Why Company Boards must take Cyber Security out of the too difficult pile!


Lady Barbara Judge was recently quoted as saying that the “whole issue of cyber security is so overwhelming to boards that they often put it in the ‘too difficult’ category”.

A recent survey of the UK’s FTSE350 companies showed that although companies are worried about cyber security about a quarter of them fail to take any action.  In the age of a growing cyber security threat landscape and the resulting rise in litigation this a risk that boards can no longer afford to ignore!

So what are the reasons for this complacency?  The  FT/ICSA Boardroom Bellwether survey  found that companies simply feel they have bigger fish to fry and there are more important risks to be concerned about.  Politics and the debate about the UK leaving the EU together with litigation were considered more critical risk factors.  Is this because, fundamentally as Lady Judge said, boards often lack the knowledge to understand the cyber threat and all that it entails?

Cyber security is seen as a buzz word associated with scaremongering and not a reality.  Members of boards are baffled by cyber threat terminology, not understanding the IT language in which cyber security is often communicated. In the cases where directors do accept that a cyber attack is likely to happen, they think that financially they can afford to “take the hit”.  However, with the increasing litigation over cyber security breaches and the fact that litigation generally is high on their risk list, companies will be forced to take more proactive approach to their information security.

UK Companies are governed by the UK Corporate Governance Code which states that Directors are expected to assess and mitigate principal risks facing the company, with UK listed firms required to make a statement to this effect in their Annual Company Report.  Although this is not legally binding the Institutional Share Services organisation can recommend, under extraordinary circumstances, to vote against individual directors for material failure of governance of stewardship and risk oversight.

After the Target breach in the US the CIO and CEO resigned as a result of public and shareholder pressure.  Whilst most litigations a result of a cyber attack have been in the US it is only a matter of time before we see a significant case in the UK.  This shows us that shareholders are not afraid to scrutinise company directors and the board for their role in not taking adequate steps to protect their information and prevent the damage.

Litigation in the UK until now has been rare, the main reason being the difficulty in establishing the nature and extent of financial loss in the aftermath of a breach. However, in the case of Google v Vidal – Hall  earlier this year the court found that the claimants could claim for distress without having to prove pecuniary loss. This has greatly increased the scope for compensation claims in the future.

Regulators are also keen to be seen to be taking tougher action on data loss with fines from the Information Commissioners Office (ICO)  and the Financial Conduct Authority (FCA) on the increase. At the moment the ICO has the ability  to set fines of up to £500,000.  When the EU Data Protection regulation comes into force we will see fines of up to 5% of annual worldwide turnover or 100M Euros whichever is the greater.  

Directors in the UK are under increasing pressure to account for any failures of their company’s data protection policies.  They must reassess their duties to exercise reasonable skill and care to mitigate the principal risks to their business. This now means reviewing their information security risks, protecting their most critical information and putting robust plans in place to deal with a breach when it happens!

To find out how Broadgate might assist with this, please visit our Assurity page.  We specialise in working with boards to identify their key cyber security risks and how to protect them.

RSS Feed Subscribe to our RSS Feed

Posted on : 27-11-2015 | By : Jack.Rawden | In : Cyber Security

Tags: , , , , , ,

Write a comment