Tech, Media and Comms

Cybersecurity: the challenge for boards of directors of listed companies in Spain

Published on 21st Dec 2023

Companies need to adapt corporate governance policies constantly to face the challenge posed by the digital revolution

Blurry numbers on digital screen

The digital revolution, among other issues, has brought a series of increasingly complex risks and has highlighted the importance of the cybersecurity-related risks faced by companies. Due to the rapid evolution of these factors and the risks inherent to them, companies are forced to adapt their corporate risk management procedures and strategies and, ultimately, their corporate governance policies constantly.

Concept of good corporate governance

In general terms, good corporate governance encompasses a set of rules, principles and recommendations that aim to regulate the structure and proper functioning of a company's governance and management bodies.

The main objectives for adopting this type of decisions and procedures are: improving the company's competitiveness; enriching the company's relationship with its domestic and foreign shareholders and investors, as well as with other stakeholders, by applying principles of transparency; and optimising the entity's internal control and corporate responsibility.

Good corporate governance is an inalienable part of the strategy and day-to-day business of companies and especially of listed companies. It is not only a trend and common practice internationally: it was brought into the Spanish legal system in 2014 with the approval of Law 31/2014, of December 3, which amended the Spanish Companies Act to improve corporate governance.

The law, among others, incorporated:

  • the non-delegable authorities of the board of directors of listed companies, which include determining the risk control and management policy and the corporate governance policy of the company (article 529 ter.1 b) and c)); and
  • the obligation to prepare and publish an annual corporate governance report in which the listed company must indicate, among others, the degree of compliance with the corporate governance recommendations established in the Good Governance Code of Listed Companies approved by the Spanish Securities Exchange Commission (Comisión Nacional del Mercado de Valores), or, if applicable, the explanation for the lack of compliance with such recommendations (article 540).

Cybersecurity: a new challenge

As a result of the digital revolution, cybersecurity-related risks have become one of the most complex risks faced by listed companies because of the potential impact and the consequences not only on the organisation itself but also on its stakeholders, who may be affected by the organisation's activities. Cybersecurity is nowadays a strategic priority for listed companies, with the board of directors – and by delegation, the audit committee – ultimately responsible for its management and supervision.

Furthermore, domestic and international regulators are constantly developing new regulations with the aim of strengthening the cybersecurity of organisations. Many of the regulatory developments and changes in this area have been prompted by the increasingly frequent and costly negative effects borne by organisations, either as a result of cyber-attacks or inadequate internal management of cybersecurity risks.

For example, the revised Network and Information Systems Directive, known as NIS2, aims for high-level cybersecurity and to eliminate divergences in implementing the repealed NIS1 is pending to be transposed into Spanish law.

In the US, the regulation adopted by the Securities Exchange Commission in July 2023 requires foreign private issuers whose shares are listed on a US stock exchange to disclose any material cybersecurity incident and any annual information on cybersecurity risk management, strategy and governance.

Good Governance Code on Cybersecurity

On 13 July 2023, the Spanish Securities Exchange Commission published the Good Governance Code on Cybersecurity (GGCC), which has been drawn up by the National Cybersecurity Forum and is presented as a "guide of principles aim at supporting a cybersecurity governance model". Its main target audience is the governing bodies of organisations and, in particular, the boards of directors, who are ultimately responsible for the cybersecurity risk management, since, the determination of the risk control and management policy is a non-delegable power of these bodies.

The GGCC states that "it is neither a definition of a new standard of controls nor an implementation manual". On the contrary, it provides a series of voluntary principles and recommendations aimed at supporting a model of good governance of cybersecurity, ensuring that companies have robust cyberattack prevention, detection and response measures in place. In short, it is a roadmap for the boards of directors and senior management on how to manage cybersecurity risks.

The role of the board of directors

Cybersecurity is a key aspect within the boards of directors of listed companies as it forms part of the company's strategy, risk management and corporate governance policy. All of these are non-delegable authorities and the responsibility of the boards of directors.

Given its increasing importance on the agenda of the boards of directors' meetings, the GGCC recommends that companies have at least one member of the board of directors with experience in cybersecurity management to support and validate the objectives prior to their approval by the management team. Incorporating a member with this profile on the board of directors can add value to its composition, contributing to the professionalisation of its competence matrix.

In practice, the supervision of cybersecurity-related risks falls on the audit committee of listed companies, since, pursuant to article 529-quaterdecies 4 b) of the Spanish Companies Act, the audit committee is responsible for supervising the internal control systems of the company. The GGCC also recommends that companies have a unit in charge of the cybersecurity issue and that its head should be the chief information security officer.

Osborne Clarke comment

We are facing the consolidation of the cybersecurity as one of the cornerstones of risk management and of the strategy of the management bodies of listed companies. Regulatory developments in cybersecurity are likely to lead to the establishment of new obligations and new responsibilities as well as the introduction of new profiles that are increasingly in demand on the board of directors of listed companies.

Share

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?