Functioning cybersecurity is a matter for the boss. The board of directors of a public limited company and no one else is responsible for this. This task can neither be delegated nor outsourced. If there is no adequate cybersecurity and a hacker attack causes damage to the company, the board is personally liable to the company (with his salary, his house, his savings, etc.) for all damages if he has not taken adequate care of functioning cybersecurity measures.

Many board members are not (fully) aware of this situation. By pointing to a division of labour in the board, cyber insurance for the company, the D&O insurance obligatory for executives or the lack of attractiveness of the company for hacker attacks, board members think they are safe and absolved of l ...