Digital transformation positions cyberattacks as a critical business risk, raising accountability questions at the board level. This article aims to (i) map the synergy between the legal frameworks of the Limited Liability Company Law (UU PT), the Personal Data Protection Law (UU PDP), the Electronic Information and Transactions Law (UU ITE), and sectoral regulations in allocating the obligations to prevent, monitor, and report cyber incidents; (ii) formulate operational parameters for when negligence in cybersecurity governance qualifies as a breach of fiduciary duty (specifically the duty of care), to the point of implicating the personal liability of company organs and, in certain circumstances, the piercing of limited liability; and (iii) assess the limits of the Business Judgment Rule (BJR) as a post-incident safe harbor that rests on process-based evidence. This research uses a normative juridical method with three approaches: legislation (Law 40/2007 concerning Limited Liability Companies, Law 27/2022 concerning Personal Data Protection, the ITE Law and its amendments, and sectoral regulations), doctrinal (fiduciary duty and the BJR), and limited comparative (the GDPR and the Caremark doctrine on the duty of oversight).
The research findings indicate that: (i) failure to establish and oversee an adequate cybersecurity system can be viewed as a breach of the duty of care and, if accompanied by circumstances indicating abuse or bad faith, can strengthen the basis for attributing personal liability and open the possibility of piercing limited liability; (ii) the BJR protects only decisions and supervision made in good faith, based on adequate information, free from conflicts of interest, and accompanied by proportionate preventive measures; (iii) documented and deadline-sensitive compliance, including notification of personal data protection failures no later than 3x24 hours, reporting of financial services sector incidents, and disclosure of information to issuers regarding material facts, is a key evidentiary element for assessing the fairness of the process and the availability of the BJR; and (iv) the NIST Cybersecurity Framework and ISO/IEC 27001 can serve as objective benchmarks for assessing compliance with prudential standards. These findings offer courts a simple supervisory adequacy test, and offer Directors and Boards of Commissioners process documentation guidelines (process dossiers) that strengthen the defensibility of post-incident decisions and supervision.
Copyrights © 2026