Cybersecurity – an obligatory item on the Supervisory Board’s agenda

Cybersecurity has become an incredibly hot topic both in Poland and globally. Recently, numerous companies have fallen victim to cyber attacks, some of which resulted in considerable losses. A global study conducted among directors by WTW and Clyde & Co identifies cyber attacks and data loss as the two main risk factors facing businesses today.

In the U.S., the SEC has proposed new rules for disclosing cybersecurity incidents, risk management, strategy and governance. At the same time, in recent months we have observed a number of lawsuits filed by shareholders claiming failures in the duty of oversight relating to cybersecurity. A shareholder lawsuit was filed, among others, against T-Mobile USA’s board of directors, pointing to a lack of monitoring of, and action upon, obvious red flags.

The Association of Independent Non-Executive Directors would like to point out that, given the risk associated with failures in the area of cybersecurity and the fact that many companies still have a substantial number of gaps in this area, cybersecurity should be included in the agenda of the Supervisory Board or Audit Committee every year. Considering the current environment, it seems highly advisable that Supervisory Boards perform an urgent review of cybersecurity, including an audit of this area, for which they may use the support of specialized external firms.