According to Marsh company directors and officers need to be certain of their responsibilities relating to the prevention or management of a cyber event, or else they run the risk of being held personally liable should an attack against their firm occur.

Under many regulatory regimes, directors and officers have extensive responsibilities to implement systems and controls to manage their company’s data usage. If, following a cyber attack, it is found that they have breached these fiduciary duties, company directors and officers could be personally exposed to lawsuits, shareholder class actions and regulatory activity.

Beth Thurston, head of Management Liability, Financial and Professional (FINPRO) Practice, Marsh, said: “Management boards should develop cyber strategies that take these legal obligations into account. However, it is clear from recent high-profile cases that such strategies must be more than a box-ticking exercise – the management of cyber risk now needs to be an intrinsic part of day-to-day life for management boards.”