Cyber-attack: your legal responsibilities as a company director

It’s easy to assume that cyber-crime only happens to high profile organisations because those are the ones that make the news – like Equifax, Barclays and the NHS. But the reality is that all businesses have to take the threat of cyber-attack seriously.


The Cyber Security Breaches Survey 2017 reported that in a 12-month period 46% of all UK businesses identified at least one cyber security breach or attack. The figure rises to 66% among medium firms and 68% for large firms.


All company directors, whether or not they have any IT expertise, have a number of general responsibilities that are highly relevant to the threat cyber-attack poses to a business.


Under the Companies Act 2006, the Board of Directors must:


  • Keep up-to-date about issues which should be in your contemplation – cyber security should definitely be a priority.
  • Take professional or expert advice. You can be held personally negligent if you fail to take appropriate advice in areas you don’t have sufficient expertise in yourself.


The Board also retains a residual duty where they rely on external experts to manage functions like cyber security. In this scenario the Board has a duty to ensure that they are monitoring the performance of these outside companies effectively and acting on their advice.


If a loss occurs and the Board is found to be negligent in its duties then each Director potentially faces unlimited personal liability.


Where to start?

A good place to start is to think like a cyber-criminal or hacker. Ask yourself the following questions:

  1. What does your business have that other people might want? Assets that are particularly attractive to hackers include:
  • Data
  • Money
  • Intellectual property


Prioritise your list to ensure the most attractive are the best protected.

  2. Are you involved in any controversial activities that hackers might want to disrupt? What would be the best way to achieve their aims?
  3. Think about the type of person who might want to attack you (including former or disgruntled employees, competitors, activists, criminals seeking financial gain) and how they might access your networks.


Then drill down into your IT set-up to establish:

  1. How do we monitor our networks for signs of a cyber-attack?
  2. How often do we update our perimeter security?
  3. Do we have a strategy for managing patches or upgrades for software applications and technologies?
  4. What security software (including firewalls and malware detection software) do we have in place? Is it robust enough for our needs?
  5. Who has access to our networks? Do we differentiate access i.e. are some areas better protected than others? If not, should they be?
  6. How do we vet people who aren’t direct employees of our company but who have access to some or all of our systems, e.g. IT contractors or freelancers?


Managing the threat


Assess the general risk to your company. Appoint an appropriate individual (or even better a team including tech, legal and operational personnel) to undertake a risk assessment for your specific business, its customers and suppliers.


Discuss the findings at board level and agree a proportionate response depending on the risk you face of being attacked and the likely consequences. A business holding the financial details of thousands of consumers will take a different approach to a medium sized manufacturing business – although there is still a risk to be considered.


Engage an independent third party to undertake penetration or vulnerability testing. If weaknesses are found, address them quickly and comprehensively!


Train staff in cyber security issues to ensure they understand what they can do to minimise the risk of an attack succeeding, e.g. how to deal with spam email and phishing.


Periodically review the cyber threat to your business at board level. Technology and criminal behaviour move on quickly, so what works now might not work in 6 months’ time; complacency isn’t an option.


Take professional advice from cyber security, risk management, insurance and legal specialists, especially in areas where you feel out of your depth. This will help fulfil the professional duty mentioned above. Many professionals run seminars and training events, often for free, and by going along you’ll be fulfilling your duty to keep up to date with the latest developments in cyber security too.


You can never completely protect against every risk to your business – technology related or not. But a proactive approach and the implementation of appropriate technological and organisational measures will help minimise your liability as a director should a cyber-attack happen and meet the standards required by relevant legislation including the UK Data Protection Act, the UK Communications Act and the EU Data Protection Regulation.