Note: EBM is not providing legal advice in this article; we are simply looking at this issue from an insurance perspective. Directors and executives should seek legal advice appropriate to their own circumstances.
Boards and directors in the firing line when cyber risks aren’t mitigated
Optus. Medibank Private. Telstra. Medlab Pathology. My Deal. VinoMoto. LastPass. Harcourts…the list of high-profile companies falling victim to cyberattacks and data breaches shows little sign of abating. There were 16 successful cyber extortion incidents in November 2022 alone, according to CyberCX. In just a few weeks toward the end of 2022, around 24 million private records were exposed – in a nation of 26 million people – thanks to a spate of data breaches. The frequency and severity of incidents continue to rise.
At the same time, governments, customers, shareholders and the public are losing any kind of tolerance for board decisions that contribute to the losses. Legal experts have cautioned that boards and directors can face personal liability for the decisions they make regarding cyber security and incident responses.
A world of data – a world of risk
Today, organisations have access to extraordinary amounts of data which they may use to automate processes, personalise offerings and extract other benefits that the data can afford. But these opportunities are set against a backdrop of unprecedented regulatory scrutiny, demands from consumers and investors for greater transparency in relation to data handling, and heightened financial, operational and reputational threats. Responsibility for that information security and data governance rests with the company’s board and senior management.
It’s a situation not lost on many executives. KPMG’s Cyber Trust Insights 2022 report revealed that 78% of survey respondents said that collecting data brought unique cyber security challenges and issues meeting increasing regulatory standards.
Cyber events such as data breaches can be devastating to an organisation – financially and in terms of reputation. Consequently, company directors should actively consider how to mitigate the impacts of such incidents to protect data subjects and their shareholders.
Cyber security is rightfully a hot topic in the board room. The Government is looking to strengthen cyber security and introduce reforms to both the Privacy Act and Cyber Security Regulations (with the proposed reforms increasing the compliance burden for Australian businesses and increasing risks for company directors). Meanwhile, high-profile data breaches could potentially be the catalyst for more legal action (class actions and privacy liability suits) by data subjects, customers and shareholders – and that risk of litigation weighs heavily on company directors and management alike.
The increasing frequency, scale and sophistication of cyber security incidents, and the costs involved (financially and reputationally) have made cyber security a high priority for directors, executives and legal advisers. Managing cyber risks is now a core governance concern and directors need to adopt robust decision-making to mitigate cyber risk within their organisations.
Boards held accountable
Under the Corporations Act 2001, directors have a duty to act in ‘good faith in the best interests of the corporation’ when exercising their powers and discharging their duties. Lawyers have indicated that the duty requires each director to be familiar with the fundamentals of the business and its financial status, to stay informed about the organisation’s activities, and to monitor the organisation’s affairs and policies – including within the context of cyberspace. The Corporations Act renders directors liable for cyber security, so directors who fail to properly consider cyber risks and the cyber security of their company risk breaching their duty of care.
According to an international law firm, compliance with directors’ duties requires directors to:
- understand cyber risks and the operational, financial and reputational impact on the company if those risks eventuate
- consider what systems and processes should be put in place to ensure the company is prepared to address these cyber risks on an ongoing basis, and
- determine how the organisation should respond in the heat of a crisis to protect the interests of the company.
A failure, whether actual or perceived, to implement adequate measures for mitigating cyber security risks could see the directors being held responsible for neglecting to prevent a foreseeable breach. If they fail to act to implement cyber security best practice in their company, then this could be seen as not acting in good faith, noted an article for the Australian Institute of Company Directors.
The consequences for boards and directors include fines and penalties for breaching legislation (Corporations Act, Privacy Act), disqualification and reputational damage. The failure to identify a cyber risk (due diligence), and failure to address the risk (due care), could render a company director personally liable. That personal liability, under the Corporations Act, could include fines paid to the Commonwealth, compensation paid to the company or others for any loss or damage they suffer, and prohibition from managing a company.
As well as the possibility of being held personally liable and facing disqualification and/or reputational damage for cyber security failures that result in regulatory breaches (direct and ancillary), directors’ acts or omissions may also contribute to the liability of organisations, particularly in circumstances where regulators (including ASIC, APRA and the OAIC) have repeatedly emphasised the criticality of board-level oversight of cyber and data risk issues, according to a leading law firm.
Being prepared
So how can boards ensure that they meet their cyber governance obligations? Here are some fundamental actions to be considered:
- Understand your obligations under legislation (Corporations Act, Privacy Act).
- Ascertain whether specific cybersecurity expertise is required at board level, and/or cybersecurity awareness needs to be improved.
- Consider appointing a board risk committee or cyber risk experts on a permanent or consultancy basis.
- Investigate your organisation’s current cyber resilience/maturity baseline. Ascertain how it compares with respected standards.
- Confirm with management that the organisation has adequate cybersecurity and resilience risk management systems, controls, documentation and resources (financial, technological and human) to ensure the company (and individuals and other customers) is not exposed to an unacceptable level of risk.
- Assign time and budget to continually educate board members about evolving risks.
- Foster a culture where cyber security is discussed and prioritised.
- Continually monitor the cyber landscape and what is happening in your sector.
- Ensure management develops strong cyber incident response and business continuity plans, and tests the efficacy of planning and procedures.
- Discuss key aspects of the response plan with insurers and legal practitioners, for example in respect to whether a ransom would be paid or not.
- Involve the whole board in cyberattack simulations to develop response abilities.
- Include cyber resilience and data governance in the organisation’s ESG agenda.
It is also important to make sure that the company and its directors and officers are adequately protected by insurance. Talk to your EBM Account Manager about cyber insurance and D&O policies.