The risk of cyber-attacks is very well publicised and the travails of M&S, JLR and others are all over the press at the moment. Everyone is checking their systems and IT security in the hope of not becoming the next ransom victim.
What is less publicised, however, is how the boards of those entities targeted by cyber-attacks, and also third parties who financially rely on those parties (as demonstrated by the JLR shutdown), should react to the financial turmoil caused by those attacks.
All of those entities may have been in rude financial health and may not have previously had to worry about solvency or personal liability for directors. Now, these issues are probably at the forefront of their directors’ minds.
The legal position
When solvent, directors’ duties are set out in the Companies Act 2006 and, fundamentally, revolve around acting in the best interest of the company and its shareholders, in addition to the various stakeholders set out in the legislation.
If a company is facing an insolvency process then those duties switch and the predominant duty is owed to the creditors as a whole.
When is a company insolvent? Either when it cannot pay its debts as and when they fall due, or its liabilities are greater than its assets on its balance sheet at any given time.
A company is a separate legal entity and its directors and shareholders are not normally liable for its debts. That is limited liability and why individuals conduct business through companies.
However, in certain situations, the directors can be personally liable. Two examples of this arise in an insolvent situation.
The first is misfeasance, where a director has failed to act in the best interest of creditors. The second is wrongful trading where the director knew (in their own mind) or should have known (assessed against the reasonably competent director, that the company would not avoid an insolvency process and did not take every step to minimise losses to creditors.
If a company is insolvent, or at risk of becoming insolvent, then the most prudent approach for directors to take, is to have the interest of creditors in mind, if not at the front of their mind.
Furthermore, if a company enters an insolvency process, then a report may be prepared on the conduct of its directors and others involved in its decision-making processes by the relevant insolvency officeholder. This report - if adverse - could result in disqualification proceedings being taken.
Approach
If a company suffers a traumatic event like a cyber-attack, or a cyber-attack on a key customer or supplier, then the directors should be ready to assess the current financial position of the company based on the consequences to evaluate whether the company is insolvent or at risk of insolvency.
If that is the case then advice should be sought. Just because a company is insolvent or at risk of insolvency does not mean that that company has to go into an insolvency process. However, the directors should protect themselves from personal liability in calculating how their business can survive and trade through an event like a cyber-attack.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.