Policy Monitor

What Directors need to know about Cyber Security

Cyber security is often seen as a one-off or periodic exercise that is the responsibility of the IT department. Nick Denning, CEO of Policy Monitor, argues that it has become an integral part of a modern director’s role, vital to the long-term success and sustainability of organisations.

What are the duties of directors?

Company directors need to know about cyber security because it is integral to several of the seven statutory duties of the Companies Act of 2006[i]. These responsibilities include a “Duty to promote the success of the company” and a “Duty to exercise reasonable care, skill and diligence,” which sound simple and obvious but are in fact wide-ranging in scope.

Cyber security is crucial for safeguarding sensitive data, intellectual property, customer information, financial records, and other critical assets. Cyberattacks are no longer new or a novelty. Ignorance of cyber security threats is not a defence, so paying proper attention to cyber security has become fundamental to these duties.

The Board is responsible for ensuring that risks to delivering the strategy are identified, evaluated, and mitigated in line with the business risk appetite. Board members don’t need to be technical experts, but do need to know enough to have constructive discussions with key staff so that they can be confident that these risks are managed.

Cyber security is at least as important as physical security

It would be unreasonable for a director to be surprised by a burglary if the organisation’s buildings had no locks, yet many directors do not see cyber security as being just as important as physical security and organisational wellbeing. Physical checks on equipment, investment in security and safety devices, tests of emergency evacuation procedures and renewals of buildings insurance are standard, non-negotiable budget items that are renewed without question, yet investments in cyber security, cyber insurance and staff awareness training often need justification each year.

A data breach or cyberattack can result in significant financial losses, potentially fatal reputational damage, and legal and regulatory consequences which could stop the business from operating, result in large fines or even send the directors to jail. Directors treating cyber security seriously is the first step to mitigating risks and protecting the organisation’s overall wellbeing and longevity.

Compliance is a prerequisite to doing business

Many industries have specific cyber security requirements mandated by law or in industry-specific regulations. In many cases suppliers and business partners must prove that they meet such standards or they have no chance of winning business in a sector. Directors are accountable for ensuring the organisation is compliant with these standards to avoid penalties, fines, and legal action.

EU and UK data protection laws, global consumer privacy standards and payment processing rules are just a few examples of a growing number of laws requiring compliance. The results of non-compliance can be devastating. For example, breaking UK GDPR laws could result in fines of up to £17.5 million or 4% of annual global turnover. Cyber security should be near the top of directors’ priorities. A strong position on cyber security builds trust and protects an organisation’s reputation, which may well be its most valuable asset.

Cyberattacks can derail your business

Cyber security also plays a major part in another important element of a director’s role, namely ensuring business continuity and resilience. Cyberattacks can disrupt business operations, leading to outages, financial losses, and inefficiencies in business processes such as fulfilling orders or responding to customer queries.

Directors must recognise that cyber security is not solely a topic for IT but a critical aspect of business continuity and resilience. By implementing robust security measures, disaster recovery plans, incident response strategies, and communication plans, organisations can minimise the impact of cyber incidents. If these are well documented and kept up to date, they can also act as proof that the issue is being taken seriously, which can help win new business and reduce cyber security insurance costs.

Cyber security is an essential part of a modern director’s role

Cyber threats are constantly evolving, with cyber criminals becoming ever more sophisticated and persistent. Directors need to stay informed about emerging threats, security standards and best practices, so they can allocate appropriate resources to cyber security. Regular assessments, audits and risk management processes will help directors understand the organisation’s vulnerabilities and highlight where proactive measures are needed. Cyber security is not a one-off or annual exercise. Directors need to take it seriously and bake it into daily business operations.

Company directors need to pay regular attention to cyber security because in today’s business environment it is essential for protecting the organisation, complying with laws and regulations, maintaining trust and reputation, ensuring business continuity and gaining competitive advantage to help win new business. In prioritising cyber security, directors are performing an essential element of their role and contributing to the long-term success, sustainability and profitability of their organisation.


[i] https://www.legislation.gov.uk/ukpga/2006/46/part/10/chapter/2/crossheading/the-general-duties