Supervisory not only in name anymore. Boards of companies will be responsible for cyber security.

Supervisory boards - statement by Marek Smolik of ICsec

The amendment to the Code of Commercial Companies, which entered into force on 13 October this year, equips supervisory boards with important responsibilities and controls that can help improve protection against hacker attacks.

The changes, modelled on regulations in force in, among other countries, Germany and the USA, are intended to adapt the relationship between management boards and supervisory boards to current business reality and to make it more precise. According to the legislator's intention, supervisory boards will no longer perform façade supervision but real supervision over companies, and will not be dependent on the management board.

Mutual control

Supervisory board members will certainly have more work. The amendment gives them new tools, but it also imposes new obligations related to the control of the company's activities. An important change is the introduction of the American "business judgment rule" into Polish law: supervisory board members, just like management board members, can be held liable not only for actions detrimental to the organization, but also for insufficient diligence in fulfilling their duties.

The reform leaves no room for negligence, either for management board members, who will be obliged to report regularly on the state of risk, or for supervisory board members, who will be obliged to enforce such reporting. When necessary, they will be able to draw on expert support. Under the amendment, supervisory boards will have the right to appoint, at the company's expense, external experts whose task will be to examine the management board's activities in terms of implementing the necessary technical and organizational measures, e.g. to maintain the highest level of resistance to cyberattacks.

Let's imagine the following situation: a member of the supervisory board requests that the management board present a risk analysis for the company in the field of cyber security. In addition, the supervisory board decides to hire an external advisor who will assess the management board's activities in this regard. In the current geopolitical situation, such action should be expected to be highly probable. On the one hand, members of supervisory boards may feel pressure to assess the company's functioning in strategic areas so as not to be accused of failing to exercise due diligence; on the other hand, management boards must report the company's risk analysis to the supervisory board. And this, as we know, covers a number of aspects, among which the security aspect is becoming more and more important – points out Katarzyna Berbeć from ICsec S.A.

Critical infrastructure targeted by hackers

Modern industrial enterprises are primarily a huge amount of data – transmitted, stored and processed. Packed with IoT (Internet of Things), artificial intelligence and machine learning, factories are a tasty morsel for cybercriminals. Therefore, the key category in risk management is the prevention of threats from hackers – comments Katarzyna Berbeć from ICsec.

The topic of industrial infrastructure security was only slowly emerging in the minds of company authorities. Due to insufficient cybersecurity resources, these cases did not have sufficient clout to make this area a priority. The introduced reform will affect investments in cyber security and will also force the improvement of staff qualifications in the field of threats and the ability to react to dangerous situations – believes Marek Smolik, member of the board and CTO at ICsec S.A., and adds:

The intensification of activities in this field in industry is necessary, not only taking into account geopolitical tensions and the related hacker attacks on industrial infrastructure, including critical infrastructure, but also due to the continuous technological progress in enterprises. Each cyberattack can mean a paralysis of the company's activity for several months and huge losses – financial, but also, which is important for every company, image-related, connected with publicizing the fact that the level of security in a given organization turned out to be insufficient. Moreover, in 2022 a very strong trend was observed related to the occurrence of wiper malware in cyberspace, also in industrial environments. A cyberattack using this technique is very dangerous – ransom negotiations are not even discussed here. I expect that 2023 will not be calmer in this regard.

– At the same time, let us remember that the new regulations may, but unfortunately do not have to, mean an increase in the level of cybersecurity in enterprises – notes Paweł Gruszecki, IP/TMT counsel at Domański Zakrzewski Palinka sp.k., and adds: – Everything depends on the awareness and knowledge of supervisory board members as to how and when to intervene effectively to improve cybersecurity in a supervised company. It is also not difficult to imagine a situation where the new powers will be used, for various reasons, to undermine the right actions of the management board in this regard. Let's hope, however, that the mere fact of bearing this responsibility will ensure coherent cooperation between the various bodies of the company. The above can be achieved, for example, through the implementation and application in a given company of transparent supervisory procedures, appropriately adapted to the regulations, that relate to the security of information systems.

The British learned how fraught the consequences of negligence in the area of cybersecurity of critical infrastructure can be. In August 2022, South Staffordshire Water was hacked. Cybercriminals managed to gain access to SCADA systems by exploiting a network security vulnerability. They extracted 5 terabytes (TB) of data, which translated into the potential to cause damage to 15 million people in southern England.

Efficient security measures saved Ukraine. On February 23, 2022, one day before the Russian invasion, thanks to efficient network traffic monitoring it was possible to thwart an infection attempt using the Wiperwave software, whose mission was to damage the operating systems of 70 organizations at the national and regional level by erasing data and programs without the possibility of restoring them. If this attack, named Industroyer 2, had been successful, it would have paralyzed the key units of the state administration as well as critical infrastructure, including the energy system, which would have made it much more difficult to repel the military offensive of the Russian Federation troops.

Entities which, under the provisions of applicable law, have the status of operators of essential services are for this reason the target of many sophisticated operations by cybercriminal groups more or less related to other countries – emphasizes Paweł Gruszecki, IP/TMT counsel at Domański Zakrzewski Palinka sp.k., and adds: – In the current situation, therefore, sorting out the role that the individual bodies of companies that are operators of essential services should play in the area of cybersecurity management seems to be an obligation, not a choice.
