Responsibility of the board of directors against cybersecurity risk. Recommendations.
In 2022, a record number of cyberattacks was reached. There was a particularly notable increase in those based on obtaining employee credentials, installing malware, phishing, smishing, or denial of service.

Record year for cyberattacks in 2022
It is worth noting the interest that criminals have in targeting employees, and the resulting risk to the supply chain. This approach enjoys great success among cybercriminals, as it offers a high return on investment and is relatively low-risk for them.
Some of the world's largest and best-known companies fell victim to cyber incidents. No one is safe: Apple, Cisco, Meta, Samsung, Twitter, and Uber, among others. But individuals and SMEs are also frequent targets of attacks.
Increasing sophistication and global impact
Cyberattacks have become increasingly sophisticated, often causing immense damage to businesses and governments around the world.
In May 2022, for example, the Costa Rican government was forced to declare a state of emergency after a criminal group attacked its institutions with ransomware.
Businesses suffer significant consequences not only from the data breaches themselves, but also from the litigation that often ensues. For example, T-Mobile settled a class action lawsuit last year after a data breach for $350 million.
Regulatory pressure and legal consequences
Governments and regulatory agencies have also taken note of the problem and are increasing pressure on companies to respond effectively to cybersecurity incidents. Among these pressures, the imposition of heavy fines stands out in cases where due diligence in prevention cannot be demonstrated.
Boards of directors worldwide are facing shareholder complaints, particularly in the U.S., for alleged breaches of their cybersecurity oversight duties.
According to a U.S. court decision, managers may face personal liability for failing to prevent damage, especially in cases involving a lack of diligence or bad faith. Bad faith may be established if the board “completely failed” to implement monitoring or reporting systems, or if there was inadequate oversight of cybersecurity.
High-profile case: Marriott International
In one notable example, plaintiffs sued after a data breach at Marriott International exposed the personal information of up to 500 million guests. They accused management of “failing to fully discharge its oversight responsibilities, turning a blind eye to known compliance violations, or knowingly failing to remedy the cybersecurity flaw.”
This contrasts with the strategy of companies that proactively address cybersecurity risks across their entire attack surface.
Bad practices to avoid
Court decisions have outlined certain bad practices to avoid:
- Failure of committees with cybersecurity oversight responsibilities to report regularly
- Ignoring industry warnings
- Failing to conduct appropriate cybersecurity due diligence when acquiring another company
Cybersecurity should be treated as a critical risk that businesses and boards of directors actively manage and monitor.
Legal standards and industry regulations
Lawsuits often allege violations of “positive law” by referencing industry standards and legal requirements established by regulators.
Proposed rules would impose new cybersecurity requirements on businesses, including:
- Regular reporting on policies and procedures for identifying and managing cybersecurity risks
- The role and expertise of management in assessing and managing cybersecurity risk
- Implementation of security policies and procedures
Board responsibilities and reporting
Organizations must ensure that the board, or designated committees with cybersecurity responsibilities, receive appropriate management reports. At a minimum, these reports should address:
- External risks
- Supply chain cybersecurity
- Plans for implementing adequate protections against cyber intrusions
- Internal risks
- Cybersecurity programs and cyber insurance coverage
- Training and awareness initiatives
NIS2 regulation: Oversight and accountability
For the first time, NIS2 specifically places obligations on management bodies, including C-suite members, to implement and comply with enhanced security measures and acknowledges the possible consequences of non-compliance.
According to the Official Journal of the European Union:
“Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity with powers to represent it, the authority to make decisions on its behalf or the authority to exercise control over it has powers to ensure that it complies with this Directive. Member States shall ensure that such natural persons can be held liable for their breach of their duty to ensure compliance with this Directive.”
Kymatio’s recommendations
From Kymatio, we highlight the need to address:
- Adoption of a wide variety of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management, and user awareness
- Organizing staff training and raising awareness about cyberthreats, the illicit capture of confidential data, and social engineering techniques