Board member liability refers to the legal responsibilities and potential personal accountability faced by members of a company's board of directors. It encompasses a wide range of duties, from fiduciary responsibilities to ensuring compliance with applicable laws and regulations. With the NIS2 directive coming into force in October of 2023, this cyber governance matter, which is very often overlooked, needs to be addressed by the C-suite. Board members can now be held liable for damages resulting from negligence, breach of duty, or failure to act in the company's best interests.

This article is written by Cem Adiyaman ([email protected]) who is part of RSM Netherlands Business Consulting services with a focus on Strategy and Technology (law).

The NIS2 Directive is a piece of legislation aimed at significantly improving the cybersecurity posture across the EU. It's an evolution of the original Network and Information Systems (NIS) Directive, which was the first EU-wide legislation on cybersecurity. The NIS2 directive aims to address the shortcomings and limitations identified in the NIS Directive, extending its scope to cover more sectors and entities, and imposing stricter security and incident reporting requirements.

NIS2's primary goal is to enhance the overall level of cybersecurity in the EU by ensuring that both public and private entities in critical sectors (such as energy, transport, banking, and healthcare) as well as digital service providers (like cloud computing services and online marketplaces) have appropriate security measures in place. It also seeks to harmonize cybersecurity and reporting obligations across member states to ensure a unified approach to addressing cyber threats.

Intersections

The intersection of board member liability and the NIS2 Directive could arise where a failure to comply with the cybersecurity requirements laid out by the Directive leads to a breach or significant cyber incident. In such cases, board members could potentially be held liable for not ensuring that the company met its legal obligation to implement adequate cybersecurity measures. Board members therefore need to be aware not only of their general legal duties and liabilities but also of the specific regulatory requirements, such as those under the NIS2 Directive, that affect the operations and legal standing of the organizations they oversee.

While specific instances of board member liability due to cyber incidents in Europe are not extensively publicized, owing to the intricate nature of legal actions and often confidential settlements, the growing number and severity of such incidents undeniably heighten the legal and financial risks for board members and executives. The intersection between GDPR and the NIS2 Directive amplifies these risks, as the two regulations collectively raise the standards for data protection and cybersecurity: GDPR protects personal data, while NIS2 strengthens the security of network and information systems. Given the increasing frequency and severity of cyber incidents, it is crucial for those in leadership positions to ensure that comprehensive cybersecurity measures are implemented, since the combined mandates place greater emphasis on the accountability of board members and executives and on the legal and financial repercussions of non-compliance.

But wait, there is more!

Beyond the liability risks faced by board members, organizations must also navigate a multitude of other challenges stemming from non-compliance with the NIS2 Directive and GDPR. Administrative penalties under both regulations can be substantial [1], imposing significant financial burdens on entities that fail to adhere to mandated cybersecurity and data protection standards. Furthermore, the impact of an incident on business continuity cannot be overstated; the costs associated with disruptions to operations often extend far beyond immediate financial losses, affecting long-term business viability. Additionally, the intangible yet profound effects of reputational damage pose a critical risk. Such damage, difficult to quantify in monetary terms, can erode customer trust and investor confidence, potentially leading to lasting detrimental effects on the organization's market position and future prospects.

Forward Thinking

The evolving legal landscape suggests that it's only a matter of time before we see more explicit cases where board members are held liable for cyber incidents. Companies and their leadership must therefore be proactive in their approach to cybersecurity, treating it as a critical aspect of their governance and risk management practices to mitigate potential legal risks and liabilities.

Businesses with multiple entities must rigorously assess each subsidiary's cyber governance to align with regulations like the NIS2 Directive and GDPR. For instance, if a subsidiary responsible for data processing suffers a breach due to poor cybersecurity, the parent company's board members could face liability, given their oversight role. This scenario exposes the group to administrative penalties, reputational damage, and financial losses. Hence, ensuring comprehensive cyber governance across all entities is crucial to mitigate risks and maintain regulatory compliance.

RSM is Thought Leader in the field of Strategy and Technology Consulting. We offer frequent insights through training and sharing of thought leadership that is based on a detailed knowledge of regulatory obligations and practical applications in working with our customers. If you want to know more, please reach out to one of our consultants.


[1] For essential entities, NIS2 requires Member States to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher. For important entities, NIS2 requires Member States to provide a maximum fine level of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.