Cybersecurity and Information
Governance for Directors
The proliferation of cybersecurity threats against companies has, out of necessity, brought about a shift in mindset among all board members in terms of their ability to adequately plan for and respond to instances of cyber-attacks against their businesses.
This shift in mindset is not limited to the “techies” who are well-versed in data security and whose remit is to understand the implications of their technologies controlling and processing data. We are seeing a growing number of directors (including non-executive directors) whose willingness to assume board responsibility is not solely based on an understanding of finance matters, personnel management or other traditional areas of governance expertise.
Rather, there is a growing appreciation of the need to understand the technological aspects of the business and the implications for the company and its directors should things go wrong from an information governance and cyber security perspective.
Information Governance
A lot like good financial governance, information governance and associated good practices are an important aspect of a board’s responsibilities. When viewed against the statement of principal directors’ fiduciary duties set out in the Companies Act, it becomes apparent that ignoring information governance within an organisation or entrusting it to others without appreciating the issues or risks at play is an imprudent course of action.
If your business controls or processes data you cannot be said to be acting honestly as a director for the purposes of the Companies Act if your business is not transparent and open in terms of the data it holds and the purposes for which it is held. Moreover, and in view of the range of cyber-threats that can impact a business, you cannot be said to be acting responsibly as a director if you have not put in place and understand how to implement robust cyber security policies. This gap in a director’s knowledge and skill-set is brought into sharper focus given the weight of sanctions for breaching GDPR.
As a director of a data business the Companies Act requires you to exercise the care, skill and diligence which would be exercised in the same circumstances by a reasonable person. While the director’s skills and knowledge are considered for the purposes of that test, clearly it involves benchmarking the director against what would be reasonable in the context of a data business.
Understanding the Issues
It is important for directors to fully understand their business from a data security perspective if they are to fulfil their board functions to the standards required by law and minimise their own and their company’s potential liability.
The following questions put the company’s executives will go some way in creating that understanding and prompt efforts to deal with any gaps that may be identified:
- How does the company get its data and where is it sourced? This will inform whether the company is acting fairly and transparently as to the sources of its data.
- Have data subjects given their consent to the company possessing their data? If the data is sensitive there must be explicit consent from the data subject.
- Are we giving the data to any third parties? If yes, specific written contract terms are required to govern any such transfers.
- Is our data secure? Data must be processed using technical and organisational measures that ensure the security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This question should involve the board analysing: (i) the state of the technology used to keep data secure together with the cost of implementing same; (ii) the nature of the data concerned; and (iii) the potential harm if a data breach occurs.
- How long are we keeping data? A company should be retaining data for no longer than is necessary for the purposes for which the data was collected. It is unacceptable to retain data merely on the basis that it is better to have it than not.
- Is our data collecting necessary? Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Does the company have a legitimate interest in collecting the data? If not, its collection may be unnecessary.
Actions to Take
Policies and Practices
What can directors do to mitigate company and personal risks around cybersecurity? A key step is ensuring that the company has in place robust data security policies that are GDPR compliant. However, having a policy in place is one thing, implementing it in real time is quite another.
For example, in the context of a significant data breach there can be considerable chaos in the business while it gets to grips with the causes and implications of the breach. During the resulting chaos of dealing with multiple parties (including customers, employees and the media), it is possible to give insufficient attention to the requirement to notify the Data Protection Commissioner without undue delay and, where feasible, not later than 72 hours after having become aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons).
This example highlights the importance of creating and closely scrutinising a company’s data security policy and action plan. If necessary, implementing a dry-run of that action plan would be helpful in establishing whether those with responsibility and the wider board are aware of their responsibilities and role in resolving the issue.
Insurance
There is also the possibility of taking out a cyber liability insurance policy with a reputable carrier. However, any such policy should be closely scrutinised to ensure that it is fit for the company’s specific requirements and provides an appropriate level of coverage. It would certainly be worthwhile having a solicitor review the policy along with the business to ensure that it extends to the relevant regulatory fines.
It is also important to review the D&O insurance policies that are in place to cover claims against directors and officers for breach of duty and other management failings. While it is uncommon for claims arising from the failure to ensure proper management of cyber risks to be excluded from D&O policies, existing policies may not have been written with cyber liabilities in mind and therefore may need to be recast. Similarly, D&O policy jurisdictional exclusions may pose issues in the context of the international nature of cybercrime attacks.
Any D&O policy should be reviewed from the point of view of providing appropriate cover against claims against the director by the company itself, liquidators, administrators, shareholders and regulators.
Conclusion
Both executive and non-executive directors are increasingly facing exposure to cyber-related liabilities. By analysing the potential threats facing a business, planning contingencies in respect of those threats and putting in place appropriate insurance coverage directors can help protect against such liability.
With cybercrime giving rise to an increased focus on information governance, directors are presented with an opportunity to analyse their boards and add value by facing up to those threats and structuring policies and procedures that meet a very real business risk head-on.