
Cyber security is no longer a matter for IT teams alone. It is a core governance and risk management issue that sits within the remit of company directors. As organisations become more dependent on digital systems and data, directors must ensure that cyber risks are identified, assessed and managed in line with their statutory and fiduciary duties.
Directors’ Duties under the Companies Act 2006
The principal duties of directors are set out in the Companies Act 2006. In the context of cyber security, the following duties are of particular importance:
Section 172 requires a director to act in the way they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole, having regard (among other matters) to the likely long-term consequences of decisions and to the desirability of maintaining a reputation for high standards of business conduct. Major cyber incidents can cause severe financial, operational and reputational harm. Building and maintaining cyber resilience is therefore integral to sustaining long-term corporate success.
Section 173 requires directors to exercise independent judgement. Directors should not simply defer to management or IT teams on cyber risk decisions without appropriate oversight, scrutiny and challenge.
Section 174 requires directors to exercise reasonable care, skill and diligence. The standard is that of a reasonably diligent person with the general knowledge, skill and experience reasonably expected of someone carrying out the director’s functions, together with any greater knowledge, skill and experience the director actually has. Directors are not expected to be cyber specialists, but they must take reasonable steps to understand material cyber risks, obtain appropriate advice, challenge management where needed, and ensure that suitable systems, controls and assurance mechanisms are in place.
The 2025 M&S Cyber Attack
The cyber-attack on Marks & Spencer (M&S) in 2025 illustrates the scale and impact of cyber risk. The incident disrupted online services, payment systems and wider operations, resulting in significant financial losses and operational difficulties.
Key Lessons for Directors
- Cyber security is a director responsibility. Directors should receive clear, regular reporting on cyber risks, vulnerabilities, incidents and mitigation.
- Third-party risk requires active oversight. Directors should ensure robust due diligence, contractual protections and ongoing monitoring of suppliers and contractors.
- Incident response planning is essential. Companies should maintain and routinely test incident response, business continuity and disaster recovery plans.
- Investment in resilience is a governance matter. Directors should be satisfied that appropriate resources are allocated to cyber security, staff training and technical safeguards.
- Regulatory and litigation exposure is increasing. Serious breaches can trigger regulatory investigations by the Information Commissioner’s Office, shareholder actions, contractual disputes and reputational damage.
Governance Implications
Although the Companies Act 2006 does not explicitly reference cyber security, its statutory duties oblige directors to give proper consideration to cyber risk within their overall governance responsibilities. In the current threat landscape, inadequate oversight of cyber security may amount to a failure to exercise reasonable care, skill and diligence under section 174, particularly where foreseeable risks are disregarded or appropriate controls are not implemented.
Conclusion
The M&S incident reinforces that cyber security is not merely a technical concern but a strategic and legal issue requiring active director engagement. Directors who establish robust cyber governance, effective risk management and organisational resilience will be better placed to discharge their duties under the Companies Act 2006 and to safeguard the long-term interests of their companies.
If your organisation needs guidance on director responsibilities, cyber-risk governance or strengthening your company’s resilience, get in touch with our Corporate & Commercial team. We can help you understand your obligations and put robust measures in place to protect your business.
The contents of this article are a general guide only at the date of publication. They are not comprehensive and do not constitute legal advice. Specific legal advice should be sought in relation to the particular facts of a given situation.