Who is actually legally responsible for neglected cybersecurity in a company, what are the possible penalties and how you can get insured against such consequences? All that is revealed in our interview with Bořivoj Líbal, Associated Partner at the international law firm Noerr.
Which companies do you think should address security against cyber-attacks/risks?
Cybersecurity has become an essential part of the operations of virtually any company that uses online information systems to operate today. Therefore, I would recommend that almost all companies reasonably focus on cybersecurity, whether it is a multinational corporation doing business in the construction industry or a smaller business doing accounting. Neglecting cybersecurity can have many unfortunate consequences and, in extreme cases, lead to criminal liability.
Who in the company is actually responsible for securing the company against cyber-attacks/risks?
Generally speaking, the ultimate responsibility for ensuring cybersecurity lies with the statutory body of the company, be it the CEO or the Board of Directors. The statutory body is obliged to exercise its functions according to due diligence – in the context of cybersecurity, mainly to make sufficiently informed and responsible decisions. It is true that a statutory body does not have to be, and cannot be, an expert in all aspects of the business or even the individual activities of the company in which it operates. However, if they make a decision for which they are not professionally competent, they must choose an expert to make that decision.
In such a case, the expert in question may be, for example, another member of the elected body, who is then usually entrusted with the specific issue in question as part of the formal division of responsibilities. Such a division of competence is called horizontal delegation. However, the delegation of a particular agenda to one member who is an expert in the subject matter does not relieve the other members of their duty of control and cooperation and, of course, they are also responsible for having made an informed choice of the right member to whom the delegation was made.
And in the case where a member of the statutory body is an expert in the subject matter?
Then they are held to a higher standard of accountability for decision-making than other members of the statutory body. This means that they must be more proactive and provide information to the other statutory members as to why a decision is right or wrong. It should be noted here that simply not raising one’s hand without proper argumentation against an adverse decision does not necessarily mean that such a member of the statutory body will be absolved of responsibility.
In addition, a higher standard for those with certain knowledge can also be formalised in the context of horizontal delegation, i.e. the division of responsibilities between members of the statutory body, whereby if someone is cyber-savvy, as a statutory body member they will be more responsible for that particular area. At the same time, such expertise in the statutory body prevents the company from charging more than the remuneration of the statutory body for providing such expertise. If a member of the statutory body were, for example, an expert in cybernetics and came across a problem of this nature, which by its nature is within his competence, then he is obliged to solve this problem already by virtue of his position, that is, it is not possible for him to “hire” himself to solve this problem, typically for monetary compensation.
So, is it possible to transfer this responsibility from the CEO/board member to another professional?
Yes, we call such a process regular vertical delegation. It is a procedure where the statutory body delegates, and therefore transfers, responsibility for decisions on a particular matter to a third party outside the statutory body. Here, this is usually someone who works as an expert in the field. However, when the statutory body delegates its responsibility to a third party (whether on a regular or ad-hoc basis), it must always carefully observe three obligations to maintain due diligence. Firstly, he has to make a good and informed choice of the person to whom he delegates; secondly, he has to cooperate (i.e. in particular to create the conditions for cooperation, including the supply of documents, etc.); and finally, he has a duty to control that person within reasonable limits.
Now, it must be said that the statutory agent is responsible for making a reasonable and informed decision. Indeed, the outcome of an informed decision, whether positive or negative, falls within the category of business risk. Business risk is part of the business. The owner of the company must always take it into account in the course of his business and cannot successfully hold the statutory officer liable for any decision that ultimately harms the business. In other words, this means that a member of an elected body is not subject to penalty if they made a decision that they reasonably assumed to be informed, loyal and in the defensible business interest, even if the consequences to the company were nevertheless negative, for example, due to the misconduct of a correctly and properly selected external cyber expert.
If the expert then recommends certain security to the statutory body, must the statutory body obey without fail?
No, there is no obligation of unquestioning obedience. If the statutory officer doubts the proposed solution, especially in the context of economy or reasonableness, he may suggest solving the problem in another appropriate way.
So, what is the penalty if the statutory body does not implement the security or does not insure the company despite the recommendation?
In addition to the financial penalties arising from liability to the company, shareholders and third parties, the failure of the statutory body to provide security may also carry a risk of criminal prosecution. A breach of due diligence by a statutory manager can lead to the criminal offence of breach of duty in the management of someone else’s property if he causes damage of at least CZK 50,000. Since this offence can also be committed negligently, a member of a body who has not paid sufficient attention to his or her duties and has caused damage to the company by his or her inaction may also be held criminally liable. In practice, we often see members of bodies who do not actually perform their duties and are only appointed “by the numbers”. It is important to bear in mind that the responsibility for due diligence also lies with these persons, irrespective of their business arrangement with the shareholders who appointed them.
A member of the statutory body may insure against the risks described above by means of personal liability insurance for members of the statutory body. The insurance may cover not only the damage caused but also, for example, any legal or other representation costs, which may be desirable given that any legal proceedings may extend over a period of years.
Who can then actually recover the damages?
If a member of the company’s governing body is proven not to have acted with due care, then he is directly liable for the damage, as I have outlined earlier, not only to (i) the company itself and (ii) the shareholders, but he may also be liable to (iii) third parties, usually creditors, if he was obliged to compensate the company for the damage but failed to do so, and the creditor cannot enforce the obligation against the company. In addition, the member shall be obliged to reimburse the company for any benefit which he has acquired by the breach of due care. If that is not possible, he must make good the loss in money.
So, is there any general guidance on how a statutory body should behave with regard to cyber threats?
I would strongly advise all statutory bodies not to take cyber threats lightly, to act with due diligence in this matter and, as a safeguard, to take out the insurance I have already mentioned, if necessary. Failure to do so could have the aforementioned far-reaching consequences.
Thank you for the interview.