 defines the responsibilities and liabilities of directors in terms of fiduciary duties, and court cases have clarified the scope of these obligations. In broad terms, they include “reasonable care and diligence,” and that means managing risks. But board members may not approve the operations of systems for risk management – they must make sure these systems are effective, or face personal liability. Hence directors must see that cybersecurity systems function – they cannot simply accept management assurances that they do.

UK Board of Directors’ Fiduciary Duties

Directors’ fiduciary duties were historically set down by a series of legal cases stipulating the interests which Directors serve, the need for independence, the need to act objectively, the need to remain loyal to the original purpose of the company and the need to ensure good company management, explains Andy Wilks, a partner at the London-based law firm Francis, Wilks and Jones. These are known as “fiduciary duties” and reflect those duties which exist where there is a relationship of trust and confidence, as essentially the Shareholders are entrusting their investment to the hands of Directors.

These decisions in the Courts led to Directors’ duties being codified in the Companies Act 2006, which set down the following fiduciary duties:

  • A Director must only act within the powers as granted by the Company’s constitution.
  • A Director has a prime duty to promote the Company’s success (unless insolvent).
  • A Director must exercise independent judgment.
  • A Director must exercise reasonable care, skill and diligence in his/her role.
  • A Director must avoid conflicts between his/her role and his/her personal interests.
  • A Director cannot accept benefits from third parties which arise from his/her role.
  • A Director must always declare to other director his/her personal interest in any transaction or arrangement into which the Company proposes to enter.

In terms of risk management, directors may oversee the operations of systems and controls, but they cannot delegate the responsibilities for their operation to management or to third parties.

See how you can improve your cybersecurity practices within the boardroom with this free white paper download.

As the Institute of Chartered Accountants in England and Wales points out, directors have a fiduciary responsibility to ensure:

  1. There are systems and controls that ensure they monitor and review key aspects of their company’s business, including agreements with outsiders, and investigate and involve themselves where necessary, even where they have delegated responsibility for them to others.
  2. They are receiving, understanding and acting on relevant financial information about the business generally.

This means that directors have a fiduciary duty to ensure that these systems are up-to-date and operating correctly.

As Alexandra Mihailescu Cichon of the compliance monitoring consultancy RepRisk notes, when incidents like data breaches happen, investors will demand to know why the board didn’t know about the vulnerabilities and did not take action according to their fiduciary duty. “Due to increasing transparency, the pressure of investors, and the availability of monitoring systems, boards now have a duty to know – and to act.”

A breach of these duties could result in the directors being held liable either by the company or by the shareholders by way of a derivative action. Remedies for breach of duty to exercise care, skill and diligence would ordinarily be damages, whereas a breach of the fiduciary duties includes damages, injunction and possibly a director’s disqualification. In addition, directors may have their service contract terminated.

Consequences of Cyber Risk

To comply with these fiduciary duties, boards of directors should consider either appointing a member with technical expertise in cybersecurity, or receiving sufficient training themselves to ensure that they are capable of the task. Many UK boards are choosing to appoint non-executive directors with the requisite skills in information technology, according to specialist research consultancy Spencer Stuart.

With more companies using technology and online services in their day-to-day operations, directors should be aware that cybersecurity is evidently an ever-growing risk, warns a report from the London-based law firm W Legal.  In fact, according to a UK government report, of all respondents surveyed, around 65 per cent of large firms detected a cybersecurity breach in 2015/16. The most costly breach identified in the survey was £3 million. However, the cost could be much more significant. For example, it is thought that the cyber-attack on UK mobile services provider TalkTalk in October 2015 resulted in exceptional costs of up to £82 million, loss of over 100,000 customers and the company’s profits halving.

Immediate financial costs aside, a cyber breach is also likely to result in the loss of customer and/or supplier data. Such a loss would not only put at risk those affected, but would likely result in customers and suppliers terminating their business relationships with the company for fear of future breaches. Companies may also face legal proceedings.

Then there is the reputational damage that results from a major breach. The company could be seen as operating a poor cybersecurity regime, which would serve to undermine any attempts by directors to maintain a reputation for high standards of business conduct.

“The effects of these additional factors will no doubt add financial strain to the business which could have severe consequences on the business’ operations in the long term. Directors themselves may face claims for negligence for failing to exercise reasonable care and skill to protect the company from cyber-attacks. Indeed, with an influx of reports of high-profile cyber-attacks in the recent years, it is difficult to envisage a director who could be deemed to exercise reasonable care and skill without making any attempts to address the company’s cyber security,” the W Legal report notes.

Mitigating Cyber Risk

To reduce the risk of breaching their fiduciary duties, W Legal advises directors to:

  • Ensure they understand the level of risk cyber-attacks pose for the company and continue monitoring this;
  • Consider appointing a director with experience in cybersecurity who will have primary responsibility for cyber risk management. Such a person should check that the board understands what the company’s key assets are, what its current strengths and weaknesses are, and that it operates a robust cybersecurity policy addressing each of these factors among others;
  • Ensure that the company’s cyber policy provides for regular cybersecurity training to employees and that it contains a practical and efficient incident response plan which will help contain and mitigate any damage caused by a cyber-attack;
  • Consider obtaining cyber insurance which provides an appropriate level of cover.

Diligent Boards Provides the Highest Level of Security

Protection against attacks and threat detection are an intrinsic part of Diligent Boards. A world of governance and IT knowledge informs the security behind Diligent BoardsDiligent Messenger, Diligent Evaluations and Diligent D&O. Data is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. All of Diligent’s solutions are ISO- and TRUSTe-certified and internationally audited, with robust customisable encryption and data access. If a device is lost or compromised, our remote-wiping capabilities allow you to swiftly mitigate risk.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog