
As the legal profession embraces digital transformation and new technologies, the role of cyber lawyers in advising boards has never been more critical. Cyber security is no longer a back-office concern but a central pillar of governance, particularly as boards across the UK and EU face growing regulatory expectations under frameworks such as the EU’s Digital Operational Resilience Act (DORA) and NIS2 Directive, and the UK NIS Regulations.

Recently, the UK’s Institute of Directors (IoD) emphasised this need in its published lessons from the ongoing Post Office Horizon IT scandal: "Going forward, navigating the AI transition and managing cyber security threats will become ever more important issues for directors. Although every director does not need to be an IT expert, a high level of tech literacy should be seen as a prerequisite for a directorship."

This guide provides practical advice for cyber lawyers on supporting boards in fulfilling their fiduciary duties, mitigating risks, and fostering a culture of cyber resilience. Leveraging Thomas Murray’s expertise, cyber lawyers can help boards navigate this complex terrain with confidence.

Understanding fiduciary duty and key regulatory frameworks

At the core of a director’s responsibility is fiduciary duty: an obligation to act with loyalty, care, and good faith in the best interests of the company and its stakeholders. Under fiduciary duty principles, directors are required to make informed decisions and manage risks effectively, including cyber risks that could threaten company assets, reputation, and shareholder value. Directors in the UK and EU share this fundamental duty under the UK Companies Act 2006 and equivalent EU laws.

Neglecting cyber risk management can be deemed a breach of fiduciary duty, leading to personal liability and potential litigation if the board fails to take reasonable precautions to protect the company. Fiduciary duty underpins existing and emerging regulatory frameworks like DORA, NIS, and NIS2, which set explicit expectations for cyber security oversight and accountability, detailed as follows:

  • DORA (EU): Targeted at financial entities and their ICT providers, DORA mandates that boards oversee ICT risk management, conduct resilience testing, and report incidents. Accountability requirements under DORA demand that boards actively engage in compliance and continuity strategies to protect market stability and client assets. Failing to do so may lead to regulatory penalties and potential derivative lawsuits from shareholders seeking damages for negligent oversight.
  • NIS and NIS2 Directives (EU): Effective in 2024, NIS2 expands regulatory obligations to include sectors such as healthcare, telecommunications, and critical infrastructure. Medium and large organisations in these sectors must implement cyber security measures and establish incident reporting mechanisms, with boards playing a pivotal role. Non-compliance with NIS2 may expose directors to civil litigation from affected stakeholders in addition to regulatory fines, especially where fiduciary duty is considered breached due to inadequate cyber preparedness.
  • UK NIS Regulations and Cyber Security and Resilience Bill: Similar to NIS2, the UK’s NIS Regulations and the forthcoming Cyber Security and Resilience Bill cover essential and digital services, focusing on managed services and supply chain security. Boards are responsible for adapting to evolving compliance standards, with a fiduciary obligation to safeguard the organisation’s resilience. Breaches stemming from insufficient oversight or adaptation may prompt civil claims and lead to scrutiny of fiduciary duty compliance.

Addressing personal liability and accountability

Cyber lawyers must prepare boards for potential personal liability for cyber security oversight failures, especially under regulatory frameworks like DORA and the UK’s Senior Managers and Certification Regime (SM&CR), which make senior managers directly accountable.

  • Personal Liability: Boards face personal accountability for cyber oversight failures under DORA and SM&CR, particularly in financial services where standards are high. Personal liability may be pursued in cases of negligence, especially if boards disregard cyber risks, leading to regulatory action or shareholder litigation.
  • Mitigation Strategies: Cyber lawyers should advise on securing directors’ liability insurance (D&O insurance) and establishing thorough documentation of proactive measures, including resilience testing and compliance adherence. This documentation supports the defence of fiduciary duty and mitigates litigation risks.

Building cyber resilience and incident preparedness

A proactive approach to cyber resilience helps boards demonstrate compliance and fulfil fiduciary duty in protecting the company against risks.

  • Incident Simulations and Testing: DORA and NIS2 mandate resilience testing, while the UK’s National Cyber Security Centre (NCSC) provides tools such as Exercise in a Box. Regular testing prepares boards for disruptions and offers evidence of proactive governance to defend against negligence claims in case of a breach.
  • Third-Party Risk Management: Given DORA’s and NIS2’s focus on supply chain security, third-party vendors should be carefully managed. Contracts should include compliance clauses, and regular audits should be conducted to mitigate board liability for third-party breaches, which can otherwise result in claims for damages.

Fostering a cyber security culture and leveraging threat intelligence

A strong cyber security culture and threat intelligence support effective governance and demonstrate the board’s fiduciary commitment to managing cyber risk.

  • Cyber Security Culture: Cyber lawyers should advise boards to foster a security-first culture that promotes cross-department collaboration. Poor culture may lead to litigation if internal negligence contributes to incidents, as courts may deem it a breach of fiduciary duty.
  • KPIs and Benchmarks: Working with the key cyber security or information governance individuals in the business to design KPIs or benchmarks for resilience, preparedness, and culture could help directors monitor their progress.
  • Threat Intelligence: Access to real-time threat intelligence allows boards to anticipate sector-specific risks. Failing to address these risks—such as ransomware or supply chain vulnerabilities—can result in regulatory penalties and litigation if stakeholders claim the board neglected fiduciary responsibilities.

Aligning data protection and privacy compliance

Data protection and privacy are critical to cyber governance, with GDPR compliance and anticipated UK data reforms as central components.

  • GDPR and UK Data Reforms: Boards must comply with GDPR and prepare for the UK Data Protection and Digital Information Bill, aligning with DORA and NIS2 requirements. Ensuring cohesive data protection practices reinforces fiduciary duty and reduces litigation exposure from data breach lawsuits and regulatory fines.

Litigation risks

Directors can be exposed to regulatory penalties and litigation for cyber governance failures, especially if they breach their fiduciary duties to act with reasonable care and skill. Potential litigation includes:

  1. Civil suits: Stakeholders (e.g., shareholders, clients) may sue for damages if cyber incidents lead to financial losses.
  2. Derivative actions: Shareholders may pursue claims on behalf of the company for reputational or financial harm linked to weak governance.
  3. Class-action lawsuits: Data breaches involving sensitive information often lead to class actions, particularly under GDPR.
  4. Regulatory enforcement: Beyond fines, regulators may impose restrictions on directors or pursue personal penalties in cases of egregious neglect.

As a result, directors must show diligent cyber governance, leveraging regulatory guidance, best practices, and robust risk management to limit liability. Proactive measures not only ensure compliance but also serve as essential defences against litigation.

Competitive advantage

Encouraging clients to see cyber governance as a source of innovation and competitive advantage can shift the narrative from compliance to tangible strategic opportunity. Boards that prioritise robust cyber practices not only mitigate risks but also position their organisations as leaders in security and resilience. This proactive approach builds customer and stakeholder trust by demonstrating a commitment to protecting sensitive data and ensuring operational continuity.

Furthermore, strong cyber governance can serve as a market differentiator, particularly in sectors where clients and partners increasingly prioritise security in their decision-making. By integrating cutting-edge technologies, such as AI-driven threat detection and advanced encryption methods, boards can showcase innovation while fostering a reputation for reliability and foresight. These efforts not only enhance resilience but also contribute to long-term competitive advantages, making cyber governance a cornerstone of strategic growth.

Leveraging Thomas Murray for board engagement

UK and EU boards are legally required to adopt proactive cyber governance strategies to meet DORA, NIS2, and NIS regulations. By integrating sector-specific insights and structured risk management, cyber lawyers can help boards achieve compliance while limiting organisational and personal liability.

Thomas Murray offers tailored regulatory insights and threat intelligence, supporting boards in understanding compliance nuances, especially under DORA and NIS2. By providing real-time, sector-specific cyber threat intelligence on emerging risks such as ransomware, AI-driven threats, and supply chain vulnerabilities, Thomas Murray can enable boards to make informed decisions on resource allocation and risk mitigation. 

For cyber lawyers, partnering with Thomas Murray can help to enhance your client’s board-level discussions on effective governance, strategic resilience, and regulatory alignment.