Just what are the responsibilities of board members in relation to cyber resilience?
A useful approach to answering this question is to consider four separate areas:
Legislative responsibilities vary depending on the type of legal structure used for the organisation in question. A useful reference point for all board members lies in the consolidated Companies Act 2014, where, for the first time, the duties of directors were codified. The relevant section (s.228) contains three references of particular interest:
A director of a company shall:
- act in good faith in what the director considers to be the interests of the company;
- act honestly and responsibly in relation to the conduct of the affairs of the company;
- exercise the care, skill and diligence which would be exercised in the same circumstances by a reasonable person having both:
  - the knowledge and experience that may reasonably be expected of a person in the same position as the director;
  - the knowledge and experience which the director has.
"Acting responsibly" means board members need to understand the threats facing their organisation and to direct management to take appropriate measures (following up to ensure that they are completed to the satisfaction of the board).
Regulatory requirements, set out in governance codes, are explicit about the board's responsibilities:
“The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic

“Advising on key risk is a matter for the

(Code of Practice for the Governance of State Bodies, 2016)
And the regulators supervising firms are taking an increasingly strict stance:
“...there should be a sufficient skill set on the board to challenge and oversee [the cyber security] strategy. This skill set and knowledge should be built upon and refreshed regularly to enable the board to understand the evolving nature of the threat and the implications for the business”
(Central Bank of Ireland, 2020)
Board members must also consider the varying demands of the wide range of regulators relevant to their organisation. These include sector-specific regulators (such as financial services, food, telecommunications, etc.) as well as regulators that monitor all organisations (such as data protection, health and safety, etc.).
Contractual requirements are specific to each firm and reflect the particular contracts it has entered into with customers, suppliers and others. The terms and conditions of individual contracts can be onerous enough in themselves (and they often bear on cyber security); the addition of explicit service level agreements may dramatically increase the obligations on the organisation, the most material of which may require specific board direction and oversight.
Policy requirements, often the poor relation in considering the ‘conformance universe’, represent explicit commitments by the organisation (the most important of which will be directly approved by the Board rather than by management). Many of these will directly impact cyber resilience (for example, because the policy concerned reflects how the organisation has chosen to comply with specific legislation or regulation, in some cases making commitments above and beyond what is strictly required).