Cyber-attacks have been at the forefront of media reporting over the past few months, with the likes of Marks and Spencer, Adidas, Coinbase and the Co-operative being amongst the big names recently affected. The public sector has not been spared either, with the Legal Aid Agency and West Lothian Council also falling victim to similar attacks resulting in data theft.
Directors' duties
As a director, pursuant to the Companies Act 2006, your duties include the exercise of reasonable care, skill and diligence in making decisions on behalf of the company. Such care, skill and diligence is measured against the standard of a reasonably diligent person with both:
- Objective test: the general knowledge, skill and experience reasonably expected of a person carrying out the functions carried out by the director in relation to the company; and
- Subjective test: that director’s actual knowledge, skill and experience.
In short, a director will be (as a minimum) required to meet the objective test and, where a director has specialist knowledge or experience, will be subject to the higher standard measured on their specific experience under the subjective test.
In applying such duties to company cyber security, a director is expected to stay up to date with such issues as a minimum and if necessary seek professional or expert advice (and can be deemed negligent if they do not take such advice).
How can you approach this?
A director’s approach to their cyber security duties will vary depending on the size of the company and whether or not there is dedicated resource available to have an in-house cyber security function.
A director is able to rely on others (for example a dedicated cyber security team comprised of appropriately qualified personnel) by delegating management functions to such persons, but cannot fully abrogate responsibility. The director must retain a level of control and supervision over those persons through active monitoring and must maintain an awareness of risk warning signs.
Where such resource isn’t available (particularly in sole director companies), such director(s) may wish to outsource this function to a third party who can conduct assessments and report regularly on cyber risks.
What can you do immediately to mitigate security risk?
The following is a non-exhaustive list of immediate steps which you may wish to take or information you may wish to review when implementing a cyber security framework.
Internal audit
- Review the internal measures which the business currently has in place regarding its computer and internet usage, which could include:
  - User / password locked network – who has access to what?
  - Two-factor authentication;
  - Anti-virus / malware detection / firewall software; and
  - Cyber contingency plans.
- Determine what the company does or owns, and why a person or entity might seek to exploit flaws in its cyber security:
  - For example, does the company process large quantities of personal data or sensitive data, or facilitate the electronic movement of cash?
  - Are the directors or personnel aware of any disgruntled former employees, or has the company provided services to a customer under activist / public scrutiny?
Online guidance
- The National Cyber Security Centre provides free advice and guidance tailored to the size of your business (including self-employed / sole traders, SMEs and large businesses) and can generate an action plan based on responses to their questionnaire.
- The Information Commissioner's Office provides both brief and detailed guidance on data and cyber security, with a dedicated small business web hub specifically focussed on data security and compliance.
- The UK Government's Department for Science, Innovation and Technology has launched the Cyber Essentials programme with its partner IASME, whereby businesses can get assessed and certified (with a size-tiered fee structure). The website also features a range of free guidance and tools to help businesses secure themselves and their wider supply chain.
Personnel
- Are the company’s personnel trained on spotting cyber security threats such as phishing, man-in-the-middle threats or vulnerabilities caused by lax personal security?
- Do the company’s policies and processes place the responsibility of cyber security on the appropriate person and is the handling of data and privacy addressed in the staff handbook?
What measures can you put in place to bolster risk mitigation long-term?
Once a company has assessed its own internal measures and has identified areas to be improved, the directors may wish to table the following:
Accreditation
- Companies may seek certain accreditations which correlate with their own security objectives. Such accreditations include Cyber Essentials (and Plus), NCSC Certified Training, IASME (mentioned above) or in the case of cyber security personnel – CISSP.
- Some accreditations such as Cyber Essentials may be self-assessed and provide a good foundation to develop whereas others such as ISO 27001 (ISMS) may require rigorous scrutiny of internal measures.
Personnel
- As a company grows (or in relation to a larger company) it may wish to hire specific personnel to manage the cyber security of the business under the direction of the directors, or a suitably qualified consultant.
- The company, if outsourcing their cyber security function (perhaps as part of a wider outsourced IT function), may want to revisit the terms attaching to those services to ensure that information and cyber security are appropriately addressed.
Processes
- The establishment of a cyber security contingency plan (or development of an existing one) to control and mitigate the impact before, during and after a cyber-attack, addressing incident response and post-attack recovery.
- Diarised periodic software updates to ensure that any cyber security software (anti-virus / firewall) is running on the latest version, fixing any vulnerabilities and shutting out attackers.
Whilst the above measures are by no means exhaustive in relation to the steps a director can take to discharge their duties under the Companies Act in relation to cyber security, they provide a sound foundation for minimising a director’s liability should a cyber-attack occur.
Technology is, and will remain, ever evolving, and businesses are subject to further tests than just those arising from the Companies Act. Given the importance of businesses ensuring they are protected against cyber threats, please feel free to reach out to us should you wish to discuss cyber security and company compliance further at [email protected].