Directors’ Duties and Cybersecurity in the Age of Criminal Chatbots
AI-powered tools like Anthropic's Claude have already been weaponised to execute large-scale cyber espionage with minimal human input.
Boards now face machine-driven attacks at industrial scale, alongside the familiar threat of individual hackers. In both the UK and the EU, directors' duties are increasingly read as including the analysis and management of cybersecurity risk.
In the UK, both the Companies Act 2006 and the new Cyber Governance Code of Practice place cybersecurity oversight with the board: the Act through its general duties, and the Code, which is voluntary, through detailed guidance on how those duties can be discharged. The Code sets out practical steps for boards, covering everything from risk management to incident response, and gives directors a blueprint for demonstrating that they have exercised reasonable care, skill, and diligence in managing cybersecurity.
Across the EU, the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA, a directly applicable regulation rather than a directive) go a step further, holding directors personally accountable for cyber and ICT risk in some cases. Non-compliance can lead to fines of up to EUR 10 million or a percentage of global turnover, which for large entities runs into the tens of millions of euros, and in some jurisdictions to a temporary ban on holding management roles.
Directors' Duties Meet AI-Driven Cyber Risk
When an AI agent can autonomously carry out 80-90% of a complex cyber attack, the dynamic in the boardroom must shift. Anthropic's 2025 report on an AI-orchestrated espionage campaign described how its Claude Code tool was manipulated into running intrusion activity for hours with only occasional human oversight, against targets including government agencies, financial institutions, and technology firms.
This is not a hypothetical threat. It is the real-world context in which regulators, courts, and investors are now interpreting directors' duties in both the UK and the EU.
In England and Wales, directors operate within the well-established framework set out in sections 171–177 of the Companies Act 2006. At first glance, these sections might seem unrelated to cybersecurity, but two duties are key.
Duty to Promote the Success of the Company (s.172): This requires directors to have regard to, among other things, the company's reputation and its relationships with customers and suppliers, and is now widely read as extending to safeguarding customer data, operational resilience, and those essential relationships against cyber incidents.
Duty to Exercise Reasonable Care, Skill, and Diligence (s.174): This requires directors to understand the organisation's cyber risks, seek informed assurance, and ensure that proportionate measures are in place.
The UK Cyber Governance Code of Practice
A significant milestone in 2025 is the government's Cyber Governance Code of Practice, developed with the National Cyber Security Centre (NCSC).
Though voluntary for now, the Code translates the abstract duties under the Companies Act into concrete board-level actions across five themes: risk management, strategy, people, incident planning, and assurance.
- Risk and Strategy: Boards are expected to identify critical assets, set a cyber risk appetite, incorporate cyber risks into enterprise risk management, and approve a cyber strategy aligned with business goals.
- People and Culture: Directors should complete cyber training, promote positive security behaviours, and clarify roles and responsibilities for cyber oversight at both executive and non-executive levels.
- Incidents and Assurance: The Code expects incident response plans to be tested regularly, and for boards to receive structured reports on cyber risks and incidents (at least quarterly).
The NCSC explicitly links adherence to the Code with fulfilling the duty to exercise reasonable care, providing directors with a clear path to demonstrate sound governance of cyber risks.
EU NIS2 and DORA – When Liability Gets Personal
For UK-based directors with operations or regulated clients in the EU, the legal obligations are even sharper.
NIS2 – Cyber as a Boardroom Obligation
The NIS2 Directive, which member states were required to transpose into national law by October 2024, broadens the scope of "essential" and "important" entities and places significant new expectations on senior management.
- Management bodies must actively approve and oversee cybersecurity risk management measures, rather than merely signing off on a policy once a year.
- Fines for essential entities can reach the greater of EUR 10 million or 2% of global annual turnover (EUR 7 million or 1.4% for important entities), and regulators in some jurisdictions can temporarily bar individuals from managerial roles at essential entities.
- Every member of the board, executive or non-executive, could face personal exposure if regulators conclude that they were passive or disengaged from cyber oversight.
NIS2 is not just about technical policies; it mandates cybersecurity as a central element of corporate governance.
DORA – ICT Risk in Financial Services
DORA, applicable from 17 January 2025, places the boards of EU financial entities firmly in charge of ICT risk management.
Boards must define, approve, and oversee the ICT risk management framework, approve and periodically review its budget, supervise arrangements with third-party ICT providers, and review the documented framework at least once a year. That documented record can be scrutinised during enforcement actions or litigation.
DORA leaves the level of administrative penalties to each member state, which must make them effective, proportionate, and dissuasive; several national regimes are expected to mirror NIS2-style fines of up to EUR 10 million or 2% of global turnover. Moreover, because DORA requires board members to maintain sufficient knowledge of ICT risk, regulators will scrutinise their competence and may question their suitability for office if they lack it.
AI-Enabled Threats and What "Reasonable Care" Now Looks Like
The Anthropic case serves as a clear illustration of how AI changes the scale and speed of cyber risks. AI tools like Claude Code can automate everything from reconnaissance to credential theft, with humans stepping in only where strategic decisions are needed.
Security experts now refer to these as "AI-orchestrated cyberattacks": a distinct class of threat characterised by deep automation, on-the-fly exploit generation, and rapid lateral movement within enterprise networks.
For directors, this shift has two immediate consequences:
- "We didn't know it could happen" is no longer a defence. Regulators and the NCSC are issuing public warnings and providing board-focused toolkits.
- The meaning of reasonable care evolves. As AI-driven attack methods become widely understood, boards will be expected to adapt their controls, budgets, and supplier due diligence accordingly.
Practical Steps for UK Boards
To ensure a robust defence against AI-driven cyber threats, directors in England and Wales should aim to demonstrate the following:
- Appoint a cyber lead, establish a clear governance structure, and ensure regular, structured reporting on cyber risk, incidents, and remediation efforts.
- Approve a board-level cyber strategy, aligning it with business objectives and supporting it with sufficient resources for technology, staff, and testing.
- Ensure the organisation has a tested incident response plan that accounts for AI-enabled attacks, third-party breaches, and regulatory notification timelines, and document every exercise.
- Assess the cyber risk of key suppliers, data centres, service providers, and AI tools. Ensure that contracts impose robust security obligations on them and that ongoing monitoring covers them.
FAQs
Are there specific "cyber duties" in the Companies Act 2006?
No. While the Act outlines general duties, regulators and the NCSC now interpret the duty of care and the duty to promote success as including clear, documented oversight of cyber risks, given their impact on operations, data, and reputation.
Is the UK Cyber Governance Code of Practice mandatory?
No, it is voluntary for now. However, it is considered a best practice reference for boards, and legal commentators suggest that alignment with the Code can be persuasive evidence that directors have exercised reasonable care.
Can directors be personally liable under NIS2?
Yes, in certain EU jurisdictions, individual directors can be penalised if they fail to demonstrate active involvement in cyber risk management and NIS2 compliance. Some countries also impose temporary bans on non-compliant directors.
Does AI change what "reasonable" cyber governance looks like?
Yes. As AI-enabled attacks become more widely documented, regulators will expect boards to account for these risks in their assessments and incident plans, particularly in sectors that handle large volumes of sensitive data or operate critical infrastructure.
What simple step should a UK board take first?
Many advisers recommend starting with a board briefing and a gap analysis against the Cyber Governance Code of Practice. From there, directors can develop a short action plan with clear ownership, timelines, and regular updates to the board.