Directors' Duties to Tackle Emerging Cyber Threats

05 June 2017

What must Directors do to tackle the emerging threats of cyber attacks and regulatory burdens?

First of all, look at the company’s Business Continuity Plans and insurance coverage.

Business continuity is affected when a company is hit by a distributed denial-of-service (DDoS) attack against insecure internet-connected devices, such as Internet of Things (IoT) devices like cameras, webcams and digital video recorders, which become infected with malware.

Therefore, companies must think carefully about their Internet-exposed infrastructure and that of their vendors, everything from a customer online portal to their building’s heating, ventilation and air-conditioning system, and brace for heightened levels of disruption to operations if attacked.

We saw, with the recent attack on the NHS, a similar trend emerging with regard to ransomware, the malware that holds its victims’ data hostage through encryption until a ransom is paid in bitcoins.

Naturally, where records are the target, the criminals steal sensitive files and, rather than locking them down with encryption, use the information within them.

So it is clear that directors must evaluate cyber-risk differently and, while most companies have a business continuity plan, many have not stress-tested their plans against these evolving threats.

One method for doing so is to enlist employees or a cyber-security firm to attempt to execute attacks through so-called “red teaming,” which should help companies identify any shortcomings before an attack strikes. Certainly, such an effort will signal that the board and management are paying attention to these risks.

The board also should determine whether the company’s insurance covers these new risks.

Cyber insurance has traditionally focused on privacy breaches, but companies now increasingly seek policies that cover:

· business interruption coverage
· systems failure
· cyber extortion
· digital asset restoration
· contingent business interruption coverage, which covers business interruption caused by a third party such as a cloud provider.

Therefore, the business should consider readjusting its insurance coverage accordingly.

Separately, there needs to be scrutiny of the company’s Cyber-risk and Incident Disclosures in readiness for the mandatory reporting of breaches under the EU General Data Protection Regulation (EU GDPR).

Companies should also expect that cybersecurity whistleblowers will become more prevalent. Directors should therefore first ensure that the company has afforded opportunities for whistleblowers to report internally, and that management has trained information technology managers about what could form the basis for cyber-security whistleblower complaints and how to properly receive and escalate any issues raised by internal reports to the appropriate level.

 

For further advice and guidance, please contact Aaron Pearson on 0151 659 1070.


This article is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of the law firm.
