
A stricter board responsibility for cyber security

06/05/2024

The board is responsible for the proper organization of the company, which also means that both the general manager and the board members may become liable for loss and damage. Two factors in particular sharpen this responsibility, write three lawyers at BULL.

By Henrik Monrad Stranheim Krokå, Kristian Foss and Tara Årøe

The first factor is the new and tightened requirements for cyber security. As usual, the EU is leading the way and is introducing three new acts on cyber security, namely the Cyber Resilience Act, NIS2 and DORA.

The Cyber Resilience Act sets requirements for security in gadgets (products with digital elements) as well as in software. These requirements can cover everything from connected cameras and Wi-Fi routers to biometric readers and toys.

The NIS 2 directive applies to security in network and information systems of private and public actors in a wide range of sectors. The scope of the act is much wider than that of NIS 1, which will be implemented in Norwegian law through the Digital Security Act (Digitalsikkerhetsloven).

The Digital Operational Resilience Act («DORA») establishes new requirements for cyber security in financial institutions. The requirements will apply not only to the big banks that we all are customers of, but also, among others, to payment institutions, investment firms, insurance undertakings, crowdfunding service providers, audit firms and ICT third-party service providers.

A common denominator for all the acts is that a significant part of the responsibility for cyber security is assigned to the company board.

The Supreme Court is more explicit

The second factor is the Supreme Court's tightening of board liability under the Limited Liability Companies Act. The starting point for liability under Norwegian law is that the person who has inflicted the loss or damage must have acted negligently in order to be liable, that is, a requirement of culpability.

The Supreme Court explicitly stated in a court case from 2016 that if "duties that objectively apply to the person concerned" are violated, there is a presumption that the person concerned has acted negligently.

The court case implies that Norwegian courts will presume that the boards of companies regulated by the new EU acts on cyber security have acted negligently if they have not complied with the rules and a loss or damage has occurred.

What steps should be taken?

To avoid violations of the many new rules, companies should start by assessing whether their business is affected. If so, the next step is to understand the content of the rules, and then to evaluate to what extent they are already compliant (normally not very much).

Finally, the company must lay down a plan to close the gaps and actually follow it. All these steps can be demanding, especially the last one.

Even if solid efforts are made, one can never be completely certain of compliance. We recommend that you handle the residual risk by taking out cyber insurance.

When will the new rules apply?

The deadline for implementation in the EU of the first rules is this October, and they will enter into force immediately. Norwegian authorities have signaled that the rules will be implemented in Norway simultaneously.

This article is also published on digi.no: https://www.digi.no/artikler/debatt-styrets-ansvar-for-cybersikkerhet-strammes-til/546397 

A service provided by Bull & Co advokatfirma AS