Board accountability: not if, but when
- Jessica Figueras

- Mar 3
Updated: Mar 9

Board accountability for cyber resilience failures has been a hot topic since last year's high-profile breaches at JLR, Marks & Spencer and the Co-op. And whilst few will disagree that boards should be accountable, the current debate seems to be generating more heat than light.
The Government's Cyber Security and Resilience Bill is currently passing through Parliament, and some accounts of the debate have suggested that MPs chose not to legislate on board accountability. In reality it will be dealt with in secondary legislation rather than in the main Bill text, which allows the regulation to be more robust and more responsive to change than primary legislation would be.
And a cynic might say that the debate is just theatre, because board accountability for cyber resilience already exists in law.
The Companies Act 2006 sets directors' duties out clearly: a duty to "promote the success of the company" (section 172), to "exercise independent judgement" (173) and to "exercise reasonable care, skill and diligence" (174). Directors can be sued by the company itself, liquidators, shareholders or others, and in some circumstances are open to criminal prosecution.
Most directors understand that their duties apply across the full range of risks, including cyber security, even if many boards are only now paying attention. It is spelt out even more explicitly for organisations regulated under the NIS regime (which will be strengthened by the Cyber Security and Resilience Bill). They are required to undergo assessment against the NCSC Cyber Assessment Framework (CAF), or an equivalent, and the CAF's governance principle dedicates a contributing outcome specifically to board direction.
So I'd argue that we already have plenty of levers by which to hold boards and directors accountable. The real question is, when is anyone going to use them?
Join the debate: CxB is convening a Chatham House conversation about board accountability for cyber on 23rd March. Register to attend