Board members are required to maintain sufficient up-to-date knowledge and skill to understand information and communications technology risk and its operational impact. In practice, this means that board members need to skill up on cyber security and stay up to date with the changing landscape in order to comply with their obligations.
In parallel, Dora requires boards to review and approve policies and procedures — including in relation to cyber security. Boards should also receive regular briefings on cyber security incidents. Failure to meet these requirements could ultimately lead to individual liability.
Breach of fiduciary duties
Away from financial services regulation, failure on the part of a board member to manage cyber risk adequately could be perceived to be a breach of the board members’ fiduciary duties to the company (in the UK, under the Companies Act 2006).
This is a particular concern for directors of listed entities in the sector, where shareholder derivative actions against the board are a possibility. While we have not yet seen claims of this nature in the UK, they are not uncommon in the US.
As expectations around effective cyber risk management at the board level increase, the risk of claims of this nature being brought is inevitably also on the rise.
In addition, chief information security officers often find themselves the subject of regulatory scrutiny. As well as the regulatory burden described above, their perceived role as the overall figurehead of a company’s cyber security programme often means they are called on to give evidence to financial services regulators, data protection/privacy regulators, securities regulators and government agencies in light of significant cyber incidents.
This itself carries a burden in terms of ensuring that requests are appropriately and fairly responded to — and charges have been brought against former CISOs of large companies when this burden has not been fully discharged.
But how can board members and senior executives best understand and discharge their responsibilities in this area? A good starting point is to take advice from both internal and external subject-matter experts on effective cyber risk management and operational resilience.
Key to that is understanding the specific regulatory obligations, and it is important to document decisions taken by the board in relation to cyber security and to monitor the governance structures that underlie those decisions.
A programme of regular cyber skills training and briefings to keep cyber knowledge up to date may also be required, which is particularly vital given the speed at which the cyber risk landscape is changing.