Cyber resilience and directors' duties

Australian company directors have been navigating uncharted territory since the outbreak of the COVID-19 pandemic with many businesses suffering changes to both their supply chain and customer base.

It is more important than ever for directors to remember their duty under the Corporations Act to exercise their powers and discharge their duties with ‘care and diligence'¹; and to remember that the duty is owed to the company, rather than directly to shareholders.²

The incidence of cyber attacks has increased dramatically during the pandemic with many individuals working from home where security is often compromised, and with many ‘usual’ business practices being disrupted on a daily basis.

ASIC Report 4291 states that:

• board participation is considered to be important to promote a strong culture of cyber resilience;
• a failure by a director of a company to meet his or her obligations to identify and manage a cyber risk may result in disqualification from that role;
• directors need to be aware of a company’s cyber security capabilities and to set goals for a target level of resilience by establishing a plan to improve and maintain current systems; and
• importantly, an assessment must be made of what data is essential to company operations and an up to date inventory of that data should be maintained.

On 21 August 2020, ASIC commenced proceedings in the Federal Court against RI Advice Pty Ltd (RI) an Australian Financial Services licence holder, following a number of alleged cyber breach incidents at certain authorised representatives of RI.

ASIC alleges that:

• an authorised representative of RI was subject to an attack where a malicious user successfully gained access to its server and spent more than 155 hours logged into it.  The server contained sensitive client information, including identification documents; and
• RI failed to implement adequate policies, systems, and resources which were appropriate to manage the risks in relation to cyber security and cyber resilience.

ASIC is seeking:

• declarations that RI contravened section 912A(1)(a), (b), (c), (d) and (h) and (5A) of the Corporations Act;³
• orders that RI pay a civil penalty in an ‘appropriate amount’ to be determined by the Court; and
• compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cyber security and cyber resilience and provide a report from a suitably qualified independent expert that such systems have been implemented.

A failure to notify the Office of the Australian Information Commissioner of a data breach pursuant to the notifiable data breach legislation⁴ may also expose a company to a significant fine, particularly in circumstances where a company cannot demonstrate that the obligation to protect data and information in relation to individuals has been met.

The Australian Competition and Consumer Commission (ACCC) also has a number of statutory powers under the Australian Consumer Law which could be exercised to penalise companies who have poor cyber security, there is a potential for a finding of a false or misleading representation by a company in circumstances where it has poor data security.

Lavan Comment

Accordingly, it is important that directors are pro-active in this area and ensure that a company is in a position to demonstrate that it took all necessary steps to protect the company’s data from a cyber attack.

Sitting back and doing nothing will not be a defence and may well expose a director to a risk of disqualification, and the company to significant fine issued by the OAIC, or to an investigation by ASIC.