The political focus on cyber security has continued this week with the Australian Government today publishing a discussion paper on Australia’s cyber security regulation and incentives. Whilst the paper canvases a range of initiatives, there is a clear focus on the role of directors and officers in preventing cyber incidents. In this news flash, we summarise reforms up for discussion and what they mean for directors’ and officers’ liability for cyber incidents.
For some time, we have been speaking about the theoretical exposure that directors and officers face in the wake of cyber incidents. In particular, directors’ obligations of care and skill found in section 180 of the Corporations Act 2001 (Cth), require directors to guard against key business risk. As a result, directors already are exposed to claims for damages and regulatory investigations if they do not ensure that their companies have appropriate systems in place to prevent and respond to cyber incidents (particularly in circumstances where multiple incidents may have occurred).
The burden is more acute for directors of AFSL holders. AFS licensees are required have in place systems and controls to manage business risks. APRA and ASIC have made it clear that cyber risks are a key systems and control issue as we discuss here.
In the discussion paper released today, the government has said that the present formulation of the obligations of directors and officers in respect of cyber risks are deficient because they:
lack clarity and specificity; and
are focused on obligations to shareholders and not customers or the public more generally.
In reaching this conclusion, the government points to research which shows that boards do not currently have an appropriate understanding of cyber risks and says that this creates a larger risk for consumers and the Australian economy. The paper proposes 3 options for addressing this issue:
the status quo (no action);
a voluntary cyber security governance standard for larger businesses; or
a mandatory standard for cyber security governance which would require businesses to put in place measures within a particular time frame.
The paper contemplates that any voluntary standards would describe the responsibilities and processes for managing cyber security risk, thereby supporting the role of company boards in overseeing cyber security risk. It is proposed that the standards be developed in consultation with industry and align with international standards.
The paper makes no comment on how any mandatory standard would be enforced or the penalties associated with any breach. Some commentators have suggested that it could operate in a similar manner to boards’ obligations in respect of workplace health and safety systems and controls.
The government is calling for submissions on the discussion paper by 27 August 2021 and is hosting a series of consultation events from next Friday (23 July).
There is currently significant political pressure on the government to take action in respect of cyber risk and its impact on the Australian economy – businesses and consumers alike. Late last month, Labor MP Tim Watts introduced a private members bill proposing a mandatory ransomware reporting framework, requiring notice to be provided to the Australian Cyber Security Centre upon payment of a ransom demand. See our further discussion here.
Creating a framework for greater individual responsibility has been a standard government response in the face of challenges such as this. Given the political pressure, we think it is unlikely that the government will opt for the status quo at the conclusion of the consultation period.
A mandatory approach represents a significant shift from the current obligations and creates a high compliance burden. This may prove unpalatable for a government which considers itself pro-business. That said, we expect that the imposition mandated obligations in this space will remain on the table for many years to come.
In the event that the government opts for a voluntary framework, compliance with the framework may nonetheless become the standard of care in civil proceedings or ASIC prosecutions for breaches of the directors’ duties. The government has said in the consultation paper that “a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constituted a breach of directors’ duties”. As such, the standard may therefore become mandatory in practice, if not in law.
What is said in the discussion paper highlights that cyber security and cyber resilience and data governance must be a fundamental part of all organisations' risk management practices and frameworks. Boards will face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches. Whether standards are voluntary or mandatory, if an organisation suffers a cyber incident and are not able to demonstrate that they have adequate policies and procedure in place, directors may be exposed to claim. This also coincides with the increased scrutiny companies are now facing when taking out insurance cover for cyber risks, with companies (and their boards) now needing to show a genuine commitment to cyber resilience and a real understanding of the systems and processes in place to prevent future incidents or vulnerabilities.
When undertaking pre‑incident work or responding to incidents, you need a team that knows how to best prepare you for and remediate the incident, engage with both privacy and corporate regulators and to guide you to a more resilient place to recover.
John Moran is a recognised leader in both D&O liability claims, and cyber security and cyber incident response. He is uniquely placed to advise organisations about cyber incident planning and liability and exposures resulting from cyber incidents.
Kate Boomer is an expert in D&O claims. She regularly acts for directors and officers in defence of claims for breaches of their duties. She has also advised directors of companies who have suffered cyber attacks about their personal exposure to claims.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response and privacy practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breaches and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness through to defence of regulatory investigations and proceedings, we assist clients globally with their privacy and cyber security and resilience needs.
Australia: + 61 2 9210 4464
New Zealand: 0800 527 508