The UK Companies Act 2006 defines the responsibilities and liabilities of directors in terms of fiduciary duties, and court cases have clarified the scope of these obligations. In broad terms, they include “reasonable care and diligence,” and that means managing risks. Board members may delegate the operation of risk management systems, but not the responsibility for them. Directors must see that cybersecurity systems function – they cannot simply accept management assurances that they do.
UK Board of Directors’ Fiduciary Duties
Directors’ fiduciary duties were historically set down by a series of legal cases. Those cases addressed whose interests the directors serve, the need for independence, the need to act objectively, the need to remain loyal to the original purpose of the company and the need to ensure good company management, explains Andy Wilks, a partner at the London-based law firm Francis, Wilks and Jones. These obligations are known as “fiduciary duties,” and the statutory duties that followed reflect them.
These judgments given in the courts led to directors’ duties being codified in the Companies Act 2006, which sets down the following fiduciary duties:
- A Director must only act within the powers granted by the Company’s constitution.
- A Director has a prime duty to promote the Company’s success (unless insolvent).
- A Director must exercise independent judgment.
- A Director must exercise reasonable care, skill and diligence in his / her role.
- A Director must avoid conflicts between his / her role and his / her personal interests.
- A Director cannot accept benefits from third parties.
- A Director must always declare to the other directors his / her personal interest in any transaction or arrangement into which the company proposes to enter.
In terms of risk management, directors may delegate the operation of systems and controls, but they cannot delegate responsibility for them to management or to third parties.
As the Institute of Chartered Accountants in England and Wales points out, directors have a fiduciary responsibility to ensure:
- Systems and controls are operating, including where they have delegated responsibility for them to others.
- They are receiving, understanding and acting on relevant financial information about the business generally.
- These systems are up to date and operating correctly.
As Alexandra Mihailescu Cichon of the compliance monitoring consultancy RepRisk notes, when incidents like data breaches happen, investors demand to know why the board did not know about the vulnerabilities and did not take action in line with its fiduciary duty. “Due to increasing transparency, the pressure of investors, and the availability of monitoring systems, boards now have a duty to know – and to act.”
Claims for breach may be brought by way of a derivative action. The remedy for breach of the duty to exercise care, skill and diligence would ordinarily be damages, while a breach of the fiduciary duties may attract damages, an injunction and possibly a director’s disqualification. In addition, directors may have their service contract terminated.
Consequences of Cyber Risk
To comply with these duties, directors must be competent in cybersecurity. Many UK boards are seeking to appoint non-executive directors with the requisite skills in information technology, according to the specialist research consultancy Spencer Stuart.
With more companies using technology and online services in their day-to-day operations, directors should be aware that cybersecurity is an ever-growing risk, warns a report from the London-based law firm W Legal. In fact, according to a UK government survey, of all respondents surveyed, around 65 per cent of large firms detected a cybersecurity breach in 2015/16. The most costly breach identified in the survey was £3 million. However, the cost can be much more significant. For example, it is thought that the cyber-attack on UK mobile services provider TalkTalk in October 2015 resulted in exceptional costs of up to £82 million, the loss of over 100,000 customers and the company’s profits halving.
Immediate financial costs aside, a cyber breach is also likely to result in the loss of customer and / or supplier data. Such data is among a company’s most important assets, and its loss can expose the company to legal proceedings.
Then there is the reputational damage that results from a major breach. The company could be seen as operating a poor cybersecurity regime, which would undermine any attempts by directors to maintain a reputation for high standards of business conduct.
Such reputational damage could have serious consequences for business operations in the long term. Directors themselves may face claims for negligence for failing to exercise reasonable care and protect the company from cyber-attacks. Given the prevalence of cyber-attacks in recent years, it is difficult to envisage a director who could be said to have exercised reasonable care without addressing cybersecurity, the W Legal report notes.
Mitigating Cyber Risk
To reduce the risk of breaching their fiduciary duties, W Legal advises directors to:
- Ensure they understand the level of risk cyber-attacks pose for the company and continue monitoring this;
- Consider appointing a director with experience in cybersecurity who will have primary responsibility for cyber risk management. This person should ensure that the board understands what the company’s key assets are, what its current strengths and weaknesses are, and what it is doing about them;
- Ensure that the company is prepared to respond to a cyber-attack; and
- Consider cyber insurance which provides an appropriate level of cover.
Diligent Boards Provides the Highest Level of Security
Protection against attacks and threat detection are an intrinsic part of Diligent Boards. A world of governance and IT knowledge informs the security behind Diligent Boards, Diligent Messenger, Diligent Evaluation and Diligent D&O. Data is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. All of Diligent’s solutions are ISO- and TRUSTe-certified and internationally audited, with robust, customizable encryption and data access. If a device is lost or compromised, our remote-wiping capabilities allow you to swiftly mitigate the risk.