Partner Content

Australian government flags personal liability for directors for cyber incidents

The political focus on cybersecurity continues, with the Australian government on 13 July publishing a discussion paper on Australia’s cybersecurity regulation and incentives. While the paper canvases a range of initiatives, there is a clear focus on the role of directors and officers in preventing cyber incidents.

What are directors’ and officers’ current exposures to cyber risks?

For some time, we have been discussing the theoretical exposure that directors and officers face in the wake of cyber incidents. In particular, directors’ obligations of care and skill found in section 180 of the Corporations Act 2001 (Cth) require directors to guard against key business risks. As a result, directors are already exposed to claims for damages and regulatory investigations if they do not ensure that their companies have appropriate systems in place to prevent and respond to cyber incidents (particularly in circumstances where multiple incidents may have occurred).

The burden is more acute for directors of Australian Financial Services (AFS) licence holders. AFS licensees are required to have in place systems and controls to manage business risks. The Australian Prudential Regulation Authority and the Australian Securities and Investments Commission (ASIC) have made it clear that cyber risks are a key systems and controls issue (see: Cybersecurity, privacy and the financial services sector: regulatory game changers for data governa: Clyde & Co for more information).

What has the Australian government said?

In the discussion paper, the government has said that the present formulation of the obligations of directors and officers in respect of cyber risks is deficient because those obligations:

  • Lack clarity and specificity
  • Are focused on obligations to shareholders and not customers or the public more generally.

In reaching this conclusion, the government points to research that shows boards do not currently have an appropriate understanding of cyber risks and says this creates a larger risk for consumers and the Australian economy. The paper proposes three options for addressing this issue:

  • The status quo (no action)
  • A voluntary cybersecurity governance standard for larger businesses
  • A mandatory standard for cybersecurity governance that would require businesses to put in place measures within a particular timeframe.

The paper contemplates that any voluntary standards would describe the responsibilities and processes for managing cybersecurity risk, thereby supporting the role of company boards in overseeing cybersecurity risk. It is proposed that the standards be developed in consultation with industry and align with international standards.

The paper makes no comment on how any mandatory standard would be enforced or the penalties associated with any breach. Some commentators have suggested that it could operate in a similar manner to boards’ obligations in respect of workplace health and safety systems and controls.

The government is calling for submissions on the discussion paper by 27 August 2021 and is hosting a series of consultation events from 23 July 2021.

Analysis

There is currently significant political pressure on the government to take action in respect of cyber risk and its impact on the Australian economy – businesses and consumers alike. In June, Labor MP Tim Watts introduced a private member’s bill proposing a mandatory ransomware reporting framework, requiring notice to be provided to the Australian Cyber Security Centre upon payment of a ransom demand.

Creating a framework for greater individual responsibility has been a standard government response in the face of challenges such as this. Given the political pressure, it is unlikely that the government will opt for the status quo at the conclusion of the consultation period.

A mandatory approach represents a significant shift from the current obligations and creates a high compliance burden. This may prove unpalatable for a government that considers itself pro-business. That said, we expect that the imposition of mandated obligations in this space will remain on the table for many years to come.

In the event that the government opts for a voluntary framework, compliance with the framework may nonetheless become the standard of care in civil proceedings or ASIC prosecutions for breaches of the directors’ duties. The government says in the consultation paper that “a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constituted a breach of directors’ duties”. As such, the standard may become mandatory in practice, if not in law.

The discussion paper highlights that cybersecurity, cyber resilience and data governance must be a fundamental part of all organisations’ risk management practices and frameworks. Boards will face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches.

Whether standards are voluntary or mandatory, if an organisation suffers a cyber incident and is not able to demonstrate that it has adequate policies and procedures in place, directors may be exposed to a claim. This also coincides with the increased scrutiny companies are now facing when taking out insurance cover for cyber risks, with companies (and their boards) now needing to show a genuine commitment to cyber resilience and a real understanding of the systems and processes in place to prevent future incidents or vulnerabilities.

Contributed by John Moran, partner, Sydney, and Kate Boomer, special counsel, Brisbane at Clyde & Co
