Cyber risk – Not just a back office IT issue

Welcome to the first of our new-look corporate updates. This issue we highlight some trends in relation to board oversight of cyber risk.

Technology forms a fundamental aspect of almost every business today. Virtually all companies are plugged into the online world and utilise information technology in the delivery of their strategy. The impact of a cyber attack on a business can be highly damaging: from leakage of market-sensitive and confidential information, to loss of intellectual property, to significant damage to reputation and ultimately a loss of consumer and shareholder confidence.

In a speech recently delivered by ASIC’s Chairman, Greg Medcraft, ASIC again highlighted cyber resilience as a key priority for increased regulatory scrutiny.

Cyber resilience is the ability to prepare for, respond to and recover from a cyber attack. Whilst there may be an awareness of cyber threats to businesses, ASIC finds that the market on the whole lacks a culture of cyber resilience.

ASIC has noted in its reports on this issue that the obligations on company directors and officers to discharge their duties with care and diligence under the Corporations Act 2001 (Cth) extend to cyber security. ASIC considers board engagement on this issue to be imperative and that these risks should not simply be left to companies’ technology leaders to manage.

Whilst ASIC recognises that the measures a company implements to achieve cyber resilience will ultimately depend on the nature, scale and complexity of its business, there is a clear expectation that boards actively engage with the issue.

Cyber resilience today is no longer just a back-office IT function. It is a boardroom issue, and a failure by directors and officers to take a closer look at their governance practices for identifying, protecting against, responding to and recovering from cyber risks may constitute a breach of their directors’ duties.

There are various tools available to assist boards and companies to assess and manage their cyber risks. If you would like to discuss these further, or any other issues in the corporate governance space, please do not hesitate to contact a member of our team.