Cyber risk management is an increasingly important challenge for organizations of all kinds and sizes. Corporate directors have a legal responsibility to ensure that their corporations have appropriate cyber risk management policies and practices and are prepared to respond effectively to cyber incidents. Corporate directors can obtain helpful guidance from regulators, industry associations and other organizations.

Cyber risks appear to be increasing in frequency, intensity and harmful consequences as a result of various circumstances, including increasing sophistication and complexity of cyber-attacks, increasing use of information technology (e.g. increased access points and use of third-party services and infrastructure) and data (e.g. customer personal information, payment information and Big Data), increasing regulation (e.g. regulated personal/financial information and security breach reporting obligations) and increasing legal liability (e.g. privacy breach liability). Commentators have said that there are only two kinds of organizations — those that have been hacked and know it, and those that have been hacked and don't know it yet.