Board of directors and cyber risks: duties of care and supervision
José Ramón Morales (partner of the Corporate Law and Commercial Contracts and the Technology & Outsourcing industry).
The importance of digital assets in organizations (personal data, key business information, trade secrets, algorithms, etc.) and the arrangement of corporate systems which are increasingly connected to third-party environments, have been accompanied by a growth of the corporate risks of a digital nature which organizations face. Not only the number of cyber incidents is growing very significantly, but also the type of entities affected and the potential seriousness both for whoever suffers them directly and for those whose systems or assets are indirectly endangered as a result of the attack suffered by others (customers, suppliers, trading partners).
The management of cyber risks becomes, in this context, a source of significant concern on the agenda of chief executives and the boards of organizations. Apart from the intrinsic damage due to the loss of valuable corporate data or information, a cyber incident exposes the organization to repercussions in relation to regulatory or contractual compliance, third-party claims, effects on the market price of shares or reputational damage. It can also trigger the resignation of executives or managers -as we have seen in some recent cases- and, in certain circumstances, constitute a source of liability for directors themselves.
These risks should be placed in context from the perspective of the duties of care and supervision of the directors of corporate enterprises. Under Spanish law, the director’s duty of care (the standard required is the one corresponding to an “ordenado empresario” -“organized businessman”-, Art. 225 of the Capital Companies Law, LSC) has been clarified in the recent reforms in 2014 with clear references to the duty of each director to have “adequate dedication”, to “adopt the necessary measures for the proper management and supervision of the company”; as well as the “duty to demand” and the “the right to obtain from the company” the appropriate and necessary information to allow him to fulfill his obligations.
In addition, the business judgement rule has been explicitly recognized in the Laws (Art. 226 LSC). This principle allows a clear margin for business judgement in the adoption of strategic and business decisions, since it recognizes that the standard of care of the organized businessman is presumed to be observed provided that, in addition to having acted in good faith and without personal interest in the matter decided on, the director has acted “with sufficient information” and “in accordance with an appropriate decision-making procedure”.
As an important element to clarify the scope of the board’s supervisory duties, in listed companies provision is made for the nondelegable nature of the powers relating to the determination of the policy on control and management of risks, and the supervision of internal information and control systems (section 1 of Art. 529ter of the LSC).
Although we will have to see how the courts assess these duties of care and supervision in relation to the management of cyber risks, it may be useful to find out the content of initiatives which have arisen in other jurisdictions which propose best practices for the management of cyber risks by the management body. Among them it seems important to mention the “Cyber-risk Oversight” handbook published in 2017 by the NACD-National Association of Corporate Directors, which points out five major principles which boards should consider so as to improve their supervisory role in this area:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
These general lines are explained throughout the NACD document, but from its mere list it may be expected that, although in a different legislative environment, corporate practices are being devised to determine the role and degree of involvement which the management body and its members should assume in the management of cyber risks.