INSIGHT

Directors' duties and cyber resilience

By Gavin Smith, Valeska Bloch
Cybersecurity & Privacy Data Financial Services Health Media, Advertising & Marketing Technology Telecommunications

In brief

The Target data breach brought the liability of boards and directors in relation to cyber resilience into focus. Target's shareholders brought litigation against all of its directors, the chief financial officer and the chief information officer due to what was perceived as recklessness and disregard for their duties as directors. Directors' liability in relation to cyber security hasn't yet been tested in Australia, but it's only a matter of time.

The key question for directors is how cyber resilient is your organisation? Cyber resilience is an organisation’s ability to prepare for and quickly respond to a cyber attack.

When can a director be held liable?

In Australia, there are two instances in which a company director could be held liable for a cyber breach:

  • Privacy Act: a company director could be subject to a civil penalty for a breach of the Privacy Act if they engage in, aid, abet, are knowingly concerned in or are a party to, serious or repeated interferences with privacy.
  • Duty of care and diligence: directors must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the circumstances. If a director failed to exercise care and diligence in relation to a company's cyber resilience, they could be found to be in breach of this duty.

We haven't yet seen either of these possibilities eventuate in Australia, but that's only a matter of time. For example, directors might be held to be liable where a board is informed that a company has serious cyber security vulnerabilities but the board resolves not to spend money to address those issues.

What should directors do?

In Australia, there is clear appetite for boards to understand their company's cyber profile but there is still a way to go. The ASX's recent Cyber Health Check survey on Australia's top 100 listed companies found that only 34 per cent of boards had clearly defined risk appetite for cyber and only 11 per cent of boards had a clear understanding of where the company's key information or data assets were being shared with another provider.1 ASIC Commissioner Cathie Armour has commented that board members should 'be actively thinking about whether cyber security should be assessed more regularly than other risks' and should 'think about lifting their capability' in the area.2

Effective corporate governance involves active engagement by directors and the board in managing cyber risks. ASIC has encouraged directors to consider:

  • how cyber risks impact on their directors' duties and annual director report disclosure requirements;
  • whether they have appropriate board-level oversight of cyber risks and cyber resilience, particularly where data is shared with third parties; and
  • whether cyber risks have been incorporated into the company's governance and risk management practices and what controls and measures exist for managing these risks.

We also recommend:

  • monitoring compliance with your IT and data security policy and regularly testing and updating the systems and processes in place to address cyber risks;
  • educating yourself on the nature and possible consequences of the cyber risks that are applicable to your business; and
  • engaging cyber security experts to review your cyber resilience and consult if an incident occurs.

Footnotes

  1. 'ASX 100 Cyber Health Check Report: Capturing the Opportunities While Managing the Threats, April 2017.
  2. James Eyers, 'ASIC says boards underprepared for cyber threat' Australian Financial Review, 13 September 2016.