While the Government's discussion paper canvases a range of initiatives, there is a clear focus on the role of directors and officers in preventing cyber incidents. But what is directors'and officers'current exposure to cyber risks?
For some time, we have been speaking about the theoretical exposure that directors and officers face in the wake of cyber incidents. In particular, directors’ obligations of care and skill found in section 180 of the Corporations Act 2001 (Cth), require directors to guard against key business risk.
As a result, directors already are exposed to claims for damages and regulatory investigations if they do not ensure that their companies have appropriate systems in place to prevent and respond to cyber incidents (particularly in circumstances where multiple incidents may have occurred).
The burden is more acute for directors of AFSL holders. AFS licensees are required to have in place systems and controls to manage business risks. APRA and ASIC have made it clear that cyber risks are a key systems and control issue as we discuss here.
What has the government said?
In the discussion paper the government has said that the present formulation of the obligations of directors and officers in respect of cyber risks are deficient because they:
In reaching this conclusion, the government points to research which shows that boards do not currently have an appropriate understanding of cyber risks and says that this creates a larger risk for consumers and the Australian economy. The paper proposes three options for addressing this issue:
-
the status quo (no action);
-
a voluntary cyber security governance standard for larger businesses; or
-
a mandatory standard for cyber security governance which would require businesses to put in place measures within a particular time frame.
The paper contemplates that any voluntary standards would describe the responsibilities and processes for managing cyber security risk, thereby supporting the role of company boards in overseeing cyber security risk. It is proposed that the standards be developed in consultation with industry and align with international standards.
The paper makes no comment on how any mandatory standard would be enforced or the penalties associated with any breach. Some commentators have suggested that it could operate in a similar manner to boards’ obligations in respect of workplace health and safety systems and controls.
The government is calling for submissions on the discussion paper by 27 August 2021 and is hosting a series of consultation events from next Friday, 23 July.
Analysis
There is currently significant political pressure on the government to take action in respect of cyber risk and its impact on the Australian economy – businesses and consumers alike. Late last month, Labor MP Tim Watts introduced a private members bill proposing a mandatory ransomware reporting framework, requiring notice to be provided to the Australian Cyber Security Centre upon payment of a ransom demand. See our further discussion here.
Creating a framework for greater individual responsibility has been a standard government response in the face of challenges such as this. Given the political pressure, we think it is unlikely that the government will opt for the status quo at the conclusion of the consultation period.
A mandatory approach represents a significant shift from the current obligations and creates a high compliance burden. This may prove unpalatable for a government which considers itself pro-business. That said, we expect that the imposition of mandated obligations in this space will remain on the table for many years to come.
In the event that the government opts for a voluntary framework, compliance with the framework may nonetheless become the standard of care in civil proceedings or ASIC prosecutions for breaches of the directors’ duties.
The government has said in the consultation paper that “a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constituted a breach of directors’ duties”. As such, the standard may therefore become mandatory in practice, if not in law.
What is said in the discussion paper highlights that cyber security and cyber resilience and data governance must be a fundamental part of all organisations' risk management practices and frameworks.
Boards will face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches. Whether standards are voluntary or mandatory, if an organisation suffers a cyber incident and are not able to demonstrate that they have adequate policies and procedure in place, directors may be exposed to claim.
This also coincides with the increased scrutiny companies are now facing when taking out insurance cover for cyber risks, with companies (and their boards) now needing to show a genuine commitment to cyber resilience and a real understanding of the systems and processes in place to prevent future incidents or vulnerabilities.
This article was originally written by WOB member and D&O claims expert Kate Boomer, Special Council with Clyde&Co. Read the original article HERE
Download the Discussion Paper
HERE