Corporate governance and directors’ duties in the UK
DAC Beachcroft’s London Corporate team and the Governance Advisory Practice have produced the UK chapter of the multi-jurisdictional guide to Corporate Governance and Directors’ Duties for the…
Published 1 June 2016
Cyber security is an issue for most individuals and all sizes of organisation, and within organisations it is now generally accepted that it should be a board-level matter, and not one for the IT department to tackle alone.
The risk is increasing for a plethora of reasons: more companies depend on their online offering, more companies depend on intellectual property held electronically, and more companies hold ever-increasing volumes of customer and employee information electronically, and these are just the tip of the iceberg.
Companies can suffer a cyber breach without realising it has even taken place. As well as the general risk to an organisation’s reputation, there are legal obligations and financial exposures that may result from data or security breaches.
The fact that a few small, basic steps can significantly reduce the risk prompted BIS (the Department for Business, Innovation and Skills), in collaboration with others, to publish its 10 Steps to Cyber Security suite of advice and its Cyber Essentials scheme. The role of the general counsel in helping to ensure not only that current regulations are followed and new regulations foreseen, but also that best practice is embraced by the organisation, is illustrated by the fact that the Association of General Counsel and Company Secretaries working in FTSE 100 Companies (GC100) thought fit to produce a guidance note on this topic for general counsel and company secretaries in February this year.
In the Governance Advisory Practice at DAC Beachcroft we often work with boards on their role and, when advising on the content of their schedule of matters reserved for the board, look to ensure that oversight of cyber security is given suitable prominence. Among a number of helpful resources for companies, perhaps most tellingly, BIS has issued a note aimed specifically at non-executive directors, drawing their attention to the kinds of questions they should be asking of themselves, their board colleagues and board committees. Questions include:
Clearly, when checking whether cyber risk is being appropriately managed internally, there is overlap with a general review of risk management: does information on new risks flow up, down and across the organisation? Is the risk register a meaningful document?
Cyber risk is after all just one of a number of risks on which boards will want to satisfy themselves that the appropriate risk identification and management processes are in place, and working effectively.