UK - Directors beware! The civil penalties for ransomware

Over the past six months or so, you would be hard pressed not to have read or heard about a cyber-attack. Attacks on the Colonial Pipeline in the United States; on Brenntag, a German chemical distribution company operating in over 77 countries; on the Harris Federation Schools, the largest academy trust in the UK, where data from 38,000 pupils was stolen; the more recent attack on Kaseya, a US information technology company, over the 4 July weekend; and the two recently reported attacks on barristers' chambers in London, with threats to publish sensitive client data if ransoms were not paid, are just a small handful of those recently reported. Such an attack can be highly damaging: sensitive data may be published on the dark web or more widely distributed if a high ransom is not paid, reputations may be damaged or destroyed and, where healthcare organisations such as the NHS have been attacked, lives can be (and have been) put at risk.

It may surprise some to learn that cyber-security is a board-level responsibility: directors could fall foul of the individual duties that they personally owe to the company if they do not consider, and take reasonable steps to mitigate, the potential losses and damage arising from such an attack. While directors can obtain insurance cover to protect themselves and the company against such risks, they will still need to demonstrate that they have taken reasonable steps to prevent a cyber-attack in order to escape potential liability.
