사이버보안 리스크와 이사회의 역할 - 試論的 고찰

Cybersecurity risks have emerged as a pivotal factor with the potential to significantly impact a companyʼs performance. Managing and mitigating such risks have gained prominence as a critical mission for corporate boards. Within the European Union (EU), NIS2 underscores the role of the board of directors in addressing cybersecurity risks. Drawing from the recent judicial trends emphasizing the duty of oversight in the state of Delaware, it is anticipated that legal precedents acknowledging board membersʼ breaches of duty due to inadequate internal control systems related to cyber security risks will soon materialize. In line with the proactive stance of Korean Supreme Court in recognizing directorsʼ liability for breaches of the duty of oversight, it is foreseeable that South Korea will follow a similar trajectory to the United States. In the context of cyber security risks, proactive risk management and the implementation of appropriate procedures hold more significance than retrospective accountability. The board should be cognizant of the importance of cybersecurity risks and devote attention to devising suitable procedures in light of the companyʼs operational circumstances for effectively managing such risks. However, as directors cannot become cybersecurity experts themselves, their role entails (i) posing pertinent questions to the management, thereby encouraging them to allocate the necessary resources for cybersecurity risk management, and (ii) securing the establishment of post-incident procedures aimed at minimizing damages in the event of a cyber security breach.