Defining the Current Corporate IT Risk Landscape

Keywords: knowledge-based assets, IT risk, cyber risk, information security, management, identity theft, corporate espionage, social engineering, cyber attacks, denial of service, malicious mobile code, worms, virus

Abstract: Information has always been one of the most important assets a company possesses. Trade secrets, patents and ‘know-how’ are important business assets. In a post-industrial economy, however, knowledge-based assets have become crucial not only for the survival of any company, but also for its continued existence. Every company decision is based on reliable and accurate information. Moreover, today companies retain a significant amount of sensitive, confidential and classified information on their computer systems and networks. It therefore follows that anything that threatens the information assets of the company will directly endanger the performance and efficiency of the company. Unfortunately, corporate information assets are susceptible to various forms/types of cyber attacks. These attacks range from unauthorised access, malicious mobile code and inappropriate use to disclosure and information and/or data theft. The increased use of the Internet by companies highlights these vulnerabilities and renders the effective protection thereof all the more relevant. It is submitted that adversaries no longer launch cyber attacks for fame, but rather for financial gain. Companies need to strike a balance between the protection of sensitive and confidential corporate information and the availability of such information to stakeholders. Corporate information must be available to stakeholders, and in some instances the public, not only to encourage investment in the company, but also to comply with the company’s statutory duty of disclosure and transparency.
The importance of corporate information and the protection of its integrity against ever-increasing risks and threats necessitate that companies gain assurance that reasonable steps are taken to secure the corporate information assets. Failing this, the company and/or its employee(s) may face potential legal liability. This paper will first analyse the most prevalent cyber risks facing companies today before moving on to identify crucial legal questions that directors and members of top management must ask themselves in order to determine their potential legal exposure in instances of security breaches.