The reality of living and working in 2018 is that cybercrime is a constant threat.
Whether it’s malware that throws open back doors or clever phishing tactics, cyber crime is a threat that every business will have to face.
But in the event of a local business experiencing a cyber attack, who is responsible?
According to Associate at Webber Wentzel Berné Burger and candidate attorney, Daniel Vale, the liability of cyber attacks is increasingly falling squarely on the shoulders of directors and chief executive officers (CEOs).
“Although stipulating varying thresholds for directors with different skillsets, it is plain that all directors must maintain a degree of oversight over their companies’ information and technology security. With the increased prominence of e-commerce and the digitalisation of businesses, complete ignorance in this regard can no longer be pleaded,” explain Burger and Vale.
What the law says
In the past, if a firm were to experience a cyber breach of some form a director or CEO would be judged according to their skill level. Essentially a director could plead ignorance or inexperience in the matter and be judged more leniently but the Companies Act, no. 71 of 2008 together with the King IV report on corporate governance changed that.
“King IV, published in November 2016, signalled a significant change in the approach to corporate governance in light of advances in technology and digitisation that are revolutionising business and transforming products, services and business models,” explains the Webber Wentzel legal team.
“King IV urges organisations to strengthen the processes that help them, to anticipate change and to respond by capturing new opportunities and managing new risks.”
The pair adds that while the Companies Act and King IV don’t directly speak to a director’s liability it does increase the expectation of a director’s duties. A court would therefore look at recommended practices alongside what the law says and determine a director or CEOs liability based on that.
In addition to these two tomes, when the Protection of Personal Information Act (POPIA) is fully enforced, directors and CEOs would automatically be appointed as Information Officers who are responsible for complying with the Act.
“It is pivotal that directors stay in tune with the duties with which they are obliged to fulfill in the developing world of information and technology,” Burger and Vale conclude.
[Image – CC 0 Pixabay]