Executive summary
Currently in Israel, there is no comprehensive body of case law or established legal precedent to guide Directors and Officers (“D&Os”) regarding potential exposures arising from cyber risks. This lack of clarity creates significant uncertainty for D&Os on the boards of companies in Israel and highlights the need for regulatory and / or legislative intervention to provide a clear framework, particularly given the expectation of significant claims being pursued following cyber events.
Background
In recent years, there has been an escalation in cyber events in Israel which, together with technological advances, has significantly changed society and exposed management personnel to new and dangerous risks. Historically, responsibility for such incidents was principally the domain of a company's IT department. Today, however, Israeli board members are seen as having an important role in preventing, managing and resolving these kinds of incidents, which can cause not only large financial losses but also damage to reputation and trust, and which can lead to legal action against D&Os.
In common with other countries, typical cyber incidents in Israel include:
- ransomware attacks, in which attackers encrypt or lock systems and data and demand a ransom for their release;
- phishing attacks, in which attackers impersonate legitimate senders (typically by email) in order to steal credentials or other sensitive information; and
- Distributed Denial of Service (DDoS) attacks, which take systems offline by flooding them with artificial load.
Notably, on 17 February 2025 the National Cyber Directorate in Israel published its annual report, which found a 24% increase in reports of cyber incidents in 2024.
Against this backdrop, many Israeli companies are prudently reassessing their risk management procedures, ideally informed by a deep understanding of cyber risks, so that they are able to adapt and respond quickly to a cyber event.
In addition, as set out further below, in the absence of judicial authority, the Israel Securities Authority has issued guidelines clarifying that the board of directors is responsible for formulating cyber policy, overseeing risk management and ensuring an appropriate response to threats.
As cyber incidents grow in number and sophistication, it is expected that D&Os and companies in Israel will continue to prepare for such risks and, where appropriate, to engage proactively with experts and consultants in the cyber field in order to understand and address potential exposures.
Recommendations to directors from the Israel Securities Authority
Since January 2024, the Israel Securities Authority has recommended that D&Os of in-scope corporations (i.e. corporations which offered shares pursuant to an IPO or whose securities are publicly traded) ensure strict controls over security systems, ensure that the organisation complies with regulatory standards, and ensure that actions are taken to prevent attacks and to manage cyber incidents in emergencies.
In light of increasing risks and regulation in the field of information security, the Israel Securities Authority recommends the active involvement of D&Os in managing cyber risks. This includes: supervising the conduct of risk surveys; determining an annual work plan and monitoring its implementation; operating an information security system with the assistance of experts and outsourced services; establishing systematic procedures for handling cyber incidents; and disclosing and reporting to the investing public on the risks, the steps taken to mitigate them, and the internal controls for risk management. These obligations sit alongside requirements for adequate disclosure in periodic reports on risks, ratings and response plans. In addition, disclosure is required of the education, experience, skills and expertise of D&Os in information security and cyber.
Guidance to directors from the Israeli Privacy Protection Authority
The Israeli Privacy Protection Authority requires certain companies (those which process personal information or whose activity may increase the risk to privacy) to establish, as a matter of routine, internal control and supervision mechanisms in order to monitor the company's compliance with all legal provisions in the field of information security. The board of directors can be held liable in two particular situations: (i) if the board has failed to put in place systems of control and information regarding regulatory compliance; and (ii) if the board has failed to supervise the implementation of those systems.
The Israeli Privacy Protection Authority can impose a fine of up to ILS 320,000 (c. USD 92,000 / c. GBP 68,000 at current rates) on D&Os for each individual violation (the company itself could be exposed to even greater fines).
Directors, cyber, and case law in Israel
Various parties could potentially commence legal proceedings against D&Os as a result of management failures leading to losses derived from cyber events, such as the public, shareholders (including on behalf of the company itself in the form of a derivative action) and regulatory authorities.
Absent an established body of case law regarding directors' duties in relation to cyber risks, an Israeli court will need to determine the minimum standard of conduct expected of D&Os in the field of cyber when assessing their potential liability for cyber incidents / information security breaches. As part of this, we expect an Israeli court to have regard to what measures and actions could reasonably have been taken to mitigate the risks.
The following are key issues which we expect an Israeli court will wish to examine:
- the extent to which a D&O is required to have technical knowledge and personal involvement in the cyber field;
- the circumstances and extent to which a D&O can rely on advice from external experts and whether such reliance presents a defence in legal proceedings;
- what degree of involvement is required from a D&O in the management / supervision of a company's cyber activities (e.g. daily, monthly), or whether a periodic review of the security and risk policies is sufficient (this issue highlights potential differences between a director's responsibility in the cyber field and in other areas, such as responsibility for the company's financial systems and / or its regulatory management);
- what evidence is available to show whether a D&O has fulfilled their supervisory duties;
- whether formal approval of cyber risk management plans is sufficient, or whether greater involvement is required, particularly in the event of exceptional events; and
- to what extent publicly available guidance, e.g. from the Israel Securities Authority / Israeli Privacy Protection Authority, should be considered when determining whether D&Os have acted in good faith and reasonably to manage cyber risks.
The existence of these kinds of open questions highlights the need for regulatory or legislative clarification to provide a clear framework for D&Os, particularly given the significant potential ramifications for D&Os of court rulings following cyber incidents.
Indeed, the uncertain legal landscape accentuates the risks facing D&Os, as plaintiffs may be able to take advantage of the lack of clear guidance on directors' duties and on the availability of any defences in the cyber field.
Our expectation is that, as Israeli courts consider the scope of directors' duties, they will expand the scope of responsibility of the bodies entrusted with the management of the company (principally, the board). In addition, the courts will seek to define the actions D&Os must take in order to obtain legal protection, i.e. to show that they acted reasonably and took appropriate measures to protect the company and to avoid damage to it and to third parties as a result of a cyber incident.
Insurance considerations
From an insurance perspective, we expect to see an increased demand for D&O liability policies being broadened to specifically cover cyber incidents and legal expenses for exposures arising from associated shareholder or regulatory actions.
Companies will wish to consider the appropriateness of their cover in the context of possible international cyber-attacks, especially those operating globally.
An increase in the duties of D&Os in respect of cyber events could also lead to increased demand for professional liability policies by the experts and consultants who provide cyber risk services to companies. Companies and D&Os may also require these service providers to undertake to indemnify them for losses arising from a cyber event that the providers failed to prevent, and to name the companies and / or D&Os as additional insureds on the service providers' policies, covering them for claims brought against them by third parties.