Four people are seated at a table in a meeting room, while a presenter speaks in front of a screen.

Cyber Liability on the Board of Directors: More Tools Won't Protect You

Cyber Liability on the Board of Directors: More Tools Won't Protect You

Yannick H.,

Too Long; Didn't Read

Since Swiss law extended the Board of Directors' duty of care (Art. 717 CO) to cybersecurity and the new FADP introduces personal fines of up to CHF 250,000 for the responsible individual, cybersecurity has become a liability issue for the board, not just an IT issue. In an emergency, one thing above all will protect you: written proof that you acted with due diligence. With every cyber-related decision made by the board, ask yourself: Could we prove this in court?

ODCUS Blog-Artikel Titelbild

The meeting nobody wants to lead

Imagine the board meeting taking place three weeks after a ransomware incident. Production has been at a standstill for five days. Customer data has been leaked. The insurance company is asking questions that nobody can answer properly.

And then comes the sentence everyone in the room has been dreading: "Who was actually responsible here?"

The usual answer is "IT". In our experience, this is exactly the moment when most board members understand for the first time that this answer no longer protects them. In recent years, cybersecurity has quietly shifted from a technical question to a liability question. And liability cannot be delegated.

Why "IT is handling it" no longer works as a defense

Today, the board of directors' duty of care under Art. 717 CO explicitly includes cybersecurity. This includes defining a cyber strategy, ensuring regulatory compliance, and establishing clear guidelines on how cyber risks are identified, assessed, and monitored. These are not tasks you hand off to the IT department. These are supervisory duties that remain with the board.

In addition, there is the revised Swiss Data Protection Act (revDPA). The revDPA provides for fines of up to CHF 250,000, specifically against the responsible natural person. Not against the company. Against you, with your personal assets. Anyone who ignores known risks or underestimates the relevance of the topic can be held personally liable after an incident.

For operators of critical infrastructures, the Information Security Act further tightens the situation. An ISMS is mandatory by the end of 2026, the reporting obligation for cyberattacks is already active, and fines have been in force since autumn 2025.

The numbers give the topic a sense of urgency. The National Cyber Security Centre (NCSC) recorded a record high of reported incidents for 2025. It is therefore not a question of whether your company will be targeted, but when.

The expensive reflex: buying more after the incident

At this point, most boards make the same logical error.

After an incident, board members reach for the most obvious lever: they spend more money. A new tool. Additional security. Another vendor promising that something like this will never happen again. The board feels better afterwards because they have taken action.

The problem: more security spending hardly reduces your personal liability risk. After an incident, a court does not ask how many tools you have licensed. It asks whether you fulfilled your duty of care. Those are two completely different things.

A company can operate seven overlapping security products and still be liable because nobody ever documented what risks the board knew about, what decisions they made, and why. Another company can get by with significantly fewer tools and be well-protected because its due diligence is seamlessly documented.

Money buys tools. In a liability case, however, something else counts: your documented due diligence.

What actually protects you: proof of due diligence

In the event of a lawsuit against the board of directors, only one currency counts: seamless, written proof of the due diligence exercised. Verbal agreements, informal updates, or a vague "we talked about it" are worthless in court.

Specifically, this means your board should be able to prove:

  • that key cyber risks were identified and addressed within the board of directors

  • that there is a cyber strategy approved by the board

  • that reporting to the board of directors is done regularly, not just when there is a crisis

  • that decisions made, including consciously accepted residual risks, are documented

This is not extra effort for the sake of effort. It is the shift away from "we are spending, so we are protected" to "we can prove that we are acting diligently". This exact shift relieves you personally.


Dokumentierte Sorgfalt schützt den Verwaltungsrat, nicht die Anzahl der Sicherheits-Tools

Figure: What protects the board of directors in a liability case is documented due diligence, not the number of security tools deployed.

And here the circle closes back to the budget. If actual protection consists of structure and proof rather than additional licenses, then the right question is not "What else do we need to buy?", but "Do we have what we already have under control and documented?". In many mandates, real security starts with cleaning up existing tools and properly documenting due diligence, not with buying new ones. More protection, fewer tools, lower costs is not an argument for saving money, but a more effective defense.

What this means for your next meeting

You do not need to become a cyber expert. That is not the expectation of a board member. The expectation is that you ask the right questions and document the answers.

Three questions are enough to start with. Do we know our biggest cyber risks, in writing? Is someone reporting to us regularly about this, in a language the board understands? And would we be able to prove that we acted diligently after an incident?

If the answer to any of these questions is hesitation, you have a gap. Not a technical gap. A liability gap.

This is exactly what the security reporting to management and the board of directors is for, as we set it up in our CISO mandates. It translates the risk situation into business and liability language while recording that the board was informed and took action. The report is the security measure and the proof of due diligence in one.

(You can find more on the structural framework in our articles on IT Governance for SMEs and on the revDPA.)

The honest question

Picture the meeting after the incident once again. The question "Who was responsible?" is in the air.

The answer that protects you is not "We had the best software". It is "Here is documented what risks we knew, what decisions we made, and why".

Which of these two answers could your board of directors give today? Your answer decides whether cybersecurity is a manageable supervisory topic for you or a personal liability risk that you don't see yet.

If you want to know where your board stands on this, get in touch with us. An initial conversation is non-binding.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Two men are sitting together in a cozy setting, smiling and enjoying a conversation over drinks.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Two men are sitting together in a cozy setting, smiling and enjoying a conversation over drinks.
Abstract design featuring vibrant purple and blue gradients with geometric shapes and lines.
The text reads: "Let’s begin our digital journey."
Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.

Abstract design featuring vibrant purple and blue gradients with geometric shapes and lines.
The text reads: "Let’s begin our digital journey."
Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.