Empty shelves, an inability to take online payments, and reports that recovery will take months: the cyber attack that recently hit high street stalwart Marks & Spencer (M&S) has rocked the retail world. The group behind the attack, Scattered Spider, is also suspected of having infiltrated Co-op and Harrods. Co-op has reported that members' data has been stolen.
Harrods was not hugely affected and managed to keep its physical and online stores running. The luxury store also confirmed that no data had been compromised. M&S, however, has seen £500 million wiped off its stock market value. These events, and the fact that Scattered Spider has stated its plans to attack more businesses, have served as a wake-up call for businesses. Many company directors will be wondering what they must do to comply with their directors' duties in the event of a cyber attack.
What is the UK Government saying about the cyberattacks?
Cabinet Office Minister Pat McFadden will deliver a speech at the CyberUK conference in Manchester next week, in which he will tell businesses to make cybersecurity 'an absolute priority':
"These attacks need to be a wake-up call for every business in the UK.
"In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cybersecurity as an absolute priority.
"We've watched in real time the disruption these attacks have caused, including to working families going about their everyday lives.
"It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way."
What are directors' duties concerning cybersecurity?
All company directors must comply with the general directors' duties set out in Chapter 2 of Part 10 of the Companies Act (CA) 2006. These are:
- To act within powers.
- To promote the success of the company.
- To exercise independent judgment.
- To exercise reasonable care, skill, and diligence.
- To avoid conflicts of interest.
- Not to accept benefits from third parties.
- To declare any interest in a proposed transaction or arrangement with the company.
The company's Articles of Association may also impose further duties. In addition, a director must comply with duties and responsibilities contained in other legislation, such as the UK GDPR and the Data Protection Act 2018.
Although the general directors' duties make no specific mention of cybersecurity, the duty to exercise reasonable care, skill, and diligence requires directors to put adequate cybersecurity measures in place, including incident response plans to be followed in the event of a breach.
What are the defences available for breaching directors' duties?
It is important to note that the general directors' duties are owed to the company, not to individual members. An action against a director for breach of duty is therefore the company's to bring; a member may pursue such a claim only on the company's behalf, by way of a derivative claim under Part 11 of the Companies Act 2006.
Section 1157(1) of the Companies Act 2006 provides that where proceedings for negligence, default, breach of duty, or breach of trust are brought against directors, the Court may relieve them from liability, wholly or in part, if it considers both that:
- They acted honestly and reasonably.
- Having regard to all the circumstances of the case, they ought fairly to be excused.
A director may also apply to the court for relief where they have reason to believe that such a claim will or might be brought against them.
When it comes to cybersecurity, it is absolutely essential to ensure that:
- All measures taken to prevent cyber attacks are documented and regularly reviewed. Processes and procedures should be in place to contain the damage should an attack happen, and to respond and recover quickly.
- New advice from organisations such as the National Cyber Security Centre (NCSC) is communicated to staff and other relevant stakeholders, such as suppliers and agents. For example, following the recent attacks, the NCSC has issued new guidance warning that attackers are impersonating IT help desk staff.
- Policies and procedures are in place for complying with the UK GDPR if a personal data breach occurs. This includes notifying the Information Commissioner's Office (ICO) and, where required, the affected data subjects.
Part of your incident response plan for a large cyber attack should be to seek expert legal advice early, to minimise the risk of claims against the company and its directors. This will help limit any reputational damage stemming from the incident and keep the focus on customer care and recovery.
Tanveer Qureshi has a robust track record of successfully advising and defending directors who are facing disqualification and/or damages claims. If you require legal representation, please get in touch with Tanveer directly at tqureshi@libertaschambers.com or via his Chambers, Libertas Chambers on 020 7036 02000.
Author bio
Tanveer Qureshi specialises in general crime, white-collar crime, and regulatory investigations and prosecutions. He has over 20 years' experience and is passionate about ensuring his clients get results and achieve justice. When not poring over case briefs, Tanveer gets up at 4.30am to get his gym workout done and is a committed motorsports fan.