Cybersecurity and board responsibilities

The “Wannacry” ransomware attack that disrupted businesses around the world on 12 May has led to the need to consider more carefully the impact of a cyberattack and its implications not only on the protection of consumer data, but also on the company’s financial and sensitive data.

A cyberattack can not only cause the loss of a company’s consumer data, it can also expose confidential information relating to a company, such as ongoing regulatory investigations, or it may cause the loss of intellectual property other than of consumer data.  Financial risks as well as reputational risks are at stake for a company.

Boards are therefore increasingly coming to the realization that a data leek due to cybercrime is a serious risk management issue.

This is a challenge as while most directors are somewhat informed about cybersecurity, it is often very difficult for them to stay updated with the latest information, and especially to deploy sufficient investments to protect the company from ever changing cyber risk. Also, cybersecurity has in most companies been delegated to an IT manager with no sufficient budget or decision making power.

Accepting that this is a key enterprise risk which needs to be addressed at a board level and not just at an IT management level is an essential switch that boards need to make.

The key reason is that a lack of proper action may lead to board responsibilities towards the company (ie under Art. 2392 of the Italian Civil Code for example for lack of appropriate action to protect the company).

cropped-foto-stefania-sito-web-3.jpg© Stefania Lucchetti 2017.  For further information Contact the Author

Articles may be shared and/or reproduced only in their entirety and with full credit/citation. 

One Reply to “Cybersecurity and board responsibilities”

Comments are closed.