ABCOO - Home

Cyber-Risk Oversight and Legal Liabilities of Board Members

It was not long before the world has faced with an outage on the DDOs systems of a tech giant and responsibility claims knocked the door of board rooms, it seems notably essential to remember the legal liabilities of the members of the Board of Directors (“Board”) in times of cyber-crisis. In this article, we examine legal liability of the Board members by staying with general principles in Joint Stock Companies (“JSC”).

According to Turkish Commercial Code (“TCC”), JSCs are managed and represented by the Board. As part of that power, TCC requires Board members to act in compliance with “duty of care” under the article 369 of the TCC. That being said, members are required to act as a prudent manager while exercising their duties (such as senior management of the company, supervising of management) and to protect the interests of company.

In order to prevent steady increase in rental fees, "The Law Amending the Attorneyship Law and the Turkish Code of Obligations" ("Law") has entered into force upon its publication in the Official Gazette dated 11 June 2022, numbered 31863. The Law has added Provisional Article 1 to Turkish Code of Obligations ("TCO") and thereby temporarily capped rent increase rates at 25% in residential units which were previously capped by the Consumer Price Index (“CPI”). As regulated, the increase in the rental fees determined under the lease agreements, which are renewed for a new lease period starting from 11 June 2022 to 1 July 2023, shall not exceed 25%. On the other hand, the cap regulated under TCO is still applicable and therefore, in the event that the annual average of CPI is lower than 25%, then the lower CPI rate will apply.

As great power comes with great responsibility, if Board members breach their obligations stipulated by law and the articles of association with fault (including negligence), they shall be liable to the company and shareholders as well as the creditors of the company for the damages incurred under the article 553 of TCC. TCC also stipulates that organs or persons who transfer a duty or authority arising from the law or the articles of association to another person based on the law shall not be liable for the acts and decisions of these persons, unless it is proved that they did not exercise due care in the selection of the persons who took over these duties and powers.   

Another restriction on liability is that no one can be held responsible for breaches of the law or the articles of association or corruption beyond his control; this non-responsibility cannot be overridden by justifying the duty of supervision and care.

Put simply, board members may not be held liable if they exercise their duties as diligent as a prudent manager. To better measure the duty of care, “business judgement rule” should be considered as well. On the facts of that rule, decisions taken by the Board members within their commercial discretion may not lead to liability, if the decision is (i) free from conflict of interest or not influenced by a third party, (ii) taken on the basis of appropriate and sufficient information, (iii) in the best interest of the company and (iv) made in good faith.

All things considered, since senior management and supervising is non-delegable and inalienable authority, cybersecurity oversight and data governance is a must for the Board to mitigate data-related legal risks. As a noteworthy example, establishing specialized risk or audit committee to oversee cyber risks, having cybersecurity experts on Board and risk management frameworks, regular reporting to the Board etc. may help Board to exercise appropriate oversight and management with due care.

Better Late Than Never

Legal 500 2024 EMEA Edition

Divorce Cases with Questions and Answers in Supreme Court Practice and Doctrine