Stepping stone liability of directors for cyber incidents
In a world increasingly dependent on digital infrastructure, cyber incidents have become a significant risk for organisations of all sizes. While businesses focus on mitigating operational and reputational damage, company directors must also be aware of their personal legal exposure. One of the emerging concepts in this area is “stepping stone liability”, where directors may be personally liable in relation to a cyber incident.
How are directors personally liable for cyber incidents?
The concept of “stepping stone liability” is a legal doctrine whereby a director becomes personally liable for failing to prevent a company’s breach of laws. The company’s contravention of laws therefore acts as the “stepping stone” for the director’s personal liability.
In a cyber incident, data breaches, ransomware attacks and unauthorised access to sensitive information can result in the company breaching regulatory requirements such as the Personal Data (Privacy) Ordinance (Cap. 486). Companies in regulated sectors may also be at risk of being found non-compliant with specific sectoral guidelines issued by the relevant regulators.
If it is established that directors failed to implement appropriate cyber risk management strategies, did not keep themselves informed about cyber threats, or neglected to ensure compliance with legal obligations, they may be at risk of being in breach of their duties. The company’s regulatory breach thus becomes the “stepping stone” to director liability.
Directors have a statutory duty to act with reasonable care, skill and diligence. This encompasses a responsibility to understand and address significant risks facing the company – including those posed by cyber threats, which can be a core enterprise risk.
As cyber threats become more prevalent, directors are increasingly expected to take reasonable steps to respond to and mitigate cyber-related risks, including:
- Staying informed about cyber risks relevant to the business
- Ensuring the company has robust cyber security policies and procedures
- Overseeing the implementation of staff training and incident response plans
- Monitoring compliance with data protection and cyber security legislation
- Responding promptly and effectively to any cyber incident
- Considering managing cyber-related risks by purchasing appropriate cyber insurance
Failure to do so could potentially be construed as a breach of duty, with the company’s regulatory breach as evidence.
Enforcement and regulatory trends
Across common law jurisdictions, there appears to be a growing willingness to hold individual directors responsible for the company’s contravention.
- The Australian Securities & Investments Commission (ASIC) has pursued directors for breach of duty under Section 180(1) of the Corporations Act 2001 where a director has caused or permitted a company’s contravention of laws. For example, a director was found to have failed to exercise the duty of care and diligence required to fulfil a company’s disclosure obligation to the Australian Securities Exchange.[1] The ASIC chair made clear in 2023 that the commission will take legal action against directors and boards if they fail to take reasonable steps in fulfilling their cybersecurity-related obligations.[2] In 2022, the Federal Court of Australia found that a financial services licensee breached sections 912A(1)(a) and (h) of the Companies Act by failing to have adequate documentation and controls in respect of cybersecurity and cyber resilience in place.[3] This case paves the way for the ASIC to take further action against the directors and officers of the financial services licensee for failing to fulfil their statutory duty under Section 180(1) of the Corporations Act.
- In 2022, the US Federal Trade Commission (FTC) took enforcement action against an online alcohol marketplace and its CEO for security failures that led to a data breach exposing the personal information of about 2.5 million consumers. While the enforcement action was resolved by agreement, the FTC’s complaint alleged that the CEO was “responsible for the failure as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices.”[4]
- The High Court of Ireland in Nolan & Ors v Dildar & Ors [2024] IEHC 4 imposed personal liability on a director for breach of the Data Protection Acts 1988 and 2003.
- UK regulators, including the Information Commissioner’s Office, the Financial Conduct Authority and the Prudential Regulation Authority, have emphasised that cyber risk is a board-level issue. The UK government has issued a Cyber Governance Code of Practice which sets out expectations for the board’s management of cyber risks.[5]
- In Hong Kong, the Hong Kong Monetary Authority (HKMA), Securities and Futures Commission (SFC) and Insurance Authority (IA) also expect the board of directors or senior management to be responsible for the company’s cybersecurity. For instance:
  - Supervisory Policy Manual Module TM-C-1 sets out the HKMA’s policy and approach for supervising the management of cyber risk by authorised institutions. The HKMA also expects the board of directors to be ultimately responsible for understanding the risks faced by authorised institutions and ensuring they are properly managed.[6]
  - The Report on the 2023/2024 Thematic Cybersecurity Review of Licensed Corporations, published by the SFC earlier this year, also highlighted cybersecurity vulnerabilities that indicate there is insufficient oversight by senior management of licensed corporations, and stated that it will develop an industry-wide cybersecurity framework to guide the management of cybersecurity risks.[7]
  - The IA’s Guideline on Cybersecurity (GL20), effective since 1 January 2025, also makes clear that “the board of directors of an authorised insurer should hold the overall responsibility for cybersecurity controls and ensure accountability within the insurer by articulating clear responsibilities and lines of reporting and escalation for cybersecurity controls.”
Conclusion
Regulators around the globe clearly expect cybersecurity to be an agenda item for the board – and the enforcement cases illustrated here show that a company’s contraventions or breaches of legal requirements arising from cyber incidents expose individual directors to stepping stone liability.
We believe it will only be a matter of time before Hong Kong regulators and courts introduce the stepping stone doctrine holding individual directors liable for breaches in relation to cyber incidents.
Mitigating risks: Practical steps for directors
To minimise the risk of stepping stone liability arising from cyber incidents, directors should:
- Regularly assess and update the company’s cyber security framework to ensure risks are identified and properly managed
- Ensure cyber risk is a standing item on the board agenda and sufficient resources are allocated for cybersecurity
- Engage independent experts to conduct security audits and penetration testing
- Document all board discussions and decisions regarding cyber security
- Provide regular training for staff and management on cyber threats and incident response
- Ensure there are clear and sufficient internal policies and procedures for responding to cyber incidents such as a ransomware attack
- Stay abreast of legal and regulatory developments in cyber and data protection law
Directors should also review their directors’ and officers’ liability insurance to ascertain whether claims or regulatory enforcement actions for stepping stone liability arising from cyber incidents are covered.
References
[1] ASIC v Big Star Energy Ltd (No 3) [2020] FCA 1442
[2] ASIC to target boards, execs for cyber failures
[3] ASIC v RI Advice Group Pty Ltd [2022] FCA 496
[4] FTC’s Complaint, paragraph 4
[5] Ministerial letter on cyber security, GOV.UK
[6] Supervisory Policy Manual Module TM-G-1, paragraph 1.3.3
[7] SFC flags cybersecurity incidents involving licensed firms and resulting business disruptions in thematic review report, Securities & Futures Commission of Hong Kong